oss-sec mailing list archives
Linux Kernel: hid: NULL pointer dereference in hid_betopff_play()
From: Pietro Borrello <borrello () diag uniroma1 it>
Date: Wed, 18 Jan 2023 16:20:51 +0100
Hi all,

I'm disclosing a possible DoS when plugging in a malicious USB device, which advertises itself as a betop USB device.

A device driver must check that the device correctly registered the expected inputs and reports. Otherwise, a malicious USB device may violate assumptions throughout the driver's code.

betopff_init() in the betop driver's code only checks that the device advertises at least 4 report values among all its fields, but hid_betopff_play() expects at least 4 report fields with a value each. A device advertising an output report with one field and 4 report values would pass the check but crash the kernel with a NULL pointer dereference in hid_betopff_play(), when accessing `betopff->report->field[2]->value[0]`.

Best regards,
Pietro Borrello
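The mismatch described above, as an added example that is not from the post or the kernel source: the structs are a simplified stand-in for the kernel's hid_field/hid_report (an assumption), betopff_check_weak() models the "at least 4 values across all fields" check, and betopff_check_strict() models the shape hid_betopff_play() actually relies on.

```c
/* Simplified stand-in for the kernel's hid_field/hid_report (assumption, not kernel code). */
#include <stddef.h>
#include <stdbool.h>

struct hid_field { unsigned report_count; };                         /* values in this field */
struct hid_report { unsigned maxfield; struct hid_field *field[4]; }; /* NULL past maxfield */

/* Weak check of the kind the post describes: sums report values across all
 * fields and is satisfied once the total reaches 4, however few fields exist. */
bool betopff_check_weak(const struct hid_report *report)
{
    unsigned total = 0;
    for (unsigned i = 0; i < report->maxfield; i++)
        total += report->field[i]->report_count;
    return total >= 4;
}

/* What hid_betopff_play() actually relies on: at least 4 fields, each with at
 * least one value, so field[0..3]->value[0] can be dereferenced safely. */
bool betopff_check_strict(const struct hid_report *report)
{
    if (report->maxfield < 4)
        return false;
    for (unsigned i = 0; i < 4; i++)
        if (report->field[i] == NULL || report->field[i]->report_count < 1)
            return false;
    return true;
}

/* Constructed report: one field carrying 4 values (the shape from the post). */
const struct hid_report *one_field_four_values(void)
{
    static struct hid_field f = { .report_count = 4 };
    static struct hid_report r = { .maxfield = 1, .field = { &f } };
    return &r;
}

/* Constructed report: four fields with one value each (what the driver assumes). */
const struct hid_report *four_fields_one_value(void)
{
    static struct hid_field f[4] = { {1}, {1}, {1}, {1} };
    static struct hid_report r = { .maxfield = 4, .field = { &f[0], &f[1], &f[2], &f[3] } };
    return &r;
}
```

The one-field report passes the weak check and fails the strict one, which is exactly the gap between what betopff_init() validated and what hid_betopff_play() assumed.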