oss-sec mailing list archives

Linux Kernel: hid: NULL pointer dereference in hid_betopff_play()


From: Pietro Borrello <borrello () diag uniroma1 it>
Date: Wed, 18 Jan 2023 16:20:51 +0100

Hi all,

I'm disclosing a possible DoS when plugging in a malicious USB device,
which advertises itself as a betop USB device.

A device driver must check that the device correctly registered the
expected inputs and reports.
Otherwise, a malicious USB device may violate assumptions throughout
the driver's code.

betopff_init() in the betop driver's code only checks that the device advertises
at least 4 report values among all its fields, but hid_betopff_play() expects
at least 4 report fields with a value each.
A device advertising an output report with one field and 4 report values
would pass the check but crash the kernel with a NULL pointer dereference
in hid_betopff_play(), when accessing `betopff->report->field[2]->value[0]`.

Best regards,
Pietro Borrello
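As an added illustration (not the kernel's code and not the poster's), the following C model contrasts the two checks the post describes: a count of report values summed over all fields, versus a check for the four separate fields that hid_betopff_play() dereferences. The structs mock_field / mock_report and the function names are hypothetical stand-ins for struct hid_field / struct hid_report.

```c
/* Added illustration, not the kernel's code: a minimal model of the
 * betop report-validation gap described above. The structs mimic
 * struct hid_field / struct hid_report only as far as needed. */
#include <stddef.h>
#include <stdbool.h>

struct mock_field { int report_count; };         /* values in this field */
struct mock_report {
    unsigned int maxfield;                        /* fields present */
    struct mock_field *field[8];                  /* NULL beyond maxfield */
};

/* Weak check, as the post describes betopff_init(): sums report values
 * across all fields, so one field carrying four values passes. */
bool betopff_weak_check(const struct mock_report *r)
{
    int values = 0;
    for (unsigned int i = 0; i < r->maxfield; i++)
        values += r->field[i]->report_count;
    return values >= 4;
}

/* Hardened check: require the four distinct fields that
 * hid_betopff_play() dereferences, each carrying at least one value. */
bool betopff_strict_check(const struct mock_report *r)
{
    if (r->maxfield < 4)
        return false;
    for (unsigned int i = 0; i < 4; i++)
        if (r->field[i] == NULL || r->field[i]->report_count < 1)
            return false;
    return true;
}

/* Constructed sample: the shape from the post, one output field
 * advertising four values. Passes the weak check, fails the strict one. */
static struct mock_field one_field = { .report_count = 4 };
struct mock_report malicious_report = { .maxfield = 1, .field = { &one_field } };

/* Constructed sample: a well-formed report with four one-value fields. */
static struct mock_field f[4] = { {1}, {1}, {1}, {1} };
struct mock_report benign_report = { .maxfield = 4,
                                     .field = { &f[0], &f[1], &f[2], &f[3] } };
```

The strict check is the property the play path actually relies on; the weak check admits a report whose field[1..3] pointers are NULL.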
