Import Source
https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-67422.json
JSON Data
https://api.test.osv.dev/v1/vulns/AZL-67422
Published
2025-09-16T13:16:01Z
Modified
2026-04-01T05:21:12.513191Z
Summary
CVE-2025-39824 affecting package kernel for versions less than 6.6.104.2-1
Details

In the Linux kernel, the following vulnerability has been resolved:

HID: asus: fix UAF via HID_CLAIMED_INPUT validation

After hid_hw_start() is called hidinput_connect() will eventually be called to set up the device with the input layer since the HID_CONNECT_DEFAULT connect mask is used. During hidinput_connect() all input and output reports are processed and corresponding hid_inputs are allocated and configured via hidinput_configure_usages(). This process involves slot tagging report fields and configuring usages by setting relevant bits in the capability bitmaps. However it is possible that the capability bitmaps are not set at all leading to the subsequent hidinput_has_been_populated() check to fail leading to the freeing of the hid_input and the underlying input device.

This becomes problematic because a malicious HID device like an ASUS ROG N-Key keyboard can trigger the above scenario via a specially crafted descriptor which then leads to a use-after-free when the name of the freed input device is written to later on after hid_hw_start(). Below, report 93 intentionally utilises the HID_UP_UNDEFINED Usage Page which is skipped during usage configuration, leading to the frees.

0x05, 0x0D,        // Usage Page (Digitizer)
0x09, 0x05,        // Usage (Touch Pad)
0xA1, 0x01,        // Collection (Application)
0x85, 0x0D,        //   Report ID (13)
0x06, 0x00, 0xFF,  //   Usage Page (Vendor Defined 0xFF00)
0x09, 0xC5,        //   Usage (0xC5)
0x15, 0x00,        //   Logical Minimum (0)
0x26, 0xFF, 0x00,  //   Logical Maximum (255)
0x75, 0x08,        //   Report Size (8)
0x95, 0x04,        //   Report Count (4)
0xB1, 0x02,        //   Feature (Data,Var,Abs)
0x85, 0x5D,        //   Report ID (93)
0x06, 0x00, 0x00,  //   Usage Page (Undefined)
0x09, 0x01,        //   Usage (0x01)
0x15, 0x00,        //   Logical Minimum (0)
0x26, 0xFF, 0x00,  //   Logical Maximum (255)
0x75, 0x08,        //   Report Size (8)
0x95, 0x1B,        //   Report Count (27)
0x81, 0x02,        //   Input (Data,Var,Abs)
0xC0,              // End Collection

Below is the KASAN splat after triggering the UAF:

[ 21.672709] ==================================================================
[ 21.673700] BUG: KASAN: slab-use-after-free in asus_probe+0xeeb/0xf80
[ 21.673700] Write of size 8 at addr ffff88810a0ac000 by task kworker/1:2/54
[ 21.673700]
[ 21.673700] CPU: 1 UID: 0 PID: 54 Comm: kworker/1:2 Not tainted 6.16.0-rc4-g9773391cf4dd-dirty #36 PREEMPT(voluntary)
[ 21.673700] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
[ 21.673700] Call Trace:
[ 21.673700] <TASK>
[ 21.673700] dump_stack_lvl+0x5f/0x80
[ 21.673700] print_report+0xd1/0x660
[ 21.673700] kasan_report+0xe5/0x120
[ 21.673700] __asan_report_store8_noabort+0x1b/0x30
[ 21.673700] asus_probe+0xeeb/0xf80
[ 21.673700] hid_device_probe+0x2ee/0x700
[ 21.673700] really_probe+0x1c6/0x6b0
[ 21.673700] __driver_probe_device+0x24f/0x310
[ 21.673700] driver_probe_device+0x4e/0x220
[...]
[ 21.673700]
[ 21.673700] Allocated by task 54:
[ 21.673700] kasan_save_stack+0x3d/0x60
[ 21.673700] kasan_save_track+0x18/0x40
[ 21.673700] kasan_save_alloc_info+0x3b/0x50
[ 21.673700] __kasan_kmalloc+0x9c/0xa0
[ 21.673700] __kmalloc_cache_noprof+0x139/0x340
[ 21.673700] input_allocate_device+0x44/0x370
[ 21.673700] hidinput_connect+0xcb6/0x2630
[ 21.673700] hid_connect+0xf74/0x1d60
[ 21.673700] hid_hw_start+0x8c/0x110
[ 21.673700] asus_probe+0x5a3/0xf80
[ 21.673700] hid_device_probe+0x2ee/0x700
[ 21.673700] really_probe+0x1c6/0x6b0
[ 21.673700] __driver_probe_device+0x24f/0x310
[ 21.673700] driver_probe_device+0x4e/0x220
[...]
[ 21.673700]
[ 21.673700] Freed by task 54:
[ 21.673700] kasan_save_stack+0x3d/0x60
[ 21.673700] kasan_save_track+0x18/0x40
[ 21.673700] kasan_save_free_info+0x3f/0x60
[ 21.673700] __kasan_slab_free+0x3c/0x50
[ 21.673700] kfre ---truncated---
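The descriptor quoted in the details above can be checked offline. The following is an added example, not code from the advisory or from the kernel fix: a small HID short-item walker that reports which non-constant Input items have no usage on a defined Usage Page. The function name `undefined_page_inputs` and the flagging rule are assumptions made for illustration; it is a simplified check, not the kernel's usage-mapping logic.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The report descriptor quoted in the advisory text. */
static const uint8_t advisory_desc[] = {
    0x05, 0x0D, 0x09, 0x05, 0xA1, 0x01, 0x85, 0x0D, 0x06, 0x00, 0xFF,
    0x09, 0xC5, 0x15, 0x00, 0x26, 0xFF, 0x00, 0x75, 0x08, 0x95, 0x04,
    0xB1, 0x02, 0x85, 0x5D, 0x06, 0x00, 0x00, 0x09, 0x01, 0x15, 0x00,
    0x26, 0xFF, 0x00, 0x75, 0x08, 0x95, 0x1B, 0x81, 0x02, 0xC0,
};

/* Hypothetical helper: stores Report IDs of non-constant Input items with no
 * usage on a defined Usage Page; returns the count, or -1 on a truncated item. */
int undefined_page_inputs(const uint8_t *d, size_t len, uint8_t *ids, int max)
{
    uint32_t page = 0;          /* global state: current Usage Page */
    uint8_t report_id = 0;      /* global state: current Report ID */
    int mapped = 0, n = 0;      /* mapped: a usage on a page != 0 was seen */
    for (size_t i = 0; i < len; ) {
        if (d[i] == 0xFE) {     /* long item: 0xFE, data size, tag, data */
            if (i + 1 >= len || i + 3 + d[i + 1] > len) return -1;
            i += 3 + (size_t)d[i + 1];
            continue;
        }
        size_t size = (d[i] & 3) == 3 ? 4 : (size_t)(d[i] & 3);
        unsigned type = (d[i] >> 2) & 3, tag = d[i] >> 4;
        uint32_t v = 0;
        if (i + 1 + size > len) return -1;
        for (size_t k = 0; k < size; k++)       /* little-endian payload */
            v |= (uint32_t)d[i + 1 + k] << (8 * k);
        if (type == 1 && tag == 0) page = v;                     /* Usage Page */
        else if (type == 1 && tag == 8) report_id = (uint8_t)v;  /* Report ID */
        else if (type == 2 && tag <= 2) {   /* Usage, Usage Minimum/Maximum */
            if ((size == 4 ? v >> 16 : page) != 0) mapped = 1;
        } else if (type == 0) {             /* a main item ends local state */
            if (tag == 8 && !(v & 1) && !mapped && n < max)
                ids[n++] = report_id;       /* Input (Data), nothing mappable */
            mapped = 0;
        }
        i += 1 + size;
    }
    return n;
}

int main(void)
{
    uint8_t ids[8];
    int n = undefined_page_inputs(advisory_desc, sizeof advisory_desc, ids, 8);
    for (int i = 0; i < n; i++)
        printf("report %u: Input with no defined usage page\n", (unsigned)ids[i]);
    return n < 0;
}
```
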

Affected packages

Azure Linux:3 / kernel

Package

Name
kernel
Purl
pkg:rpm/azure-linux/kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
6.6.104.2-1

Database specific

source
"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-67422.json"