[PATCH] HID: u2fzero: fix general protection fault in u2fzero_recv

Next message: Tristan Madani: "[PATCH v3 1/3] wifi: carl9170: bound memcpy length in cmd callback to prevent OOB read"
Previous message: l1za0 . sec: "[PATCH] iommufd: fix slab-use-after-free read in iommufd_ioas_unmap"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: l1za0 . sec

Date: Tue Apr 21 2026 - 09:52:59 EST

From: Haocheng Yu <l1za0.sec@xxxxxxxxx>

A general protection fault in u2fzero_recv is reported by a
modified Syzkaller-based kernel fuzzing tool we developed.

The cause is that u2fzero_probe() calls the u2fzero_fill_in_urb()
function but ignores its return value. When the urb setting fails,
dev->urb remains NULL, but u2fzero_probe() continues to run. When
`dev->urb->context = &ctx;` in u2fzero_recv() is executed, the
KASAN null pointer dereference crash will occur.

To fix this vulnerability, I added a check for the return value of
u2fzero_fill_in_urb() and aborted u2fzero_probe() on error. And I
added a NULL value check for dev->urb in u2fzero_recv() to further
ensure its integrity.

Signed-off-by: Haocheng Yu <l1za0.sec@xxxxxxxxx>
---
drivers/hid/hid-u2fzero.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/drivers/hid/hid-u2fzero.c b/drivers/hid/hid-u2fzero.c
index 744a91e6e78c..c51f6dd80635 100644
--- a/drivers/hid/hid-u2fzero.c
+++ b/drivers/hid/hid-u2fzero.c
@@ -134,6 +134,12 @@ static int u2fzero_recv(struct u2fzero_device *dev,

memcpy(dev->buf_out, req, sizeof(struct u2f_hid_report));

+ if (!dev->urb) {
+ hid_err(hdev, "recv called without initialized URB");
+ ret = -ENODEV;
+ goto err;
+ }
+
dev->urb->context = &ctx;
init_completion(&ctx.done);

@@ -341,7 +347,11 @@ static int u2fzero_probe(struct hid_device *hdev,
if (ret)
return ret;

- u2fzero_fill_in_urb(dev);
+ ret = u2fzero_fill_in_urb(dev);
+ if (ret) {
+ hid_hw_stop(hdev);
+ return ret;
+ }

dev->present = true;

base-commit: ffc253263a1375a65fa6c9f62a893e9767fbebfa
--
2.51.0