{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-21948", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-12-29T08:45:45.790Z", "datePublished": "2025-04-01T15:41:09.949Z", "dateUpdated": "2025-05-04T07:25:28.175Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-04T07:25:28.175Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: appleir: Fix potential NULL dereference at raw event handle\n\nSyzkaller reports a NULL pointer dereference issue in input_event().\n\nBUG: KASAN: null-ptr-deref in instrument_atomic_read include/linux/instrumented.h:68 [inline]\nBUG: KASAN: null-ptr-deref in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]\nBUG: KASAN: null-ptr-deref in is_event_supported drivers/input/input.c:67 [inline]\nBUG: KASAN: null-ptr-deref in input_event+0x42/0xa0 drivers/input/input.c:395\nRead of size 8 at addr 0000000000000028 by task syz-executor199/2949\n\nCPU: 0 UID: 0 PID: 2949 Comm: syz-executor199 Not tainted 6.13.0-rc4-syzkaller-00076-gf097a36ef88d #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\nCall Trace:\n <IRQ>\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120\n kasan_report+0xd9/0x110 mm/kasan/report.c:602\n check_region_inline mm/kasan/generic.c:183 [inline]\n kasan_check_range+0xef/0x1a0 mm/kasan/generic.c:189\n instrument_atomic_read include/linux/instrumented.h:68 [inline]\n _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]\n is_event_supported drivers/input/input.c:67 [inline]\n input_event+0x42/0xa0 drivers/input/input.c:395\n input_report_key include/linux/input.h:439 [inline]\n key_down drivers/hid/hid-appleir.c:159 [inline]\n appleir_raw_event+0x3e5/0x5e0 drivers/hid/hid-appleir.c:232\n __hid_input_report.constprop.0+0x312/0x440 drivers/hid/hid-core.c:2111\n hid_ctrl+0x49f/0x550 drivers/hid/usbhid/hid-core.c:484\n __usb_hcd_giveback_urb+0x389/0x6e0 drivers/usb/core/hcd.c:1650\n usb_hcd_giveback_urb+0x396/0x450 drivers/usb/core/hcd.c:1734\n dummy_timer+0x17f7/0x3960 drivers/usb/gadget/udc/dummy_hcd.c:1993\n __run_hrtimer kernel/time/hrtimer.c:1739 [inline]\n __hrtimer_run_queues+0x20a/0xae0 kernel/time/hrtimer.c:1803\n hrtimer_run_softirq+0x17d/0x350 kernel/time/hrtimer.c:1820\n handle_softirqs+0x206/0x8d0 kernel/softirq.c:561\n __do_softirq kernel/softirq.c:595 [inline]\n invoke_softirq kernel/softirq.c:435 [inline]\n __irq_exit_rcu+0xfa/0x160 kernel/softirq.c:662\n irq_exit_rcu+0x9/0x30 kernel/softirq.c:678\n instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline]\n sysvec_apic_timer_interrupt+0x90/0xb0 arch/x86/kernel/apic/apic.c:1049\n </IRQ>\n <TASK>\n asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702\n __mod_timer+0x8f6/0xdc0 kernel/time/timer.c:1185\n add_timer+0x62/0x90 kernel/time/timer.c:1295\n schedule_timeout+0x11f/0x280 kernel/time/sleep_timeout.c:98\n usbhid_wait_io+0x1c7/0x380 drivers/hid/usbhid/hid-core.c:645\n usbhid_init_reports+0x19f/0x390 drivers/hid/usbhid/hid-core.c:784\n hiddev_ioctl+0x1133/0x15b0 drivers/hid/usbhid/hiddev.c:794\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:906 [inline]\n __se_sys_ioctl fs/ioctl.c:892 [inline]\n __x64_sys_ioctl+0x190/0x200 fs/ioctl.c:892\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n </TASK>\n\nThis happens due to the malformed report items sent by the emulated device\nwhich results in a report, that has no fields, being added to the report list.\nDue to this appleir_input_configured() is never called, hidinput_connect()\nfails which results in the HID_CLAIMED_INPUT flag is not being set. However,\nit does not make appleir_probe() fail and lets the event callback to be\ncalled without the associated input device.\n\nThus, add a check for the HID_CLAIMED_INPUT flag and leave the event hook\nearly if the driver didn't claim any input_dev for some reason. Moreover,\nsome other hid drivers accessing input_dev in their event callbacks do have\nsimilar checks, too.\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/hid/hid-appleir.c"], "versions": [{"version": "9a4a5574ce427c364d81746fc7fb82d86b5f1a7e", "lessThan": "6db423b00940b05df2a1265d3c7eabafe9f1734c", "status": "affected", "versionType": "git"}, {"version": "9a4a5574ce427c364d81746fc7fb82d86b5f1a7e", "lessThan": "0df1ac8ee417ad76760ff076faa4518a4d861894", "status": "affected", "versionType": "git"}, {"version": "9a4a5574ce427c364d81746fc7fb82d86b5f1a7e", "lessThan": "b1d95d733cd6e74f595653daddcfc357bea461e8", "status": "affected", "versionType": "git"}, {"version": "9a4a5574ce427c364d81746fc7fb82d86b5f1a7e", "lessThan": "8d39eb8c5e14f2f0f441eed832ef8a7b654e6fee", "status": "affected", "versionType": "git"}, {"version": "9a4a5574ce427c364d81746fc7fb82d86b5f1a7e", "lessThan": "fc69e2c3219d433caabba4b5d6371ba726a4b37f", "status": "affected", "versionType": "git"}, {"version": "9a4a5574ce427c364d81746fc7fb82d86b5f1a7e", "lessThan": "d335fce8b88b2353f4bb20c631698e20384e3610", "status": "affected", "versionType": "git"}, {"version": "9a4a5574ce427c364d81746fc7fb82d86b5f1a7e", "lessThan": "68cdf6710f228dfd74f66ec61fbe636da2646a73", "status": "affected", "versionType": "git"}, {"version": "9a4a5574ce427c364d81746fc7fb82d86b5f1a7e", "lessThan": "2ff5baa9b5275e3acafdf7f2089f74cccb2f38d1", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/hid/hid-appleir.c"], "versions": [{"version": "3.10", "status": "affected"}, {"version": "0", "lessThan": "3.10", "status": "unaffected", "versionType": "semver"}, {"version": "5.4.291", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.235", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.179", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.131", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.83", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.19", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.13.7", "lessThanOrEqual": "6.13.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.14", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.10", "versionEndExcluding": "5.4.291"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.10", "versionEndExcluding": "5.10.235"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.10", "versionEndExcluding": "5.15.179"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.10", "versionEndExcluding": "6.1.131"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.10", "versionEndExcluding": "6.6.83"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.10", "versionEndExcluding": "6.12.19"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.10", "versionEndExcluding": "6.13.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.10", "versionEndExcluding": "6.14"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/6db423b00940b05df2a1265d3c7eabafe9f1734c"}, {"url": "https://git.kernel.org/stable/c/0df1ac8ee417ad76760ff076faa4518a4d861894"}, {"url": "https://git.kernel.org/stable/c/b1d95d733cd6e74f595653daddcfc357bea461e8"}, {"url": "https://git.kernel.org/stable/c/8d39eb8c5e14f2f0f441eed832ef8a7b654e6fee"}, {"url": "https://git.kernel.org/stable/c/fc69e2c3219d433caabba4b5d6371ba726a4b37f"}, {"url": "https://git.kernel.org/stable/c/d335fce8b88b2353f4bb20c631698e20384e3610"}, {"url": "https://git.kernel.org/stable/c/68cdf6710f228dfd74f66ec61fbe636da2646a73"}, {"url": "https://git.kernel.org/stable/c/2ff5baa9b5275e3acafdf7f2089f74cccb2f38d1"}], "title": "HID: appleir: Fix potential NULL dereference at raw event handle", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "0ACA7A2C-C4C2-4035-B2FD-0D544B71CC80", "versionEndExcluding": "5.4.291", "versionStartIncluding": "3.10", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "545121FA-DE31-4154-9446-C2000FB4104D", "versionEndExcluding": "5.10.235", "versionStartIncluding": "5.5", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "C708062C-4E1B-465F-AE6D-C09C46400875", "versionEndExcluding": "5.15.179", "versionStartIncluding": "5.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "BA9C2DE3-D37C-46C6-8DCD-2EE509456E0B", "versionEndExcluding": "6.1.131", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "7D9F642F-6E05-4926-B0FE-62F95B7266BC", "versionEndExcluding": "6.6.83", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "32865E5C-8AE1-4D3D-A64D-299039694A88", "versionEndExcluding": "6.12.19", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "842F5A44-3E71-4546-B4FD-43B0ACE3F32B", "versionEndExcluding": "6.13.7", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc1:*:*:*:*:*:*", "matchCriteriaId": "186716B6-2B66-4BD0-852E-D48E71C0C85F", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc2:*:*:*:*:*:*", "matchCriteriaId": "0D3E781C-403A-498F-9DA9-ECEE50F41E75", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc3:*:*:*:*:*:*", "matchCriteriaId": "66619FB8-0AAF-4166-B2CF-67B24143261D", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc4:*:*:*:*:*:*", "matchCriteriaId": "D3D6550E-6679-4560-902D-AF52DCFE905B", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc5:*:*:*:*:*:*", "matchCriteriaId": "45B90F6B-BEC7-4D4E-883A-9DBADE021750", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: appleir: Fix potential NULL dereference at raw event handle\n\nSyzkaller reports a NULL pointer dereference issue in input_event().\n\nBUG: KASAN: null-ptr-deref in instrument_atomic_read include/linux/instrumented.h:68 [inline]\nBUG: KASAN: null-ptr-deref in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]\nBUG: KASAN: null-ptr-deref in is_event_supported drivers/input/input.c:67 [inline]\nBUG: KASAN: null-ptr-deref in input_event+0x42/0xa0 drivers/input/input.c:395\nRead of size 8 at addr 0000000000000028 by task syz-executor199/2949\n\nCPU: 0 UID: 0 PID: 2949 Comm: syz-executor199 Not tainted 6.13.0-rc4-syzkaller-00076-gf097a36ef88d #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\nCall Trace:\n <IRQ>\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120\n kasan_report+0xd9/0x110 mm/kasan/report.c:602\n check_region_inline mm/kasan/generic.c:183 [inline]\n kasan_check_range+0xef/0x1a0 mm/kasan/generic.c:189\n instrument_atomic_read include/linux/instrumented.h:68 [inline]\n _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]\n is_event_supported drivers/input/input.c:67 [inline]\n input_event+0x42/0xa0 drivers/input/input.c:395\n input_report_key include/linux/input.h:439 [inline]\n key_down drivers/hid/hid-appleir.c:159 [inline]\n appleir_raw_event+0x3e5/0x5e0 drivers/hid/hid-appleir.c:232\n __hid_input_report.constprop.0+0x312/0x440 drivers/hid/hid-core.c:2111\n hid_ctrl+0x49f/0x550 drivers/hid/usbhid/hid-core.c:484\n __usb_hcd_giveback_urb+0x389/0x6e0 drivers/usb/core/hcd.c:1650\n usb_hcd_giveback_urb+0x396/0x450 drivers/usb/core/hcd.c:1734\n dummy_timer+0x17f7/0x3960 drivers/usb/gadget/udc/dummy_hcd.c:1993\n __run_hrtimer kernel/time/hrtimer.c:1739 [inline]\n __hrtimer_run_queues+0x20a/0xae0 kernel/time/hrtimer.c:1803\n hrtimer_run_softirq+0x17d/0x350 kernel/time/hrtimer.c:1820\n handle_softirqs+0x206/0x8d0 kernel/softirq.c:561\n __do_softirq kernel/softirq.c:595 [inline]\n invoke_softirq kernel/softirq.c:435 [inline]\n __irq_exit_rcu+0xfa/0x160 kernel/softirq.c:662\n irq_exit_rcu+0x9/0x30 kernel/softirq.c:678\n instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline]\n sysvec_apic_timer_interrupt+0x90/0xb0 arch/x86/kernel/apic/apic.c:1049\n </IRQ>\n <TASK>\n asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702\n __mod_timer+0x8f6/0xdc0 kernel/time/timer.c:1185\n add_timer+0x62/0x90 kernel/time/timer.c:1295\n schedule_timeout+0x11f/0x280 kernel/time/sleep_timeout.c:98\n usbhid_wait_io+0x1c7/0x380 drivers/hid/usbhid/hid-core.c:645\n usbhid_init_reports+0x19f/0x390 drivers/hid/usbhid/hid-core.c:784\n hiddev_ioctl+0x1133/0x15b0 drivers/hid/usbhid/hiddev.c:794\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:906 [inline]\n __se_sys_ioctl fs/ioctl.c:892 [inline]\n __x64_sys_ioctl+0x190/0x200 fs/ioctl.c:892\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n </TASK>\n\nThis happens due to the malformed report items sent by the emulated device\nwhich results in a report, that has no fields, being added to the report list.\nDue to this appleir_input_configured() is never called, hidinput_connect()\nfails which results in the HID_CLAIMED_INPUT flag is not being set. However,\nit does not make appleir_probe() fail and lets the event callback to be\ncalled without the associated input device.\n\nThus, add a check for the HID_CLAIMED_INPUT flag and leave the event hook\nearly if the driver didn't claim any input_dev for some reason. Moreover,\nsome other hid drivers accessing input_dev in their event callbacks do have\nsimilar checks, too.\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: HID: appleir: Se corrige una posible desreferencia de puntero NULL en el identificador de evento sin procesar Syzkaller informa un problema de desreferencia de puntero NULL en input_event(). ERROR: KASAN: null-ptr-deref en instrument_atomic_read include/linux/instrumented.h:68 [en l\u00ednea] ERROR: KASAN: null-ptr-deref en _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [en l\u00ednea] ERROR: KASAN: null-ptr-deref en is_event_supported drivers/input/input.c:67 [en l\u00ednea] ERROR: KASAN: null-ptr-deref en input_event+0x42/0xa0 drivers/input/input.c:395 Lectura de tama\u00f1o 8 en la direcci\u00f3n 0000000000000028 por la tarea syz-executor199/2949 CPU: 0 UID: 0 PID: 2949 Comm: syz-executor199 No contaminado 6.13.0-rc4-syzkaller-00076-gf097a36ef88d #0 Nombre del hardware: Google Google Compute Engine/Google Compute Engine, BIOS Google 13/09/2024 Rastreo de llamadas: __dump_stack lib/dump_stack.c:94 [en l\u00ednea] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 kasan_report+0xd9/0x110 mm/kasan/report.c:602 check_region_inline mm/kasan/generic.c:183 [en l\u00ednea] kasan_check_range+0xef/0x1a0 mm/kasan/generic.c:189 instrument_atomic_read include/linux/instrumented.h:68 [en l\u00ednea] _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [en l\u00ednea] es_evento_compatible drivers/input/input.c:67 [en l\u00ednea] evento_entrada+0x42/0xa0 drivers/input/input.c:395 clave_informe_entrada include/linux/input.h:439 [en l\u00ednea] tecla_abajo drivers/hid/hid-appleir.c:159 [en l\u00ednea] evento_sin_usar_appleir+0x3e5/0x5e0 drivers/hid/hid-appleir.c:232 __hid_input_report.constprop.0+0x312/0x440 drivers/hid/hid-core.c:2111 hid_ctrl+0x49f/0x550 drivers/hid/usbhid/hid-core.c:484 __usb_hcd_giveback_urb+0x389/0x6e0 controladores/usb/core/hcd.c:1650 usb_hcd_giveback_urb+0x396/0x450 controladores/usb/core/hcd.c:1734 temporizador ficticio+0x17f7/0x3960 controladores/usb/gadget/udc/dummy_hcd.c:1993 __run_hrtimer kernel/time/hrtimer.c:1739 [en l\u00ednea] __hrtimer_run_queues+0x20a/0xae0 kernel/time/hrtimer.c:1803 hrtimer_run_softirq+0x17d/0x350 kernel/time/hrtimer.c:1820 handle_softirqs+0x206/0x8d0 kernel/softirq.c:561 __do_softirq kernel/softirq.c:595 [en l\u00ednea] invocar_softirq kernel/softirq.c:435 [en l\u00ednea] __irq_exit_rcu+0xfa/0x160 kernel/softirq.c:662 irq_exit_rcu+0x9/0x30 kernel/softirq.c:678 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [en l\u00ednea] sysvec_apic_timer_interrupt+0x90/0xb0 arch/x86/kernel/apic/apic.c:1049 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702 __mod_timer+0x8f6/0xdc0 kernel/time/timer.c:1185 add_timer+0x62/0x90 kernel/time/timer.c:1295 schedule_timeout+0x11f/0x280 kernel/time/sleep_timeout.c:98 usbhid_wait_io+0x1c7/0x380 drivers/hid/usbhid/hid-core.c:645 usbhid_init_reports+0x19f/0x390 drivers/hid/usbhid/hid-core.c:784 hiddev_ioctl+0x1133/0x15b0 drivers/hid/usbhid/hiddev.c:794 vfs_ioctl fs/ioctl.c:51 [en l\u00ednea] Esto sucede debido a los elementos de informe mal formados enviados por el dispositivo emulado, lo que da como resultado que se agregue a la lista de informes un informe que no tiene campos. Debido a que appleir_input_configured() nunca se llama, hidinput_connect() falla, lo que provoca que no se configure el indicador HID_CLAIMED_INPUT. Sin embargo, esto no provoca el fallo de appleir_probe() y permite que la devoluci\u00f3n de llamada del evento se llame sin el dispositivo de entrada asociado. Por lo tanto, se debe a\u00f1adir una comprobaci\u00f3n para el indicador HID_CLAIMED_INPUT y abandonar el gancho de evento antes de tiempo si el controlador no solicit\u00f3 ning\u00fan input_dev por alguna raz\u00f3n. Adem\u00e1s, otros controladores HID que acceden a input_dev en sus devoluciones de llamada de evento tambi\u00e9n tienen comprobaciones similares. Encontrado por el Centro de Verificaci\u00f3n de Linux (linuxtesting.org) con Syzkaller."}], "id": "CVE-2025-21948", "lastModified": "2025-04-11T13:11:16.000", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-04-01T16:15:25.933", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/0df1ac8ee417ad76760ff076faa4518a4d861894"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/2ff5baa9b5275e3acafdf7f2089f74cccb2f38d1"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/68cdf6710f228dfd74f66ec61fbe636da2646a73"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/6db423b00940b05df2a1265d3c7eabafe9f1734c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/8d39eb8c5e14f2f0f441eed832ef8a7b654e6fee"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/b1d95d733cd6e74f595653daddcfc357bea461e8"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/d335fce8b88b2353f4bb20c631698e20384e3610"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/fc69e2c3219d433caabba4b5d6371ba726a4b37f"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-476"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: HID: appleir: Fix potential NULL dereference at raw event handle", "id": "2356588", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2356588"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-476", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nHID: appleir: Fix potential NULL dereference at raw event handle\nSyzkaller reports a NULL pointer dereference issue in input_event().\nBUG: KASAN: null-ptr-deref in instrument_atomic_read include/linux/instrumented.h:68 [inline]\nBUG: KASAN: null-ptr-deref in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]\nBUG: KASAN: null-ptr-deref in is_event_supported drivers/input/input.c:67 [inline]\nBUG: KASAN: null-ptr-deref in input_event+0x42/0xa0 drivers/input/input.c:395\nRead of size 8 at addr 0000000000000028 by task syz-executor199/2949\nCPU: 0 UID: 0 PID: 2949 Comm: syz-executor199 Not tainted 6.13.0-rc4-syzkaller-00076-gf097a36ef88d #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\nCall Trace:\n<IRQ>\n__dump_stack lib/dump_stack.c:94 [inline]\ndump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120\nkasan_report+0xd9/0x110 mm/kasan/report.c:602\ncheck_region_inline mm/kasan/generic.c:183 [inline]\nkasan_check_range+0xef/0x1a0 mm/kasan/generic.c:189\ninstrument_atomic_read include/linux/instrumented.h:68 [inline]\n_test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]\nis_event_supported drivers/input/input.c:67 [inline]\ninput_event+0x42/0xa0 drivers/input/input.c:395\ninput_report_key include/linux/input.h:439 [inline]\nkey_down drivers/hid/hid-appleir.c:159 [inline]\nappleir_raw_event+0x3e5/0x5e0 drivers/hid/hid-appleir.c:232\n__hid_input_report.constprop.0+0x312/0x440 drivers/hid/hid-core.c:2111\nhid_ctrl+0x49f/0x550 drivers/hid/usbhid/hid-core.c:484\n__usb_hcd_giveback_urb+0x389/0x6e0 drivers/usb/core/hcd.c:1650\nusb_hcd_giveback_urb+0x396/0x450 drivers/usb/core/hcd.c:1734\ndummy_timer+0x17f7/0x3960 drivers/usb/gadget/udc/dummy_hcd.c:1993\n__run_hrtimer kernel/time/hrtimer.c:1739 [inline]\n__hrtimer_run_queues+0x20a/0xae0 kernel/time/hrtimer.c:1803\nhrtimer_run_softirq+0x17d/0x350 kernel/time/hrtimer.c:1820\nhandle_softirqs+0x206/0x8d0 kernel/softirq.c:561\n__do_softirq kernel/softirq.c:595 [inline]\ninvoke_softirq kernel/softirq.c:435 [inline]\n__irq_exit_rcu+0xfa/0x160 kernel/softirq.c:662\nirq_exit_rcu+0x9/0x30 kernel/softirq.c:678\ninstr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline]\nsysvec_apic_timer_interrupt+0x90/0xb0 arch/x86/kernel/apic/apic.c:1049\n</IRQ>\n<TASK>\nasm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702\n__mod_timer+0x8f6/0xdc0 kernel/time/timer.c:1185\nadd_timer+0x62/0x90 kernel/time/timer.c:1295\nschedule_timeout+0x11f/0x280 kernel/time/sleep_timeout.c:98\nusbhid_wait_io+0x1c7/0x380 drivers/hid/usbhid/hid-core.c:645\nusbhid_init_reports+0x19f/0x390 drivers/hid/usbhid/hid-core.c:784\nhiddev_ioctl+0x1133/0x15b0 drivers/hid/usbhid/hiddev.c:794\nvfs_ioctl fs/ioctl.c:51 [inline]\n__do_sys_ioctl fs/ioctl.c:906 [inline]\n__se_sys_ioctl fs/ioctl.c:892 [inline]\n__x64_sys_ioctl+0x190/0x200 fs/ioctl.c:892\ndo_syscall_x64 arch/x86/entry/common.c:52 [inline]\ndo_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83\nentry_SYSCALL_64_after_hwframe+0x77/0x7f\n</TASK>\nThis happens due to the malformed report items sent by the emulated device\nwhich results in a report, that has no fields, being added to the report list.\nDue to this appleir_input_configured() is never called, hidinput_connect()\nfails which results in the HID_CLAIMED_INPUT flag is not being set. However,\nit does not make appleir_probe() fail and lets the event callback to be\ncalled without the associated input device.\nThus, add a check for the HID_CLAIMED_INPUT flag and leave the event hook\nearly if the driver didn't claim any input_dev for some reason. Moreover,\nsome other hid drivers accessing input_dev in their event callbacks do have\nsimilar checks, too.\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller."], "name": "CVE-2025-21948", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-04-01T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-21948\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-21948\nhttps://lore.kernel.org/linux-cve-announce/2025040136-CVE-2025-21948-cbbb@gregkh/T"], "threat_severity": "Moderate"}

{}