[PATCH] HID: hidpp: fix potential UAF in hidpp_connect_event()

Next message: Linus Walleij: "Re: [PATCH RFC 0/2] pinctrl: Add support gpiod_to_irq"
Previous message: Harry Yoo: "Re: [PATCH for-next v3 1/9] slub_kunit: fall back to SW perf events when HW PMU is not available"
In reply to: Jiri Kosina: "[PATCH] HID: hidpp: fix potential UAF in hidpp_connect_event()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Jiri Kosina

Date: Mon Jun 15 2026 - 08:59:49 EST

From: Jiri Kosina <jkosina@xxxxxxxx>

If input_register_device() fails, we call input_free_device(), but keep
stale pointer to the old device in hidpp->input, which could potentially
lead to UAF. Fix that by resetting it to NULL before returning from
hidpp_connect_event().

Reported-by: zdi-disclosures@xxxxxxxxxxxxxx
Signed-off-by: Jiri Kosina <jkosina@xxxxxxxx>
---

v1->v2: set hidpp->input to NULL before freeing the device to avoid race
as reported by Sashiko

drivers/hid/hid-logitech-hidpp.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/drivers/hid/hid-logitech-hidpp.c b/drivers/hid/hid-logitech-hidpp.c
index ccbf28869a96..d8e86b6ccf37 100644
--- a/drivers/hid/hid-logitech-hidpp.c
+++ b/drivers/hid/hid-logitech-hidpp.c
@@ -4295,6 +4295,7 @@ static void hidpp_connect_event(struct work_struct *work)

ret = input_register_device(input);
if (ret) {
+ hidpp->input = NULL;
input_free_device(input);
return;
}
--
Jiri Kosina
SUSE Labs