CVE-2025-21948

In the Linux kernel, the following vulnerability has been resolved:

HID: appleir: Fix potential NULL dereference at raw event handle

Syzkaller reports a NULL pointer dereference issue in input_event().

BUG: KASAN: null-ptr-deref in instrumentatomicread include/linux/instrumented.h:68 [inline] BUG: KASAN: null-ptr-deref in testbit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline] BUG: KASAN: null-ptr-deref in iseventsupported drivers/input/input.c:67 [inline] BUG: KASAN: null-ptr-deref in input_event+0x42/0xa0 drivers/input/input.c:395 Read of size 8 at addr 0000000000000028 by task syz-executor199/2949

CPU: 0 UID: 0 PID: 2949 Comm: syz-executor199 Not tainted 6.13.0-rc4-syzkaller-00076-gf097a36ef88d #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Call Trace: <IRQ> _dumpstack lib/dumpstack.c:94 [inline] dumpstacklvl+0x116/0x1f0 lib/dumpstack.c:120 kasanreport+0xd9/0x110 mm/kasan/report.c:602 checkregioninline mm/kasan/generic.c:183 [inline] kasancheckrange+0xef/0x1a0 mm/kasan/generic.c:189 instrumentatomicread include/linux/instrumented.h:68 [inline] _testbit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline] iseventsupported drivers/input/input.c:67 [inline] inputevent+0x42/0xa0 drivers/input/input.c:395 inputreportkey include/linux/input.h:439 [inline] keydown drivers/hid/hid-appleir.c:159 [inline] appleirrawevent+0x3e5/0x5e0 drivers/hid/hid-appleir.c:232 _hidinputreport.constprop.0+0x312/0x440 drivers/hid/hid-core.c:2111 hidctrl+0x49f/0x550 drivers/hid/usbhid/hid-core.c:484 _usbhcdgivebackurb+0x389/0x6e0 drivers/usb/core/hcd.c:1650 usbhcdgivebackurb+0x396/0x450 drivers/usb/core/hcd.c:1734 dummytimer+0x17f7/0x3960 drivers/usb/gadget/udc/dummyhcd.c:1993 _runhrtimer kernel/time/hrtimer.c:1739 [inline] _hrtimerrunqueues+0x20a/0xae0 kernel/time/hrtimer.c:1803 hrtimerrunsoftirq+0x17d/0x350 kernel/time/hrtimer.c:1820 handlesoftirqs+0x206/0x8d0 kernel/softirq.c:561 _dosoftirq kernel/softirq.c:595 [inline] invokesoftirq kernel/softirq.c:435 [inline] _irqexitrcu+0xfa/0x160 kernel/softirq.c:662 irqexitrcu+0x9/0x30 kernel/softirq.c:678 instrsysvecapictimerinterrupt arch/x86/kernel/apic/apic.c:1049 [inline] sysvecapictimerinterrupt+0x90/0xb0 arch/x86/kernel/apic/apic.c:1049 </IRQ> <TASK> asmsysvecapictimerinterrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702 _modtimer+0x8f6/0xdc0 kernel/time/timer.c:1185 addtimer+0x62/0x90 kernel/time/timer.c:1295 scheduletimeout+0x11f/0x280 kernel/time/sleeptimeout.c:98 usbhidwaitio+0x1c7/0x380 drivers/hid/usbhid/hid-core.c:645 usbhidinitreports+0x19f/0x390 drivers/hid/usbhid/hid-core.c:784 hiddevioctl+0x1133/0x15b0 drivers/hid/usbhid/hiddev.c:794 vfsioctl fs/ioctl.c:51 [inline] _dosysioctl fs/ioctl.c:906 [inline] _sesysioctl fs/ioctl.c:892 [inline] _x64sysioctl+0x190/0x200 fs/ioctl.c:892 dosyscallx64 arch/x86/entry/common.c:52 [inline] dosyscall64+0xcd/0x250 arch/x86/entry/common.c:83 entrySYSCALL64afterhwframe+0x77/0x7f </TASK>

This happens due to the malformed report items sent by the emulated device which results in a report, that has no fields, being added to the report list. Due to this appleirinputconfigured() is never called, hidinputconnect() fails which results in the HIDCLAIMEDINPUT flag is not being set. However, it does not make appleirprobe() fail and lets the event callback to be called without the associated input device.

Thus, add a check for the HIDCLAIMEDINPUT flag and leave the event hook early if the driver didn't claim any inputdev for some reason. Moreover, some other hid drivers accessing inputdev in their event callbacks do have similar checks, too.

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.