| From bippy-7c5fe7eed585 Mon Sep 17 00:00:00 2001 |
| From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| To: <linux-cve-announce@vger.kernel.org> |
| Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org> |
| Subject: CVE-2025-21948: HID: appleir: Fix potential NULL dereference at raw event handle |
| |
| Description |
| =========== |
| |
| In the Linux kernel, the following vulnerability has been resolved: |
| |
| HID: appleir: Fix potential NULL dereference at raw event handle |
| |
| Syzkaller reports a NULL pointer dereference issue in input_event(). |
| |
| BUG: KASAN: null-ptr-deref in instrument_atomic_read include/linux/instrumented.h:68 [inline] |
| BUG: KASAN: null-ptr-deref in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline] |
| BUG: KASAN: null-ptr-deref in is_event_supported drivers/input/input.c:67 [inline] |
| BUG: KASAN: null-ptr-deref in input_event+0x42/0xa0 drivers/input/input.c:395 |
| Read of size 8 at addr 0000000000000028 by task syz-executor199/2949 |
| |
| CPU: 0 UID: 0 PID: 2949 Comm: syz-executor199 Not tainted 6.13.0-rc4-syzkaller-00076-gf097a36ef88d #0 |
| Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 |
| Call Trace: |
| <IRQ> |
| __dump_stack lib/dump_stack.c:94 [inline] |
| dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 |
| kasan_report+0xd9/0x110 mm/kasan/report.c:602 |
| check_region_inline mm/kasan/generic.c:183 [inline] |
| kasan_check_range+0xef/0x1a0 mm/kasan/generic.c:189 |
| instrument_atomic_read include/linux/instrumented.h:68 [inline] |
| _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline] |
| is_event_supported drivers/input/input.c:67 [inline] |
| input_event+0x42/0xa0 drivers/input/input.c:395 |
| input_report_key include/linux/input.h:439 [inline] |
| key_down drivers/hid/hid-appleir.c:159 [inline] |
| appleir_raw_event+0x3e5/0x5e0 drivers/hid/hid-appleir.c:232 |
| __hid_input_report.constprop.0+0x312/0x440 drivers/hid/hid-core.c:2111 |
| hid_ctrl+0x49f/0x550 drivers/hid/usbhid/hid-core.c:484 |
| __usb_hcd_giveback_urb+0x389/0x6e0 drivers/usb/core/hcd.c:1650 |
| usb_hcd_giveback_urb+0x396/0x450 drivers/usb/core/hcd.c:1734 |
| dummy_timer+0x17f7/0x3960 drivers/usb/gadget/udc/dummy_hcd.c:1993 |
| __run_hrtimer kernel/time/hrtimer.c:1739 [inline] |
| __hrtimer_run_queues+0x20a/0xae0 kernel/time/hrtimer.c:1803 |
| hrtimer_run_softirq+0x17d/0x350 kernel/time/hrtimer.c:1820 |
| handle_softirqs+0x206/0x8d0 kernel/softirq.c:561 |
| __do_softirq kernel/softirq.c:595 [inline] |
| invoke_softirq kernel/softirq.c:435 [inline] |
| __irq_exit_rcu+0xfa/0x160 kernel/softirq.c:662 |
| irq_exit_rcu+0x9/0x30 kernel/softirq.c:678 |
| instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline] |
| sysvec_apic_timer_interrupt+0x90/0xb0 arch/x86/kernel/apic/apic.c:1049 |
| </IRQ> |
| <TASK> |
| asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702 |
| __mod_timer+0x8f6/0xdc0 kernel/time/timer.c:1185 |
| add_timer+0x62/0x90 kernel/time/timer.c:1295 |
| schedule_timeout+0x11f/0x280 kernel/time/sleep_timeout.c:98 |
| usbhid_wait_io+0x1c7/0x380 drivers/hid/usbhid/hid-core.c:645 |
| usbhid_init_reports+0x19f/0x390 drivers/hid/usbhid/hid-core.c:784 |
| hiddev_ioctl+0x1133/0x15b0 drivers/hid/usbhid/hiddev.c:794 |
| vfs_ioctl fs/ioctl.c:51 [inline] |
| __do_sys_ioctl fs/ioctl.c:906 [inline] |
| __se_sys_ioctl fs/ioctl.c:892 [inline] |
| __x64_sys_ioctl+0x190/0x200 fs/ioctl.c:892 |
| do_syscall_x64 arch/x86/entry/common.c:52 [inline] |
| do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 |
| entry_SYSCALL_64_after_hwframe+0x77/0x7f |
| </TASK> |
| |
| This happens due to the malformed report items sent by the emulated device, |
| which result in a report that has no fields being added to the report list. |
| Due to this, appleir_input_configured() is never called, hidinput_connect() |
| fails, which results in the HID_CLAIMED_INPUT flag not being set. However, |
| it does not make appleir_probe() fail and lets the event callback be |
| called without the associated input device. |
| |
| Thus, add a check for the HID_CLAIMED_INPUT flag and leave the event hook |
| early if the driver didn't claim any input_dev for some reason. Moreover, |
| some other hid drivers accessing input_dev in their event callbacks do have |
| similar checks, too. |
| |
| Found by Linux Verification Center (linuxtesting.org) with Syzkaller. |
| |
| The Linux kernel CVE team has assigned CVE-2025-21948 to this issue. |
| |
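The flow in the description above, as an added userspace model (not the kernel patch and not code from this advisory). The struct layouts, `model_probe`, `model_raw_event`, `run_case` and the `EV_*` results are hypothetical stand-ins; the model returns `EV_NULL_DEREF` at the point where the kernel would dereference the missing input device.

```c
#include <stdio.h>

/* Userspace model only: simplified stand-ins, not the kernel's definitions. */
#define HID_CLAIMED_INPUT 1u  /* stand-in for the flag named in the advisory */
enum ev_result { EV_IGNORED, EV_REPORTED, EV_NULL_DEREF };
struct input_dev  { int keys_reported; };
struct hid_device { unsigned int claimed; };
struct appleir    { struct hid_device *hid; struct input_dev *input_dev; };

/* Models probe. A report with no fields (nfields == 0) means the connect
 * step fails: no input device is attached and HID_CLAIMED_INPUT stays clear.
 * Probe still returns 0, so the event hook remains reachable. */
static int model_probe(struct appleir *a, struct hid_device *hid,
                       struct input_dev *dev, int nfields)
{
    a->hid = hid;
    a->input_dev = NULL;
    hid->claimed = 0;
    if (nfields == 0)
        return 0;                       /* connect failed, probe did not */
    a->input_dev = dev;                 /* set when the input is configured */
    hid->claimed |= HID_CLAIMED_INPUT;
    return 0;
}

/* Event hook: with_check = 0 is the pre-fix flow, 1 is the fixed flow. */
static enum ev_result model_raw_event(struct appleir *a, int with_check)
{
    if (with_check && !(a->hid->claimed & HID_CLAIMED_INPUT))
        return EV_IGNORED;              /* leave the hook early */
    if (a->input_dev == NULL)
        return EV_NULL_DEREF;           /* kernel would oops in input_event() */
    a->input_dev->keys_reported++;
    return EV_REPORTED;
}

/* Probe, then deliver one event. nfields = 0 is the malformed-report case. */
static enum ev_result run_case(int nfields, int with_check)
{
    struct hid_device hid;
    struct input_dev dev = { 0 };
    struct appleir a;
    model_probe(&a, &hid, &dev, nfields);
    return model_raw_event(&a, with_check);
}

int main(void)
{
    printf("malformed: pre-fix=%d fixed=%d\n", run_case(0, 0), run_case(0, 1));
    return 0;
}
```
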
| |
| Affected and fixed versions |
| =========================== |
| |
| Issue introduced in 3.10 with commit 9a4a5574ce427c364d81746fc7fb82d86b5f1a7e and fixed in 5.4.291 with commit 6db423b00940b05df2a1265d3c7eabafe9f1734c |
| Issue introduced in 3.10 with commit 9a4a5574ce427c364d81746fc7fb82d86b5f1a7e and fixed in 5.10.235 with commit 0df1ac8ee417ad76760ff076faa4518a4d861894 |
| Issue introduced in 3.10 with commit 9a4a5574ce427c364d81746fc7fb82d86b5f1a7e and fixed in 5.15.179 with commit b1d95d733cd6e74f595653daddcfc357bea461e8 |
| Issue introduced in 3.10 with commit 9a4a5574ce427c364d81746fc7fb82d86b5f1a7e and fixed in 6.1.131 with commit 8d39eb8c5e14f2f0f441eed832ef8a7b654e6fee |
| Issue introduced in 3.10 with commit 9a4a5574ce427c364d81746fc7fb82d86b5f1a7e and fixed in 6.6.83 with commit fc69e2c3219d433caabba4b5d6371ba726a4b37f |
| Issue introduced in 3.10 with commit 9a4a5574ce427c364d81746fc7fb82d86b5f1a7e and fixed in 6.12.19 with commit d335fce8b88b2353f4bb20c631698e20384e3610 |
| Issue introduced in 3.10 with commit 9a4a5574ce427c364d81746fc7fb82d86b5f1a7e and fixed in 6.13.7 with commit 68cdf6710f228dfd74f66ec61fbe636da2646a73 |
| Issue introduced in 3.10 with commit 9a4a5574ce427c364d81746fc7fb82d86b5f1a7e and fixed in 6.14 with commit 2ff5baa9b5275e3acafdf7f2089f74cccb2f38d1 |
| |
| Please see https://www.kernel.org for a full list of kernel versions |
| currently supported by the kernel community. |
| |
| Unaffected versions might change over time as fixes are backported to |
| older supported kernel versions. The official CVE entry at |
| https://cve.org/CVERecord/?id=CVE-2025-21948 |
| will be updated if fixes are backported; please check that for the most |
| up-to-date information about this issue. |
| |
| |
| Affected files |
| ============== |
| |
| The file(s) affected by this issue are: |
| drivers/hid/hid-appleir.c |
| |
| |
| Mitigation |
| ========== |
| |
| The Linux kernel CVE team recommends that you update to the latest |
| stable kernel version for this, and many other bugfixes. Individual |
| changes are never tested alone, but rather are part of a larger kernel |
| release. Cherry-picking individual commits is not recommended or |
| supported by the Linux kernel community at all. If, however, updating to |
| the latest release is impossible, the individual changes to resolve this |
| issue can be found at these commits: |
| https://git.kernel.org/stable/c/6db423b00940b05df2a1265d3c7eabafe9f1734c |
| https://git.kernel.org/stable/c/0df1ac8ee417ad76760ff076faa4518a4d861894 |
| https://git.kernel.org/stable/c/b1d95d733cd6e74f595653daddcfc357bea461e8 |
| https://git.kernel.org/stable/c/8d39eb8c5e14f2f0f441eed832ef8a7b654e6fee |
| https://git.kernel.org/stable/c/fc69e2c3219d433caabba4b5d6371ba726a4b37f |
| https://git.kernel.org/stable/c/d335fce8b88b2353f4bb20c631698e20384e3610 |
| https://git.kernel.org/stable/c/68cdf6710f228dfd74f66ec61fbe636da2646a73 |
| https://git.kernel.org/stable/c/2ff5baa9b5275e3acafdf7f2089f74cccb2f38d1 |