From: Qasim Ijaz <qasdev00@gmail.com>
To: Jiri Kosina <jikos@kernel.org>
Cc: bentiss@kernel.org, gargaditya08@live.com, jirislaby@kernel.org,
linux-input@vger.kernel.org, linux-kernel@vger.kernel.org,
stable@vger.kernel.org
Subject: Re: [PATCH v2] HID: appletb-kbd: fix memory corruption of input_handler_list
Date: Thu, 3 Jul 2025 10:31:39 +0100
Message-ID: <aGZN-0aYscZMYpld@gmail.com>
In-Reply-To: <qp120s01-q22q-52rr-97n2-or6o30n1qrqq@xreary.bet>
On Thu, Jul 03, 2025 at 09:38:27AM +0200, Jiri Kosina wrote:
> On Fri, 27 Jun 2025, Qasim Ijaz wrote:
>
> > In appletb_kbd_probe an input handler is initialised and then registered
> > with input core through input_register_handler(). When this happens input
> > core will add the input handler (specifically its node) to the global
> > input_handler_list. The input_handler_list is central to the functionality
> > of input core and is traversed in various places in input core. An example
> > of this is when a new input device is plugged in and gets registered with
> > input core.
> >
> > The input_handler in probe is allocated as device managed memory. If a
> > probe failure occurs after input_register_handler() the input_handler
> > memory is freed, yet it will remain in the input_handler_list. This
> > effectively means the input_handler_list contains a dangling pointer
> > to data belonging to a freed input handler.
> >
> > This causes an issue when any other input device is plugged in - in my
> > case I had an old PixArt HP USB optical mouse and I decided to
> > plug it in after a failure occurred after input_register_handler().
> > This led to the registration of this input device via
> > input_register_device which involves traversing over every handler
> > in the corrupted input_handler_list and calling input_attach_handler(),
> > giving each handler a chance to bind to the newly registered device.
> >
> > The core of this bug is a UAF which causes memory corruption of
> > input_handler_list and to fix it we must ensure the input handler is
> > unregistered from input core; this is done through
> > input_unregister_handler().
>
> Applied to hid.git#for-6.16/upstream-fixes, thanks!
Thanks Jiri, would it also be possible to apply this one too:
<https://lore.kernel.org/all/20250624125256.20473-1-qasdev00@gmail.com/>
It's a bug fix I sent before this a while back but I think it may have been buried
deep down in your inbox causing you to miss it.
Thanks,
Qasim
>
> --
> Jiri Kosina
> SUSE Labs
>
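A user-space model of the lifetime mismatch the patch description above explains, added here as an illustration; it is not the patch and not the kernel's input core. `handler_list`, `devm_handler_alloc` and `devres_release` are constructed stand-ins for input_handler_list and the devres machinery, and released nodes are marked rather than free()d so the corrupted list can be walked safely inside the model.

```c
#include <stdlib.h>
#include <errno.h>

/* Stand-ins for the kernel objects (constructed for this model, not kernel code). */
struct handler { int freed; struct handler *next; };
struct device  { struct handler *devres[4]; int n; };

static struct handler *handler_list;   /* plays the role of input_handler_list */

/* devm_*-style allocation: the device's devres list owns the memory. */
static struct handler *devm_handler_alloc(struct device *dev)
{
	struct handler *h = calloc(1, sizeof *h);
	if (h && dev->n < 4)
		dev->devres[dev->n++] = h;
	return h;
}

/* devres release on probe failure; nodes are marked, not free()d, so the list stays walkable. */
static void devres_release(struct device *dev)
{
	while (dev->n > 0)
		dev->devres[--dev->n]->freed = 1;
}

/* input_register_handler(): link the handler into the global list. */
static void register_handler(struct handler *h) { h->next = handler_list; handler_list = h; }

/* input_unregister_handler(): unlink it again. */
static void unregister_handler(struct handler *h)
{
	for (struct handler **pp = &handler_list; *pp; pp = &(*pp)->next)
		if (*pp == h) { *pp = h->next; return; }
}

/* What a later input_register_device() walk would hit: nodes living in freed memory. */
int dangling_handlers(void)
{
	int n = 0;
	for (struct handler *h = handler_list; h; h = h->next)
		n += h->freed;
	return n;
}

/* Probe whose setup fails after the handler is registered; unwind=1 is the patched path. */
int probe(struct device *dev, int unwind)
{
	struct handler *h = devm_handler_alloc(dev);
	if (!h)
		return -ENOMEM;
	register_handler(h);
	if (unwind)
		unregister_handler(h);	/* the fix: leave the global list before the memory dies */
	devres_release(dev);		/* devm memory is released on the failure path regardless */
	return -ENODEV;
}
```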