CVE-2025-38557 (GCVE-0-2025-38557)
Vulnerability from cvelistv5
Published: 2025-08-19 17:02
Modified: 2025-08-19 17:02
Severity: not provided in the record
Summary
In the Linux kernel, the following vulnerability has been resolved:

HID: apple: validate feature-report field count to prevent NULL pointer dereference

A malicious HID device with quirk APPLE_MAGIC_BACKLIGHT can trigger a NULL pointer dereference whilst the power feature-report is toggled and sent to the device in apple_magic_backlight_report_set(). The power feature-report is expected to have two data fields, but if the descriptor declares one field then accessing field[1] and dereferencing it in apple_magic_backlight_report_set() becomes invalid since field[1] will be NULL.

An example of a minimal descriptor which can cause the crash is something like the following, where the report with ID 3 (power report) only references a single 1-byte field. When hid core parses the descriptor it will encounter the final feature tag, allocate a hid_report (all members of field[] will be zeroed out), create the field structure and populate it, increasing the maxfield to 1. The subsequent field[1] access and dereference causes the crash.

  Usage Page (Vendor Defined 0xFF00)
  Usage (0x0F)
  Collection (Application)
    Report ID (1)
    Usage (0x01)
    Logical Minimum (0)
    Logical Maximum (255)
    Report Size (8)
    Report Count (1)
    Feature (Data,Var,Abs)

    Usage (0x02)
    Logical Maximum (32767)
    Report Size (16)
    Report Count (1)
    Feature (Data,Var,Abs)

    Report ID (3)
    Usage (0x03)
    Logical Minimum (0)
    Logical Maximum (1)
    Report Size (8)
    Report Count (1)
    Feature (Data,Var,Abs)
  End Collection

Here we see the KASAN splat when the kernel dereferences the NULL pointer and crashes:

  [   15.164723] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] SMP KASAN NOPTI
  [   15.165691] KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]
  [   15.165691] CPU: 0 UID: 0 PID: 10 Comm: kworker/0:1 Not tainted 6.15.0 #31 PREEMPT(voluntary)
  [   15.165691] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
  [   15.165691] RIP: 0010:apple_magic_backlight_report_set+0xbf/0x210
  [   15.165691] Call Trace:
  [   15.165691]  <TASK>
  [   15.165691]  apple_probe+0x571/0xa20
  [   15.165691]  hid_device_probe+0x2e2/0x6f0
  [   15.165691]  really_probe+0x1ca/0x5c0
  [   15.165691]  __driver_probe_device+0x24f/0x310
  [   15.165691]  driver_probe_device+0x4a/0xd0
  [   15.165691]  __device_attach_driver+0x169/0x220
  [   15.165691]  bus_for_each_drv+0x118/0x1b0
  [   15.165691]  __device_attach+0x1d5/0x380
  [   15.165691]  device_initial_probe+0x12/0x20
  [   15.165691]  bus_probe_device+0x13d/0x180
  [   15.165691]  device_add+0xd87/0x1510
  [...]

To fix this issue we should validate the number of fields that the backlight and power reports have and if they do not have the required number of fields then bail.
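A field-count check of the kind the fix describes, written here as an added C example rather than the kernel's hid-apple.c code: the struct layouts are simplified stand-ins, and requiring two fields for the backlight report as well as the power report, plus the -ENODEV return, are assumptions of this example. The probe path calls the validator before any setter can touch field[1], so the single-field descriptor above is rejected instead of dereferencing a NULL slot.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

/* Simplified stand-ins for the kernel's struct hid_field / struct hid_report
 * (added example, not the driver's code). hid core zeroes the whole field[]
 * array when it allocates a report, so every slot beyond maxfield is NULL. */
#define HID_MAX_FIELDS 256

struct hid_field {
    int32_t *value;            /* value[0] is the entry the driver writes */
};

struct hid_report {
    unsigned int id;
    unsigned int maxfield;     /* populated entries in field[] */
    struct hid_field *field[HID_MAX_FIELDS];
};

/* The setter writes field[0] and field[1], so each report needs two fields.
 * The advisory states this for the power report; applying the same bound to
 * the backlight report and returning -ENODEV are assumptions of this example. */
#define APPLE_MAGIC_MIN_FIELDS 2

static int apple_magic_backlight_validate(const struct hid_report *backlight,
                                          const struct hid_report *power)
{
    if (!backlight || !power)
        return -ENODEV;        /* report ID missing from the descriptor */
    if (backlight->maxfield < APPLE_MAGIC_MIN_FIELDS ||
        power->maxfield < APPLE_MAGIC_MIN_FIELDS)
        return -ENODEV;        /* too few fields: bail instead of dereferencing NULL */
    return 0;
}

/* Mirrors the setter's access pattern, guarded so a short report is rejected. */
static int apple_magic_report_set(struct hid_report *report, int32_t value, int32_t rate)
{
    if (report->maxfield < APPLE_MAGIC_MIN_FIELDS)
        return -EINVAL;
    report->field[0]->value[0] = value;
    report->field[1]->value[0] = rate;
    return 0;
}

/* Constructed input: a two-field backlight report (ID 1) and a power report
 * (ID 3) with the given field count; 1 reproduces the advisory's descriptor. */
static int demo_validate(unsigned int power_fields)
{
    static int32_t v0, v1, v2;
    struct hid_field f0 = { &v0 }, f1 = { &v1 }, f2 = { &v2 };
    struct hid_report backlight = { .id = 1, .maxfield = 2, .field = { &f0, &f1 } };
    struct hid_report power = { .id = 3, .maxfield = power_fields, .field = { &f2 } };
    if (power_fields >= 2)
        power.field[1] = &f1;
    if (apple_magic_backlight_validate(&backlight, &power))
        return -ENODEV;        /* probe would bail here */
    return apple_magic_report_set(&power, 1, 0);   /* safe: both fields present */
}
```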
Impacted products

Vendor: Linux
Product: Linux
Version: 394ba612f9419ec5bfebbffb72212fd3b2094986 (git; listed once per affected range in the record below)

Vendor: Linux
Product: Linux
Version: 6.11


{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/hid/hid-apple.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ba08cc6801ec5fb98f2d02b5f0c614c931845325",
              "status": "affected",
              "version": "394ba612f9419ec5bfebbffb72212fd3b2094986",
              "versionType": "git"
            },
            {
              "lessThan": "7e15d1eaa88179c5185e57a38ab05fe852d0cb8d",
              "status": "affected",
              "version": "394ba612f9419ec5bfebbffb72212fd3b2094986",
              "versionType": "git"
            },
            {
              "lessThan": "00896c3f41cb6b74fec853386076115ba50baf0a",
              "status": "affected",
              "version": "394ba612f9419ec5bfebbffb72212fd3b2094986",
              "versionType": "git"
            },
            {
              "lessThan": "1bb3363da862e0464ec050eea2fb5472a36ad86b",
              "status": "affected",
              "version": "394ba612f9419ec5bfebbffb72212fd3b2094986",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/hid/hid-apple.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.11"
            },
            {
              "lessThan": "6.11",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.42",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17-rc1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.42",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.10",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.1",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17-rc1",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: apple: validate feature-report field count to prevent NULL pointer dereference\n\nA malicious HID device with quirk APPLE_MAGIC_BACKLIGHT can trigger a NULL\npointer dereference whilst the power feature-report is toggled and sent to\nthe device in apple_magic_backlight_report_set(). The power feature-report\nis expected to have two data fields, but if the descriptor declares one\nfield then accessing field[1] and dereferencing it in\napple_magic_backlight_report_set() becomes invalid\nsince field[1] will be NULL.\n\nAn example of a minimal descriptor which can cause the crash is something\nlike the following where the report with ID 3 (power report) only\nreferences a single 1-byte field. When hid core parses the descriptor it\nwill encounter the final feature tag, allocate a hid_report (all members\nof field[] will be zeroed out), create field structure and populate it,\nincreasing the maxfield to 1. The subsequent field[1] access and\ndereference causes the crash.\n\n  Usage Page (Vendor Defined 0xFF00)\n  Usage (0x0F)\n  Collection (Application)\n    Report ID (1)\n    Usage (0x01)\n    Logical Minimum (0)\n    Logical Maximum (255)\n    Report Size (8)\n    Report Count (1)\n    Feature (Data,Var,Abs)\n\n    Usage (0x02)\n    Logical Maximum (32767)\n    Report Size (16)\n    Report Count (1)\n    Feature (Data,Var,Abs)\n\n    Report ID (3)\n    Usage (0x03)\n    Logical Minimum (0)\n    Logical Maximum (1)\n    Report Size (8)\n    Report Count (1)\n    Feature (Data,Var,Abs)\n  End Collection\n\nHere we see the KASAN splat when the kernel dereferences the\nNULL pointer and crashes:\n\n  [   15.164723] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] SMP KASAN NOPTI\n  [   15.165691] KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]\n  [   15.165691] CPU: 0 UID: 0 PID: 10 Comm: kworker/0:1 Not tainted 6.15.0 #31 PREEMPT(voluntary)\n  [   15.165691] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\n  [   15.165691] RIP: 0010:apple_magic_backlight_report_set+0xbf/0x210\n  [   15.165691] Call Trace:\n  [   15.165691]  \u003cTASK\u003e\n  [   15.165691]  apple_probe+0x571/0xa20\n  [   15.165691]  hid_device_probe+0x2e2/0x6f0\n  [   15.165691]  really_probe+0x1ca/0x5c0\n  [   15.165691]  __driver_probe_device+0x24f/0x310\n  [   15.165691]  driver_probe_device+0x4a/0xd0\n  [   15.165691]  __device_attach_driver+0x169/0x220\n  [   15.165691]  bus_for_each_drv+0x118/0x1b0\n  [   15.165691]  __device_attach+0x1d5/0x380\n  [   15.165691]  device_initial_probe+0x12/0x20\n  [   15.165691]  bus_probe_device+0x13d/0x180\n  [   15.165691]  device_add+0xd87/0x1510\n  [...]\n\nTo fix this issue we should validate the number of fields that the\nbacklight and power reports have and if they do not have the required\nnumber of fields then bail."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-19T17:02:35.641Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ba08cc6801ec5fb98f2d02b5f0c614c931845325"
        },
        {
          "url": "https://git.kernel.org/stable/c/7e15d1eaa88179c5185e57a38ab05fe852d0cb8d"
        },
        {
          "url": "https://git.kernel.org/stable/c/00896c3f41cb6b74fec853386076115ba50baf0a"
        },
        {
          "url": "https://git.kernel.org/stable/c/1bb3363da862e0464ec050eea2fb5472a36ad86b"
        }
      ],
      "title": "HID: apple: validate feature-report field count to prevent NULL pointer dereference",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38557",
    "datePublished": "2025-08-19T17:02:35.641Z",
    "dateReserved": "2025-04-16T04:51:24.025Z",
    "dateUpdated": "2025-08-19T17:02:35.641Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-38557\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-08-19T17:15:31.960\",\"lastModified\":\"2025-08-20T14:40:17.713\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nHID: apple: validate feature-report field count to prevent NULL pointer dereference\\n\\nA malicious HID device with quirk APPLE_MAGIC_BACKLIGHT can trigger a NULL\\npointer dereference whilst the power feature-report is toggled and sent to\\nthe device in apple_magic_backlight_report_set(). The power feature-report\\nis expected to have two data fields, but if the descriptor declares one\\nfield then accessing field[1] and dereferencing it in\\napple_magic_backlight_report_set() becomes invalid\\nsince field[1] will be NULL.\\n\\nAn example of a minimal descriptor which can cause the crash is something\\nlike the following where the report with ID 3 (power report) only\\nreferences a single 1-byte field. When hid core parses the descriptor it\\nwill encounter the final feature tag, allocate a hid_report (all members\\nof field[] will be zeroed out), create field structure and populate it,\\nincreasing the maxfield to 1. The subsequent field[1] access and\\ndereference causes the crash.\\n\\n  Usage Page (Vendor Defined 0xFF00)\\n  Usage (0x0F)\\n  Collection (Application)\\n    Report ID (1)\\n    Usage (0x01)\\n    Logical Minimum (0)\\n    Logical Maximum (255)\\n    Report Size (8)\\n    Report Count (1)\\n    Feature (Data,Var,Abs)\\n\\n    Usage (0x02)\\n    Logical Maximum (32767)\\n    Report Size (16)\\n    Report Count (1)\\n    Feature (Data,Var,Abs)\\n\\n    Report ID (3)\\n    Usage (0x03)\\n    Logical Minimum (0)\\n    Logical Maximum (1)\\n    Report Size (8)\\n    Report Count (1)\\n    Feature (Data,Var,Abs)\\n  End Collection\\n\\nHere we see the KASAN splat when the kernel dereferences the\\nNULL pointer and crashes:\\n\\n  [   15.164723] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] SMP KASAN NOPTI\\n  [   15.165691] KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]\\n  [   15.165691] CPU: 0 UID: 0 PID: 10 Comm: kworker/0:1 Not tainted 6.15.0 #31 PREEMPT(voluntary)\\n  [   15.165691] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\\n  [   15.165691] RIP: 0010:apple_magic_backlight_report_set+0xbf/0x210\\n  [   15.165691] Call Trace:\\n  [   15.165691]  \u003cTASK\u003e\\n  [   15.165691]  apple_probe+0x571/0xa20\\n  [   15.165691]  hid_device_probe+0x2e2/0x6f0\\n  [   15.165691]  really_probe+0x1ca/0x5c0\\n  [   15.165691]  __driver_probe_device+0x24f/0x310\\n  [   15.165691]  driver_probe_device+0x4a/0xd0\\n  [   15.165691]  __device_attach_driver+0x169/0x220\\n  [   15.165691]  bus_for_each_drv+0x118/0x1b0\\n  [   15.165691]  __device_attach+0x1d5/0x380\\n  [   15.165691]  device_initial_probe+0x12/0x20\\n  [   15.165691]  bus_probe_device+0x13d/0x180\\n  [   15.165691]  device_add+0xd87/0x1510\\n  [...]\\n\\nTo fix this issue we should validate the number of fields that the\\nbacklight and power reports have and if they do not have the required\\nnumber of fields then bail.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: HID: apple: validar el recuento de campos del informe de caracter\u00edsticas para evitar la desreferencia de puntero NULL. Un dispositivo HID malicioso con la peculiaridad APPLE_MAGIC_BACKLIGHT puede activar una desreferencia de puntero NULL mientras el informe de caracter\u00edsticas de potencia se conmuta y se env\u00eda al dispositivo en apple_magic_backlight_report_set(). Se espera que el informe de caracter\u00edsticas de potencia tenga dos campos de datos, pero si el descriptor declara un campo, entonces acceder a field[1] y desreferenciarlo en apple_magic_backlight_report_set() se vuelve inv\u00e1lido ya que field[1] ser\u00e1 NULL. Un ejemplo de un descriptor m\u00ednimo que puede causar el bloqueo es algo como lo siguiente, donde el informe con ID 3 (informe de potencia) solo hace referencia a un \u00fanico campo de 1 byte. Cuando el n\u00facleo hid analiza el descriptor, encontrar\u00e1 la etiqueta de caracter\u00edstica final, asignar\u00e1 un hid_report (todos los miembros de field[] se pondr\u00e1n a cero), crear\u00e1 una estructura de campo y la completar\u00e1, aumentando el maxfield a 1. El acceso y la desreferencia a field[1] posteriores provocan el bloqueo. P\u00e1gina de uso (definida por el proveedor 0xFF00) Uso (0x0F) Recopilaci\u00f3n (aplicaci\u00f3n) ID de informe (1) Uso (0x01) M\u00ednimo l\u00f3gico (0) M\u00e1ximo l\u00f3gico (255) Tama\u00f1o de informe (8) Cantidad de informes (1) Caracter\u00edstica (datos, variables, abs) Uso (0x02) M\u00e1ximo l\u00f3gico (32767) Tama\u00f1o de informe (16) Cantidad de informes (1) Caracter\u00edstica (datos, variables, abs) ID de informe (3) Uso (0x03) M\u00ednimo l\u00f3gico (0) M\u00e1ximo l\u00f3gico (1) Tama\u00f1o de informe (8) Cantidad de informes (1) Caracter\u00edstica (datos, variables, abs) Fin de recopilaci\u00f3n Aqu\u00ed vemos el splat de KASAN cuando el n\u00facleo desreferencia el puntero NULL y se bloquea: [ 15.164723] Ups: fallo de protecci\u00f3n general, probablemente para la direcci\u00f3n no can\u00f3nica 0xdffffc0000000006: 0000 [#1] SMP KASAN NOPTI [ 15.165691] KASAN: null-ptr-deref en el rango [0x0000000000000030-0x0000000000000037] [ 15.165691] CPU: 0 UID: 0 PID: 10 Comm: kworker/0:1 No contaminado 6.15.0 #31 PREEMPT(voluntario) [ 15.165691] Nombre del hardware: PC est\u00e1ndar QEMU (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 01/04/2014 [ 15.165691] RIP: 0010:apple_magic_backlight_report_set+0xbf/0x210 [ 15.165691] Rastreo de llamadas: [ 15.165691]  [ 15.165691] apple_probe+0x571/0xa20 [ 15.165691] hid_device_probe+0x2e2/0x6f0 [ 15.165691] really_probe+0x1ca/0x5c0 [ 15.165691] __driver_probe_device+0x24f/0x310 [ 15.165691] driver_probe_device+0x4a/0xd0 [ 15.165691] __device_attach_driver+0x169/0x220 [ 15.165691] bus_for_each_drv+0x118/0x1b0 [ 15.165691] __device_attach+0x1d5/0x380 [ 15.165691] device_initial_probe+0x12/0x20 [ 15.165691] bus_probe_device+0x13d/0x180 [ 15.165691] device_add+0xd87/0x1510 [...] Para solucionar este problema debemos validar el n\u00famero de campos que tienen los reportes de retroiluminaci\u00f3n y energ\u00eda y si no tienen el n\u00famero de campos requerido entonces abandonar.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/00896c3f41cb6b74fec853386076115ba50baf0a\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/1bb3363da862e0464ec050eea2fb5472a36ad86b\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/7e15d1eaa88179c5185e57a38ab05fe852d0cb8d\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/ba08cc6801ec5fb98f2d02b5f0c614c931845325\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}
