CVE-2025-38557

Severity CVSS v4.0:
Pending analysis
Type:
CWE-476 NULL Pointer Dereference
Publication date:
19/08/2025
Last modified:
28/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

HID: apple: validate feature-report field count to prevent NULL pointer dereference

A malicious HID device with quirk APPLE_MAGIC_BACKLIGHT can trigger a NULL pointer dereference whilst the power feature-report is toggled and sent to the device in apple_magic_backlight_report_set(). The power feature-report is expected to have two data fields, but if the descriptor declares one field then accessing field[1] and dereferencing it in apple_magic_backlight_report_set() becomes invalid since field[1] will be NULL.

An example of a minimal descriptor which can cause the crash is something like the following, where the report with ID 3 (power report) only references a single 1-byte field. When hid core parses the descriptor it will encounter the final feature tag, allocate a hid_report (all members of field[] will be zeroed out), create a field structure and populate it, increasing the maxfield to 1. The subsequent field[1] access and dereference causes the crash.

Usage Page (Vendor Defined 0xFF00)
Usage (0x0F)
Collection (Application)
Report ID (1)
Usage (0x01)
Logical Minimum (0)
Logical Maximum (255)
Report Size (8)
Report Count (1)
Feature (Data,Var,Abs)

Usage (0x02)
Logical Maximum (32767)
Report Size (16)
Report Count (1)
Feature (Data,Var,Abs)

Report ID (3)
Usage (0x03)
Logical Minimum (0)
Logical Maximum (1)
Report Size (8)
Report Count (1)
Feature (Data,Var,Abs)
End Collection

Here we see the KASAN splat when the kernel dereferences the NULL pointer and crashes:

[ 15.164723] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] SMP KASAN NOPTI
[ 15.165691] KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]
[ 15.165691] CPU: 0 UID: 0 PID: 10 Comm: kworker/0:1 Not tainted 6.15.0 #31 PREEMPT(voluntary)
[ 15.165691] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
[ 15.165691] RIP: 0010:apple_magic_backlight_report_set+0xbf/0x210
[ 15.165691] Call Trace:
[ 15.165691]
[ 15.165691] apple_probe+0x571/0xa20
[ 15.165691] hid_device_probe+0x2e2/0x6f0
[ 15.165691] really_probe+0x1ca/0x5c0
[ 15.165691] __driver_probe_device+0x24f/0x310
[ 15.165691] driver_probe_device+0x4a/0xd0
[ 15.165691] __device_attach_driver+0x169/0x220
[ 15.165691] bus_for_each_drv+0x118/0x1b0
[ 15.165691] __device_attach+0x1d5/0x380
[ 15.165691] device_initial_probe+0x12/0x20
[ 15.165691] bus_probe_device+0x13d/0x180
[ 15.165691] device_add+0xd87/0x1510
[...]

To fix this issue we should validate the number of fields that the backlight and power reports have, and if they do not have the required number of fields then bail.
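The following C model is an added illustration, not code from this advisory or from the kernel's apple HID driver. It walks the descriptor quoted above (re-encoded here as constructed bytes), creates one field per Feature item under the current Report ID the way the description says hid core does, and then applies the field-count check the fix calls for before a two-field power write touches field[1]. The struct layout, the parser, the byte encoding and every function name are assumptions made for this example; only the Report ID, Report Size, Report Count and Feature items matter to it.

```c
#include <stddef.h>
#include <stdint.h>

#define MAX_REPORTS 8
#define MAX_FIELDS  4

/* Constructed stand-in for hid_field / hid_report (the real structs carry far
 * more). field[] starts zeroed, so a slot hid core never filled reads as NULL. */
struct field { int32_t value; };
struct report {
    unsigned      id;
    unsigned      maxfield;          /* fields created for this report */
    struct field *field[MAX_FIELDS]; /* NULL at and beyond maxfield */
};
static struct field field_pool[MAX_REPORTS * MAX_FIELDS];
static size_t field_pool_used;

struct report *find_report(struct report *reps, size_t n, unsigned id)
{
    for (size_t i = 0; i < n; i++)
        if (reps[i].id == id)
            return &reps[i];
    return NULL;
}

/* Walk the short items of a report descriptor and, as the advisory says hid
 * core does, create one field per Feature item under the current Report ID.
 * Returns the report count, or -1 on a truncated or oversized descriptor. */
int parse_feature_reports(const uint8_t *desc, size_t len,
                          struct report *reps, size_t *nreps)
{
    unsigned report_id = 0;
    *nreps = 0, field_pool_used = 0;
    for (size_t pos = 0; pos < len;) {
        uint8_t  prefix = desc[pos++];
        size_t   size = (prefix & 3) == 3 ? 4 : (prefix & 3);
        unsigned type = (prefix >> 2) & 3, tag = prefix >> 4; /* 0 main, 1 global */
        if (prefix == 0xFE || pos + size > len)
            return -1;               /* long item (not modelled) or truncated */
        uint32_t data = 0;
        for (size_t i = 0; i < size; i++)
            data |= (uint32_t)desc[pos + i] << (8 * i);
        pos += size;
        if (type == 1 && tag == 8) {           /* global item: Report ID */
            report_id = data;
        } else if (type == 0 && tag == 0xB) {  /* main item: Feature */
            struct report *r = find_report(reps, *nreps, report_id);
            if (!r) {
                if (*nreps >= MAX_REPORTS)
                    return -1;
                r = &reps[(*nreps)++];
                *r = (struct report){ .id = report_id }; /* field[] all NULL */
            }
            if (r->maxfield >= MAX_FIELDS)
                return -1;
            r->field[r->maxfield++] = &field_pool[field_pool_used++];
        }
    }
    return (int)*nreps;
}

/* Model of the two-field power write with the validation the fix describes:
 * bail unless the report carries both fields. Without that check a report
 * with maxfield == 1 has field[1] == NULL and the second store is the crash. */
int power_report_set(struct report *r, int32_t on, int32_t level)
{
    if (r == NULL || r->maxfield < 2)
        return -1;
    r->field[0]->value = on;
    r->field[1]->value = level;
    return 0;
}

/* Constructed encoding of the descriptor quoted in the advisory: report 1
 * declares two feature fields, report 3 (the power report) only one. */
static const uint8_t constructed_desc[] = {
    0x06, 0x00, 0xFF, 0x09, 0x0F, 0xA1, 0x01,             /* Usage Page, Usage, Collection */
    0x85, 0x01, 0x09, 0x01, 0x15, 0x00, 0x26, 0xFF, 0x00, /* Report ID 1, Usage, Log Min/Max */
    0x75, 0x08, 0x95, 0x01, 0xB1, 0x02,                   /* Size 8, Count 1, Feature */
    0x09, 0x02, 0x26, 0xFF, 0x7F, 0x75, 0x10, 0x95, 0x01, 0xB1, 0x02, /* second Feature */
    0x85, 0x03, 0x09, 0x03, 0x15, 0x00, 0x25, 0x01,       /* Report ID 3, Usage, Log Min/Max */
    0x75, 0x08, 0x95, 0x01, 0xB1, 0x02,                   /* the single 1-byte Feature */
    0xC0,                                                 /* End Collection */
};

/* Report `id` as hid core would build it from the constructed descriptor. */
static struct report *constructed_report(unsigned id)
{
    static struct report reps[MAX_REPORTS];
    size_t n;
    if (parse_feature_reports(constructed_desc, sizeof constructed_desc, reps, &n) < 0)
        return NULL;
    return find_report(reps, n, id);
}

/* Field count recorded for report `id`, or -1 if the report does not exist. */
int field_count_for(unsigned id)
{
    struct report *r = constructed_report(id);
    return r ? (int)r->maxfield : -1;
}
```

With the quoted descriptor, report 3 parses to maxfield == 1, so power_report_set(constructed_report(3), 1, 1) returns -1 instead of storing through a NULL field[1]; report 1 carries two fields and the write returns 0. The same bounds check belongs in front of every indexed field[] access a driver performs at probe time, because the descriptor that determines maxfield comes from the device and cannot be trusted.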

Vulnerable products and versions

CPE                                            From               Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   6.11 (including)   6.12.42 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   6.13 (including)   6.15.10 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   6.16 (including)   6.16.1 (excluding)