ghsa-v45v-87mp-6qrc
Vulnerability from github
Published
2025-09-16 15:32
Modified
2025-09-16 15:32
Details

In the Linux kernel, the following vulnerability has been resolved:

HID: asus: fix UAF via HID_CLAIMED_INPUT validation

After hid_hw_start() is called hidinput_connect() will eventually be called to set up the device with the input layer since the HID_CONNECT_DEFAULT connect mask is used. During hidinput_connect() all input and output reports are processed and corresponding hid_inputs are allocated and configured via hidinput_configure_usages(). This process involves slot tagging report fields and configuring usages by setting relevant bits in the capability bitmaps. However it is possible that the capability bitmaps are not set at all leading to the subsequent hidinput_has_been_populated() check to fail leading to the freeing of the hid_input and the underlying input device.

This becomes problematic because a malicious HID device like a ASUS ROG N-Key keyboard can trigger the above scenario via a specially crafted descriptor which then leads to a user-after-free when the name of the freed input device is written to later on after hid_hw_start(). Below, report 93 intentionally utilises the HID_UP_UNDEFINED Usage Page which is skipped during usage configuration, leading to the frees.

0x05, 0x0D, // Usage Page (Digitizer) 0x09, 0x05, // Usage (Touch Pad) 0xA1, 0x01, // Collection (Application) 0x85, 0x0D, // Report ID (13) 0x06, 0x00, 0xFF, // Usage Page (Vendor Defined 0xFF00) 0x09, 0xC5, // Usage (0xC5) 0x15, 0x00, // Logical Minimum (0) 0x26, 0xFF, 0x00, // Logical Maximum (255) 0x75, 0x08, // Report Size (8) 0x95, 0x04, // Report Count (4) 0xB1, 0x02, // Feature (Data,Var,Abs) 0x85, 0x5D, // Report ID (93) 0x06, 0x00, 0x00, // Usage Page (Undefined) 0x09, 0x01, // Usage (0x01) 0x15, 0x00, // Logical Minimum (0) 0x26, 0xFF, 0x00, // Logical Maximum (255) 0x75, 0x08, // Report Size (8) 0x95, 0x1B, // Report Count (27) 0x81, 0x02, // Input (Data,Var,Abs) 0xC0, // End Collection

Below is the KASAN splat after triggering the UAF:

[ 21.672709] ================================================================== [ 21.673700] BUG: KASAN: slab-use-after-free in asus_probe+0xeeb/0xf80 [ 21.673700] Write of size 8 at addr ffff88810a0ac000 by task kworker/1:2/54 [ 21.673700] [ 21.673700] CPU: 1 UID: 0 PID: 54 Comm: kworker/1:2 Not tainted 6.16.0-rc4-g9773391cf4dd-dirty #36 PREEMPT(voluntary) [ 21.673700] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 [ 21.673700] Call Trace: [ 21.673700] [ 21.673700] dump_stack_lvl+0x5f/0x80 [ 21.673700] print_report+0xd1/0x660 [ 21.673700] kasan_report+0xe5/0x120 [ 21.673700] __asan_report_store8_noabort+0x1b/0x30 [ 21.673700] asus_probe+0xeeb/0xf80 [ 21.673700] hid_device_probe+0x2ee/0x700 [ 21.673700] really_probe+0x1c6/0x6b0 [ 21.673700] __driver_probe_device+0x24f/0x310 [ 21.673700] driver_probe_device+0x4e/0x220 [...] [ 21.673700] [ 21.673700] Allocated by task 54: [ 21.673700] kasan_save_stack+0x3d/0x60 [ 21.673700] kasan_save_track+0x18/0x40 [ 21.673700] kasan_save_alloc_info+0x3b/0x50 [ 21.673700] __kasan_kmalloc+0x9c/0xa0 [ 21.673700] __kmalloc_cache_noprof+0x139/0x340 [ 21.673700] input_allocate_device+0x44/0x370 [ 21.673700] hidinput_connect+0xcb6/0x2630 [ 21.673700] hid_connect+0xf74/0x1d60 [ 21.673700] hid_hw_start+0x8c/0x110 [ 21.673700] asus_probe+0x5a3/0xf80 [ 21.673700] hid_device_probe+0x2ee/0x700 [ 21.673700] really_probe+0x1c6/0x6b0 [ 21.673700] __driver_probe_device+0x24f/0x310 [ 21.673700] driver_probe_device+0x4e/0x220 [...] [ 21.673700] [ 21.673700] Freed by task 54: [ 21.673700] kasan_save_stack+0x3d/0x60 [ 21.673700] kasan_save_track+0x18/0x40 [ 21.673700] kasan_save_free_info+0x3f/0x60 [ 21.673700] __kasan_slab_free+0x3c/0x50 [ 21.673700] kfre ---truncated---

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2025-39824"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-16T13:16:01Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: asus: fix UAF via HID_CLAIMED_INPUT validation\n\nAfter hid_hw_start() is called hidinput_connect() will eventually be\ncalled to set up the device with the input layer since the\nHID_CONNECT_DEFAULT connect mask is used. During hidinput_connect()\nall input and output reports are processed and corresponding hid_inputs\nare allocated and configured via hidinput_configure_usages(). This\nprocess involves slot tagging report fields and configuring usages\nby setting relevant bits in the capability bitmaps. However it is possible\nthat the capability bitmaps are not set at all leading to the subsequent\nhidinput_has_been_populated() check to fail leading to the freeing of the\nhid_input and the underlying input device.\n\nThis becomes problematic because a malicious HID device like a\nASUS ROG N-Key keyboard can trigger the above scenario via a\nspecially crafted descriptor which then leads to a user-after-free\nwhen the name of the freed input device is written to later on after\nhid_hw_start(). Below, report 93 intentionally utilises the\nHID_UP_UNDEFINED Usage Page which is skipped during usage\nconfiguration, leading to the frees.\n\n0x05, 0x0D,        // Usage Page (Digitizer)\n0x09, 0x05,        // Usage (Touch Pad)\n0xA1, 0x01,        // Collection (Application)\n0x85, 0x0D,        //   Report ID (13)\n0x06, 0x00, 0xFF,  //   Usage Page (Vendor Defined 0xFF00)\n0x09, 0xC5,        //   Usage (0xC5)\n0x15, 0x00,        //   Logical Minimum (0)\n0x26, 0xFF, 0x00,  //   Logical Maximum (255)\n0x75, 0x08,        //   Report Size (8)\n0x95, 0x04,        //   Report Count (4)\n0xB1, 0x02,        //   Feature (Data,Var,Abs)\n0x85, 0x5D,        //   Report ID (93)\n0x06, 0x00, 0x00,  //   Usage Page (Undefined)\n0x09, 0x01,        //   Usage (0x01)\n0x15, 0x00,        //   Logical Minimum (0)\n0x26, 0xFF, 0x00,  //   Logical Maximum (255)\n0x75, 0x08,        //   Report Size (8)\n0x95, 0x1B,        //   Report Count (27)\n0x81, 0x02,        //   Input (Data,Var,Abs)\n0xC0,              // End Collection\n\nBelow is the KASAN splat after triggering the UAF:\n\n[   21.672709] ==================================================================\n[   21.673700] BUG: KASAN: slab-use-after-free in asus_probe+0xeeb/0xf80\n[   21.673700] Write of size 8 at addr ffff88810a0ac000 by task kworker/1:2/54\n[   21.673700]\n[   21.673700] CPU: 1 UID: 0 PID: 54 Comm: kworker/1:2 Not tainted 6.16.0-rc4-g9773391cf4dd-dirty #36 PREEMPT(voluntary)\n[   21.673700] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\n[   21.673700] Call Trace:\n[   21.673700]  \u003cTASK\u003e\n[   21.673700]  dump_stack_lvl+0x5f/0x80\n[   21.673700]  print_report+0xd1/0x660\n[   21.673700]  kasan_report+0xe5/0x120\n[   21.673700]  __asan_report_store8_noabort+0x1b/0x30\n[   21.673700]  asus_probe+0xeeb/0xf80\n[   21.673700]  hid_device_probe+0x2ee/0x700\n[   21.673700]  really_probe+0x1c6/0x6b0\n[   21.673700]  __driver_probe_device+0x24f/0x310\n[   21.673700]  driver_probe_device+0x4e/0x220\n[...]\n[   21.673700]\n[   21.673700] Allocated by task 54:\n[   21.673700]  kasan_save_stack+0x3d/0x60\n[   21.673700]  kasan_save_track+0x18/0x40\n[   21.673700]  kasan_save_alloc_info+0x3b/0x50\n[   21.673700]  __kasan_kmalloc+0x9c/0xa0\n[   21.673700]  __kmalloc_cache_noprof+0x139/0x340\n[   21.673700]  input_allocate_device+0x44/0x370\n[   21.673700]  hidinput_connect+0xcb6/0x2630\n[   21.673700]  hid_connect+0xf74/0x1d60\n[   21.673700]  hid_hw_start+0x8c/0x110\n[   21.673700]  asus_probe+0x5a3/0xf80\n[   21.673700]  hid_device_probe+0x2ee/0x700\n[   21.673700]  really_probe+0x1c6/0x6b0\n[   21.673700]  __driver_probe_device+0x24f/0x310\n[   21.673700]  driver_probe_device+0x4e/0x220\n[...]\n[   21.673700]\n[   21.673700] Freed by task 54:\n[   21.673700]  kasan_save_stack+0x3d/0x60\n[   21.673700]  kasan_save_track+0x18/0x40\n[   21.673700]  kasan_save_free_info+0x3f/0x60\n[   21.673700]  __kasan_slab_free+0x3c/0x50\n[   21.673700]  kfre\n---truncated---",
  "id": "GHSA-v45v-87mp-6qrc",
  "modified": "2025-09-16T15:32:36Z",
  "published": "2025-09-16T15:32:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-39824"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5f3c0839b173f7f33415eb098331879e547d1d2d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7170122e2ae4ab378c9cdf7cc54dea8b0abbbca5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/72a4ec018c9e9bc52f4f80eb3afb5d6a6b752275"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9a9e4a8317437bf944fa017c66e1e23a0368b5c7"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a8ca8fe7f516d27ece3afb995c3bd4d07dcbe62c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c0d77e3441a92d0b4958193c9ac1c3f81c6f1d1c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d3af6ca9a8c34bbd8cff32b469b84c9021c9e7e4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/eaae728e7335b5dbad70966e2bd520a731fdf7b2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.