[PATCH] HID: usbhid: sanitize hid->uniq against non-printable bytes

[PATCH] HID: usbhid: sanitize hid->uniq against non-printable bytes

[Taylor Hewetson]

Some USB HID devices (observed on ASUS ROG Azoth via its 2.4GHz
dongle, USB ID 0b05:1a85) report an iSerialNumber string whose
USB string descriptor declares a longer length than the actual
serial, leaving uninitialized firmware memory - including control
characters such as 0x18 - appended to the returned string.

These non-printable bytes propagate into hid->uniq, which in turn
populates /sys/class/input/inputN/uniq. Downstream userspace
components (systemd sd-device property_is_valid(), and by extension
mutter input enumeration on GNOME Wayland sessions) reject devices
with control characters in their uniq, rendering otherwise-
functional input devices unusable in graphical sessions despite
the kernel input layer correctly translating keypresses.

Truncate hid->uniq at the first byte outside the printable ASCII
range (0x20..0x7e) after the serial is read.

Signed-off-by: Taylor Hewetson <taylor@exponent.digital>
---
--- a/drivers/hid/usbhid/hid-core.c
+++ b/drivers/hid/usbhid/hid-core.c
@@ -1427,8 +1427,17 @@
 		snprintf(hid->phys + len, sizeof(hid->phys) - len,
 			 "%d", intf->altsetting[0].desc.bInterfaceNumber);
 
-	if (usb_string(dev, dev->descriptor.iSerialNumber, hid->uniq, 64) <= 0)
+	if (usb_string(dev, dev->descriptor.iSerialNumber, hid->uniq, 64) <= 0) {
 		hid->uniq[0] = 0;
+	} else {
+		size_t i;
+		for (i = 0; i < sizeof(hid->uniq) && hid->uniq[i]; i++) {
+			if (hid->uniq[i] < 0x20 || hid->uniq[i] > 0x7e) {
+				hid->uniq[i] = 0;
+				break;
+			}
+		}
+	}
 
 	usbhid = kzalloc(sizeof(*usbhid), GFP_KERNEL);
 	if (usbhid == NULL) {

Re: [PATCH] HID: usbhid: sanitize hid->uniq against non-printable bytes

[Greg KH]

On Sat, Apr 18, 2026 at 02:58:23PM +1200, Taylor Hewetson wrote:
> Some USB HID devices (observed on ASUS ROG Azoth via its 2.4GHz
> dongle, USB ID 0b05:1a85) report an iSerialNumber string whose
> USB string descriptor declares a longer length than the actual
> serial, leaving uninitialized firmware memory - including control
> characters such as 0x18 - appended to the returned string.
> 
> These non-printable bytes propagate into hid->uniq, which in turn
> populates /sys/class/input/inputN/uniq. Downstream userspace
> components (systemd sd-device property_is_valid(), and by extension
> mutter input enumeration on GNOME Wayland sessions) reject devices
> with control characters in their uniq, rendering otherwise-
> functional input devices unusable in graphical sessions despite
> the kernel input layer correctly translating keypresses.
> 
> Truncate hid->uniq at the first byte outside the printable ASCII
> range (0x20..0x7e) after the serial is read.

Why aren't we doing this in the USB core instead of forcing all users of
this to do it instead?

thanks,

greg k-h

USB: core: sanitize string descriptors against C0 control characters

[Taylor Hewetson]

Some USB devices report string descriptors with a declared length
greater than the actual string, leaving uninitialized firmware memory
- often including C0 control characters such as 0x18 - appended to
the returned string. This has been observed on the ASUS ROG Azoth
2.4GHz dongle (USB ID 0b05:1a85), where the trailing bytes make their
way into hid->uniq and then /sys/class/input/inputN/uniq.

Downstream userspace components then reject the device. systemd's
sd-device property_is_valid() treats any string property containing
control characters as invalid and refuses to set ID_SERIAL_SHORT,
which in turn prevents the device from being tagged with seat. On
GNOME Wayland, mutter silently declines to open input devices that
are missing this tagging, leaving the keyboard visible and producing
keycodes at the kernel layer but dead to the user in a graphical
session.

Truncate the returned UTF-8 string at the first C0 control character
(0x00..0x1F) or DEL (0x7F). Printable Unicode beyond ASCII is left
intact, so legitimate non-ASCII serials (e.g. European manufacturers)
continue to work. Callers that previously received a string with
trailing garbage now receive the clean leading portion, which is
well-formed UTF-8 and safe for all downstream consumers.

Signed-off-by: Taylor Hewetson <taylor@exponent.digital>
---

Changes since v1:
 - Move the sanitization from drivers/hid/usbhid/hid-core.c to
   drivers/usb/core/message.c so that all usb_string() callers
   benefit, not just usbhid. (Greg KH)
 - Broaden the scope from "ASUS Azoth workaround" to "well-formed
   string guarantee for usb_string()"; update commit message
   accordingly.

v1: https://lore.kernel.org/all/20260418025823.21767-1-taylor@exponent.digital/

--- a/drivers/usb/core/message.c
+++ b/drivers/usb/core/message.c
@@ -1052,6 +1052,25 @@
 			UTF16_LITTLE_ENDIAN, buf, size);
 	buf[err] = 0;
 
+	/*
+	 * Some devices report string descriptors with a declared length
+	 * greater than the actual serial, leaving uninitialized firmware
+	 * memory (often including C0 control characters) appended to the
+	 * returned string. Truncate at the first control character so
+	 * callers get a clean, well-formed string.
+	 */
+	{
+		int i;
+		for (i = 0; i < err; i++) {
+			unsigned char c = buf[i];
+			if (c < 0x20 || c == 0x7f) {
+				buf[i] = 0;
+				err = i;
+				break;
+			}
+		}
+	}
+
 	if (tbuf[1] != USB_DT_STRING)
 		dev_dbg(&dev->dev,
 			"wrong descriptor type %02x for string %d (\"%s\")\n",