On Thu, Jul 03, 2025 at 09:38:27AM +0200, Jiri Kosina wrote:
On Fri, 27 Jun 2025, Qasim Ijaz wrote:
In appletb_kbd_probe an input handler is initialised and then registered with input core through input_register_handler(). When this happens input core will add the input handler (specifically its node) to the global input_handler_list. The input_handler_list is central to the functionality of input core and is traversed in various places in input core. An example of this is when a new input device is plugged in and gets registered with input core.
The input_handler in probe is allocated as device managed memory. If a probe failure occurs after input_register_handler(), the input_handler memory is freed, yet it will remain in the input_handler_list. This effectively means the input_handler_list contains a dangling pointer to data belonging to a freed input handler.
This causes an issue when any other input device is plugged in - in my case I had an old PixArt HP USB optical mouse and I decided to plug it in after a failure occurred after input_register_handler(). This led to the registration of this input device via input_register_device, which involves traversing over every handler in the corrupted input_handler_list and calling input_attach_handler(), giving each handler a chance to bind to the newly registered device.
The core of this bug is a UAF which causes memory corruption of input_handler_list, and to fix it we must ensure the input handler is unregistered from input core; this is done through input_unregister_handler().
Applied to hid.git#for-6.16/upstream-fixes, thanks!
Thanks Jiri, would it also be possible to apply this one too: https://lore.kernel.org/all/20250624125256.20473-1-qasdev00@gmail.com/
It's a bug fix I sent before this a while back, but I think it may have been buried deep down in your inbox, causing you to miss it.
Thanks, Qasim
-- Jiri Kosina SUSE Labs
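The lifetime mismatch described in the commit message above (a devm-allocated handler left on the global input_handler_list after probe fails) can be shown in a small user-space model. This is an added example written for this page, not the kernel's input core code and not the patch itself: the list, the devm resource group, the handler struct and the two probe functions are simplified stand-ins with assumed names. Instead of really calling free(), the devm model just marks the handler as released, so the walk that input_register_device() would do can count entries that point at dead storage.

```c
#include <stddef.h>
#include <string.h>

/* Minimal intrusive doubly linked list, modelled on the kernel's list_head. */
struct list_head { struct list_head *next, *prev; };

static void list_init(struct list_head *h) { h->next = h->prev = h; }
static void list_add_tail(struct list_head *n, struct list_head *h) {
    n->prev = h->prev; n->next = h; h->prev->next = n; h->prev = n;
}
static void list_del(struct list_head *n) {
    n->prev->next = n->next; n->next->prev = n->prev; n->next = n->prev = NULL;
}
#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

/* Stand-in for struct input_handler: its node lives on a global list. */
struct input_handler {
    const char *name;
    int alive;            /* cleared when devm "frees" it (poisoned rather than free()d so the walk below can check) */
    struct list_head node;
};

static struct list_head input_handler_list;   /* the global list input core walks */

static void input_register_handler(struct input_handler *h) {
    list_add_tail(&h->node, &input_handler_list);
}
static void input_unregister_handler(struct input_handler *h) {
    list_del(&h->node);
}

/* Tiny devm model (assumed, not the kernel's devres): everything attached to
 * the device is released by the driver core when probe fails. */
#define MAX_DEVRES 4
struct device {
    struct input_handler *devres[MAX_DEVRES];
    int ndevres;
};
static struct input_handler handler_pool[MAX_DEVRES];
static int pool_used;

static struct input_handler *devm_alloc_handler(struct device *dev, const char *name) {
    struct input_handler *h = &handler_pool[pool_used++];
    memset(h, 0, sizeof(*h));
    h->name = name;
    h->alive = 1;
    dev->devres[dev->ndevres++] = h;
    return h;
}
static void devres_release_all(struct device *dev) {
    for (int i = 0; i < dev->ndevres; i++)
        dev->devres[i]->alive = 0;   /* this is where the kernel would kfree() it */
    dev->ndevres = 0;
}

/* Some later probe step that fails after the handler was registered. */
static int later_step_fails(void) { return -1; }

/* Buggy shape: register, then fail without unregistering; devm then releases
 * the memory while the node is still linked into input_handler_list. */
static int probe_buggy(struct device *dev) {
    struct input_handler *h = devm_alloc_handler(dev, "appletb_kbd");
    input_register_handler(h);
    if (later_step_fails()) {
        devres_release_all(dev);
        return -1;
    }
    return 0;
}

/* Fixed shape: unwind the registration before the memory goes away. */
static int probe_fixed(struct device *dev) {
    struct input_handler *h = devm_alloc_handler(dev, "appletb_kbd");
    input_register_handler(h);
    if (later_step_fails()) {
        input_unregister_handler(h);
        devres_release_all(dev);
        return -1;
    }
    return 0;
}

/* What input_register_device() does for a newly plugged device: visit every
 * handler on the list. Returns how many entries point at released memory. */
static int count_dangling_handlers(void) {
    int dangling = 0;
    for (struct list_head *p = input_handler_list.next; p != &input_handler_list; p = p->next)
        if (!container_of(p, struct input_handler, node)->alive)
            dangling++;
    return dangling;
}

/* Run one probe variant from a clean state; the probe fails by construction. */
static int run_scenario(int (*probe)(struct device *)) {
    struct device dev;
    memset(&dev, 0, sizeof(dev));
    list_init(&input_handler_list);
    pool_used = 0;
    (void)probe(&dev);
    return count_dangling_handlers();
}
```

run_scenario(probe_buggy) leaves one dangling entry on the list, which is exactly what the next input_register_device() would dereference; run_scenario(probe_fixed) leaves the list empty. The general rule the example illustrates is that anything registered with a global subsystem list must be unregistered on the error path before the devm release runs, because devm only manages the allocation, not the registration.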