fkie_cve-2025-38394
Vulnerability from fkie_nvd
Published: 2025-07-25 13:15
Modified: 2025-07-25 15:29
Severity: not yet scored (NVD metrics are empty; record status "Awaiting Analysis")
Summary
In the Linux kernel, the following vulnerability has been resolved:
HID: appletb-kbd: fix memory corruption of input_handler_list
In appletb_kbd_probe an input handler is initialised and then registered
with input core through input_register_handler(). When this happens input
core will add the input handler (specifically its node) to the global
input_handler_list. The input_handler_list is central to the functionality
of input core and is traversed in various places in input core. An example
of this is when a new input device is plugged in and gets registered with
input core.
The input_handler in probe is allocated as device managed memory. If a
probe failure occurs after input_register_handler() the input_handler
memory is freed, yet it will remain in the input_handler_list. This
effectively means the input_handler_list contains a dangling pointer
to data belonging to a freed input handler.
This causes an issue when any other input device is plugged in - in my
case I had an old PixArt HP USB optical mouse and I decided to
plug it in after a failure occurred after input_register_handler().
This led to the registration of this input device via
input_register_device which involves traversing over every handler
in the corrupted input_handler_list and calling input_attach_handler(),
giving each handler a chance to bind to the newly registered device.
The core of this bug is a UAF which causes memory corruption of
input_handler_list, and to fix it we must ensure the input handler is
unregistered from input core; this is done through
input_unregister_handler().
[ 63.191597] ==================================================================
[ 63.192094] BUG: KASAN: slab-use-after-free in input_attach_handler.isra.0+0x1a9/0x1e0
[ 63.192094] Read of size 8 at addr ffff888105ea7c80 by task kworker/0:2/54
[ 63.192094]
[ 63.192094] CPU: 0 UID: 0 PID: 54 Comm: kworker/0:2 Not tainted 6.16.0-rc2-00321-g2aa6621d
[ 63.192094] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.164
[ 63.192094] Workqueue: usb_hub_wq hub_event
[ 63.192094] Call Trace:
[ 63.192094] <TASK>
[ 63.192094] dump_stack_lvl+0x53/0x70
[ 63.192094] print_report+0xce/0x670
[ 63.192094] kasan_report+0xce/0x100
[ 63.192094] input_attach_handler.isra.0+0x1a9/0x1e0
[ 63.192094] input_register_device+0x76c/0xd00
[ 63.192094] hidinput_connect+0x686d/0xad60
[ 63.192094] hid_connect+0xf20/0x1b10
[ 63.192094] hid_hw_start+0x83/0x100
[ 63.192094] hid_device_probe+0x2d1/0x680
[ 63.192094] really_probe+0x1c3/0x690
[ 63.192094] __driver_probe_device+0x247/0x300
[ 63.192094] driver_probe_device+0x49/0x210
[ 63.192094] __device_attach_driver+0x160/0x320
[ 63.192094] bus_for_each_drv+0x10f/0x190
[ 63.192094] __device_attach+0x18e/0x370
[ 63.192094] bus_probe_device+0x123/0x170
[ 63.192094] device_add+0xd4d/0x1460
[ 63.192094] hid_add_device+0x30b/0x910
[ 63.192094] usbhid_probe+0x920/0xe00
[ 63.192094] usb_probe_interface+0x363/0x9a0
[ 63.192094] really_probe+0x1c3/0x690
[ 63.192094] __driver_probe_device+0x247/0x300
[ 63.192094] driver_probe_device+0x49/0x210
[ 63.192094] __device_attach_driver+0x160/0x320
[ 63.192094] bus_for_each_drv+0x10f/0x190
[ 63.192094] __device_attach+0x18e/0x370
[ 63.192094] bus_probe_device+0x123/0x170
[ 63.192094] device_add+0xd4d/0x1460
[ 63.192094] usb_set_configuration+0xd14/0x1880
[ 63.192094] usb_generic_driver_probe+0x78/0xb0
[ 63.192094] usb_probe_device+0xaa/0x2e0
[ 63.192094] really_probe+0x1c3/0x690
[ 63.192094] __driver_probe_device+0x247/0x300
[ 63.192094] driver_probe_device+0x49/0x210
[ 63.192094] __device_attach_driver+0x160/0x320
[ 63.192094] bus_for_each_drv+0x10f/0x190
[ 63.192094] __device_attach+0x18e/0x370
[ 63.192094] bus_probe_device+0x123/0x170
[ 63.192094] device_add+0xd4d/0x1460
[ 63.192094] usb_new_device+0x7b4/0x1000
[ 63.192094] hub_event+0x234d/0x3
---truncated---
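The sequence the commit message describes, reduced to a runnable user-space C model. This is an added illustration and not the kernel's code or anything from the referenced patches: the list, devres and input-core functions are simplified stand-ins named after their kernel counterparts, and the "Apple" name match, the single devm allocation and the -ENODEV late failure are assumptions made for the demonstration. The model detects the dangling node by comparing addresses instead of dereferencing freed memory, which is the read that KASAN flags in the trace above.

```c
/* Added model (not kernel code) of the bug in this advisory: a devm-allocated input_handler is
 * freed when probe fails but stays linked into the global input_handler_list. Names mirror the
 * kernel's, but every function here is a simplified stand-in. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define ENODEV 19
#define MAX_HANDLERS 8

/* Intrusive doubly-linked list in the style of <linux/list.h>. */
struct list_head { struct list_head *next, *prev; };
#define container_of(ptr, type, member) ((type *)((char *)(ptr) - offsetof(type, member)))
static struct list_head input_handler_list = { &input_handler_list, &input_handler_list };
static void list_add_tail(struct list_head *n, struct list_head *head)
{
    n->prev = head->prev; n->next = head; head->prev->next = n; head->prev = n;
}
static void list_del(struct list_head *n)
{
    n->prev->next = n->next; n->next->prev = n->prev; n->next = n->prev = NULL;
}

struct input_handler {
    const char *wants;        /* substring of device names this handler binds to (assumed) */
    struct list_head node;
};

/* Addresses of handlers still allocated. The model compares addresses instead of reading a freed
 * node; in the real kernel that read is exactly what KASAN reports in the trace above. */
static uintptr_t live_handlers[MAX_HANDLERS];
static int nlive;
static bool handler_is_live(const void *p)
{
    for (int i = 0; i < nlive; i++)
        if (live_handlers[i] == (uintptr_t)p) return true;
    return false;
}

/* devres model: memory tied to a device, freed by the driver core (not the driver) when probe fails. */
struct device { void *devm; };
static void *devm_kzalloc(struct device *dev, size_t size) { return dev->devm = calloc(1, size); }
static void devres_release_all(struct device *dev)
{
    for (int j = 0; j < nlive; j++)   /* forget the address, then release the memory */
        if (live_handlers[j] == (uintptr_t)dev->devm) live_handlers[j] = live_handlers[--nlive];
    free(dev->devm);
    dev->devm = NULL;
}

/* Input core: link/unlink a handler on the global list. */
static int input_register_handler(struct input_handler *h)
{
    if (nlive == MAX_HANDLERS) return -ENODEV;
    live_handlers[nlive++] = (uintptr_t)h;
    list_add_tail(&h->node, &input_handler_list);
    return 0;
}
static void input_unregister_handler(struct input_handler *h) { list_del(&h->node); }

/* Input core: a new device is offered to every handler on the list (input_attach_handler()).
 * Returns how many handlers bound, or -1 if the walk reaches a node whose handler was already
 * freed, which is the use-after-free in the advisory. */
static int input_register_device(const char *dev_name)
{
    int bound = 0;
    for (struct list_head *p = input_handler_list.next; p != &input_handler_list; p = p->next) {
        struct input_handler *h = container_of(p, struct input_handler, node);
        if (!handler_is_live(h)) return -1;   /* dangling node left behind by a failed probe */
        if (strstr(dev_name, h->wants)) bound++;
    }
    return bound;
}

/* Driver probe. fail_late stands in for any step failing after input_register_handler();
 * fixed selects the error path that unregisters the handler before devres frees it. */
static int appletb_kbd_probe(struct device *dev, bool fail_late, bool fixed)
{
    struct input_handler *h = devm_kzalloc(dev, sizeof(*h));
    if (!h) return -ENODEV;
    h->wants = "Apple";
    int ret = input_register_handler(h);
    if (ret) { devres_release_all(dev); return ret; }
    if (!fail_late) return 0;
    if (fixed) input_unregister_handler(h);   /* the fix: unlink the node first */
    devres_release_all(dev);                  /* driver core frees devm memory; h is now gone */
    return -ENODEV;
}

/* Scenario: probe the Touch Bar driver, then plug in another input device. */
static int run_scenario(bool fail_late, bool fixed, const char *new_dev)
{
    struct device tb = { NULL };
    input_handler_list.next = input_handler_list.prev = &input_handler_list;
    nlive = 0;
    if (appletb_kbd_probe(&tb, fail_late, fixed) != (fail_late ? -ENODEV : 0)) return -2;
    return input_register_device(new_dev);
}
```

run_scenario(true, false, "PixArt HP USB Optical Mouse") returns -1: the walk for the newly plugged-in mouse reaches the node of the freed handler. run_scenario(true, true, ...) returns 0 because input_unregister_handler() took the node off the list before devres freed it, and run_scenario(false, false, "Apple Touch Bar") returns 1 for the healthy case. The ordering rule is general for any devm-allocated object that a probe routine links into a global list: unlink it on every error path that follows registration, or the core's teardown frees memory the list still references.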
References
- https://git.kernel.org/stable/c/6ad40b07e15c29712d9a4b8096914ccd82e3fc17
- https://git.kernel.org/stable/c/c80f2b047d5cc42fbd2dff9d1942d4ba7545100f
Impacted products
Vendor | Product | Version |
---|
(no entries listed yet; NVD record status "Awaiting Analysis")
NVD record: CVE-2025-38394, published 2025-07-25T13:15:28.843, last modified 2025-07-25T15:29:19.837, source identifier 416baaa9-dc9f-4396-8d5f-8c081fb06d67, metrics: none, vulnStatus: Awaiting Analysis. The record's English description is the Summary above; the Spanish description is a translation of the same text.