CVE-2025-21948

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> HID: appleir: Fix potential NULL dereference at raw event handle<br /> <br /> Syzkaller reports a NULL pointer dereference issue in input_event().<br /> <br /> BUG: KASAN: null-ptr-deref in instrument_atomic_read include/linux/instrumented.h:68 [inline]<br /> BUG: KASAN: null-ptr-deref in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]<br /> BUG: KASAN: null-ptr-deref in is_event_supported drivers/input/input.c:67 [inline]<br /> BUG: KASAN: null-ptr-deref in input_event+0x42/0xa0 drivers/input/input.c:395<br /> Read of size 8 at addr 0000000000000028 by task syz-executor199/2949<br /> <br /> CPU: 0 UID: 0 PID: 2949 Comm: syz-executor199 Not tainted 6.13.0-rc4-syzkaller-00076-gf097a36ef88d #0<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024<br /> Call Trace:<br /> <br /> __dump_stack lib/dump_stack.c:94 [inline]<br /> dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120<br /> kasan_report+0xd9/0x110 mm/kasan/report.c:602<br /> check_region_inline mm/kasan/generic.c:183 [inline]<br /> kasan_check_range+0xef/0x1a0 mm/kasan/generic.c:189<br /> instrument_atomic_read include/linux/instrumented.h:68 [inline]<br /> _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]<br /> is_event_supported drivers/input/input.c:67 [inline]<br /> input_event+0x42/0xa0 drivers/input/input.c:395<br /> input_report_key include/linux/input.h:439 [inline]<br /> key_down drivers/hid/hid-appleir.c:159 [inline]<br /> appleir_raw_event+0x3e5/0x5e0 drivers/hid/hid-appleir.c:232<br /> __hid_input_report.constprop.0+0x312/0x440 drivers/hid/hid-core.c:2111<br /> hid_ctrl+0x49f/0x550 drivers/hid/usbhid/hid-core.c:484<br /> __usb_hcd_giveback_urb+0x389/0x6e0 drivers/usb/core/hcd.c:1650<br /> usb_hcd_giveback_urb+0x396/0x450 drivers/usb/core/hcd.c:1734<br /> dummy_timer+0x17f7/0x3960 drivers/usb/gadget/udc/dummy_hcd.c:1993<br /> __run_hrtimer kernel/time/hrtimer.c:1739 [inline]<br /> __hrtimer_run_queues+0x20a/0xae0 kernel/time/hrtimer.c:1803<br /> hrtimer_run_softirq+0x17d/0x350 kernel/time/hrtimer.c:1820<br /> handle_softirqs+0x206/0x8d0 kernel/softirq.c:561<br /> __do_softirq kernel/softirq.c:595 [inline]<br /> invoke_softirq kernel/softirq.c:435 [inline]<br /> __irq_exit_rcu+0xfa/0x160 kernel/softirq.c:662<br /> irq_exit_rcu+0x9/0x30 kernel/softirq.c:678<br /> instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline]<br /> sysvec_apic_timer_interrupt+0x90/0xb0 arch/x86/kernel/apic/apic.c:1049<br /> <br /> <br /> asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702<br /> __mod_timer+0x8f6/0xdc0 kernel/time/timer.c:1185<br /> add_timer+0x62/0x90 kernel/time/timer.c:1295<br /> schedule_timeout+0x11f/0x280 kernel/time/sleep_timeout.c:98<br /> usbhid_wait_io+0x1c7/0x380 drivers/hid/usbhid/hid-core.c:645<br /> usbhid_init_reports+0x19f/0x390 drivers/hid/usbhid/hid-core.c:784<br /> hiddev_ioctl+0x1133/0x15b0 drivers/hid/usbhid/hiddev.c:794<br /> vfs_ioctl fs/ioctl.c:51 [inline]<br /> __do_sys_ioctl fs/ioctl.c:906 [inline]<br /> __se_sys_ioctl fs/ioctl.c:892 [inline]<br /> __x64_sys_ioctl+0x190/0x200 fs/ioctl.c:892<br /> do_syscall_x64 arch/x86/entry/common.c:52 [inline]<br /> do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> <br /> <br /> This happens due to the malformed report items sent by the emulated device<br /> which results in a report, that has no fields, being added to the report list.<br /> Due to this appleir_input_configured() is never called, hidinput_connect()<br /> fails which results in the HID_CLAIMED_INPUT flag is not being set. However,<br /> it does not make appleir_probe() fail and lets the event callback to be<br /> called without the associated input device.<br /> <br /> Thus, add a check for the HID_CLAIMED_INPUT flag and leave the event hook<br /> early if the driver didn&amp;#39;t claim any input_dev for some reason. Moreover,<br /> some other hid drivers accessing input_dev in their event callbacks do have<br /> similar checks, too.<br /> <br /> Found by Linux Verification Center (linuxtesting.org) with Syzkaller.