[PATCH] HID: usbhid: sanitize hid->uniq against non-printable bytes

Next message: Hari Haran: "[PATCH] staging: rtl8723bs: fix alignment issue in rtw_xmit.c"
Previous message: Jassi Brar: "Re: [PATCH v3 2/2] mailbox: Make mbox_send_message() return error code when tx fails"
Next in thread: Greg KH: "Re: [PATCH] HID: usbhid: sanitize hid-&gt;uniq against non-printable bytes"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Taylor Hewetson

Date: Fri Apr 17 2026 - 22:58:38 EST

Some USB HID devices (observed on ASUS ROG Azoth via its 2.4GHz
dongle, USB ID 0b05:1a85) report an iSerialNumber string whose
USB string descriptor declares a longer length than the actual
serial, leaving uninitialized firmware memory - including control
characters such as 0x18 - appended to the returned string.

These non-printable bytes propagate into hid->uniq, which in turn
populates /sys/class/input/inputN/uniq. Downstream userspace
components (systemd sd-device property_is_valid(), and by extension
mutter input enumeration on GNOME Wayland sessions) reject devices
with control characters in their uniq, rendering otherwise-
functional input devices unusable in graphical sessions despite
the kernel input layer correctly translating keypresses.

Truncate hid->uniq at the first byte outside the printable ASCII
range (0x20..0x7e) after the serial is read.

Signed-off-by: Taylor Hewetson <taylor@exponent.digital>
---
--- a/drivers/hid/usbhid/hid-core.c
+++ b/drivers/hid/usbhid/hid-core.c
@@ -1427,8 +1427,17 @@
snprintf(hid->phys + len, sizeof(hid->phys) - len,
"%d", intf->altsetting[0].desc.bInterfaceNumber);

- if (usb_string(dev, dev->descriptor.iSerialNumber, hid->uniq, 64) <= 0)
+ if (usb_string(dev, dev->descriptor.iSerialNumber, hid->uniq, 64) <= 0) {
hid->uniq[0] = 0;
+ } else {
+ size_t i;
+ for (i = 0; i < sizeof(hid->uniq) && hid->uniq[i]; i++) {
+ if (hid->uniq[i] < 0x20 || hid->uniq[i] > 0x7e) {
+ hid->uniq[i] = 0;
+ break;
+ }
+ }
+ }

usbhid = kzalloc(sizeof(*usbhid), GFP_KERNEL);
if (usbhid == NULL) {