In the Linux kernel, the following vulnerability has been resolved:
HID: appletb-kbd: fix memory corruption of input_handler_list
In appletb_kbd_probe an input handler is initialised and then registered with input core through input_register_handler(). When this happens input core will add the input handler (specifically its node) to the global input_handler_list. The input_handler_list is central to the functionality of input core and is traversed in various places in input core. An example of this is when a new input device is plugged in and gets registered with input core.
The input_handler in probe is allocated as device managed memory. If a probe failure occurs after input_register_handler() the input_handler memory is freed, yet it will remain in the input_handler_list. This effectively means the input_handler_list contains a dangling pointer to data belonging to a freed input handler.
This causes an issue when any other input device is plugged in - in my case I had an old PixArt HP USB optical mouse and I decided to plug it in after a failure occurred after input_register_handler(). This led to the registration of this input device via input_register_device(), which involves traversing over every handler in the corrupted input_handler_list and calling input_attach_handler(), giving each handler a chance to bind to the newly registered device.
The core of this bug is a UAF which causes memory corruption of input_handler_list, and to fix it we must ensure the input handler is unregistered from input core; this is done through input_unregister_handler().
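The ordering the paragraphs above describe, as an added userland model in C that is not the kernel's, the driver's or this record's code: a global handler registry, a probe that registers into it and then fails late, and the walk over the registry that the next device to arrive triggers. The device-managed free is modelled by a flag rather than a real free() so the walk stays defined behaviour instead of an actual use-after-free; every model_* name is constructed for this example and is not a kernel function.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Userland model of the ordering bug: a global handler registry, a driver
 * that registers into it during probe, and device-managed memory that goes
 * away when probe fails. Constructed for illustration; the "model_" prefix
 * marks that none of this is the kernel's own input core. */

struct model_handler {
    struct model_handler *next; /* stands in for the handler's list node */
    bool freed;                 /* set where devm would have freed it */
};

/* Plays the role of the global input_handler_list. */
static struct model_handler *model_handler_list;

static void model_register_handler(struct model_handler *h)
{
    h->next = model_handler_list;
    model_handler_list = h;
}

/* Unlink h; returns 0 on success, -1 if h was not registered. */
static int model_unregister_handler(struct model_handler *h)
{
    struct model_handler **pp;
    for (pp = &model_handler_list; *pp; pp = &(*pp)->next) {
        if (*pp == h) {
            *pp = h->next;
            h->next = NULL;
            return 0;
        }
    }
    return -1;
}

/* What input core does for each newly registered device: offer it to every
 * handler. Returns the number of live handlers visited, or -1 on the first
 * freed one, which in the kernel is the read KASAN reported. */
static int model_attach_all(void)
{
    struct model_handler *h;
    int visited = 0;
    for (h = model_handler_list; h; h = h->next) {
        if (h->freed)
            return -1;
        visited++;
    }
    return visited;
}

/* Probe before the fix: a late failure returns the error and devm frees the
 * handler (modelled by the flag) while the registry still points at it. */
static int model_probe_buggy(struct model_handler *h, bool later_step_fails)
{
    model_register_handler(h);
    if (later_step_fails) {
        h->freed = true;
        return -1;
    }
    return 0;
}

/* Probe with the fix: the error path unregisters the handler before the
 * device-managed memory is released, so nothing dangles. */
static int model_probe_fixed(struct model_handler *h, bool later_step_fails)
{
    model_register_handler(h);
    if (later_step_fails) {
        model_unregister_handler(h);
        h->freed = true;
        return -1;
    }
    return 0;
}

/* One scenario from a clean registry: probe the keyboard driver, then plug
 * in another device and walk the registry as input core would. */
int model_scenario(bool use_fixed_probe, bool later_step_fails)
{
    static struct model_handler kbd; /* static storage: never freed for real */
    kbd.next = NULL;
    kbd.freed = false;
    model_handler_list = NULL;

    if (use_fixed_probe)
        model_probe_fixed(&kbd, later_step_fails);
    else
        model_probe_buggy(&kbd, later_step_fails);

    return model_attach_all();
}

int main(void)
{
    printf("buggy probe, late failure: %d (-1 = freed handler reached)\n", model_scenario(false, true));
    printf("fixed probe, late failure: %d handlers visited\n", model_scenario(true, true));
    printf("fixed probe, success:      %d handlers visited\n", model_scenario(true, false));
    return 0;
}
```

The model generalises the record's point: any registration into a structure that outlives the probe call (here the handler list; the same holds for other global registries) needs its matching unregistration on every error path, ordered before device-managed cleanup runs. In the kernel that matching call is input_unregister_handler(), and KASAN's slab-use-after-free report on the list walk is what surfaces the ordering mistake when it is missed.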
[ 63.191597] ==================================================================
[ 63.192094] BUG: KASAN: slab-use-after-free in input_attach_handler.isra.0+0x1a9/0x1e0
[ 63.192094] Read of size 8 at addr ffff888105ea7c80 by task kworker/0:2/54
[ 63.192094]
[ 63.192094] CPU: 0 UID: 0 PID: 54 Comm: kworker/0:2 Not tainted 6.16.0-rc2-00321-g2aa6621d
[ 63.192094] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.164
[ 63.192094] Workqueue: usb_hub_wq hub_event
[ 63.192094] Call Trace:
[ 63.192094]  <TASK>
[ 63.192094]  dump_stack_lvl+0x53/0x70
[ 63.192094]  print_report+0xce/0x670
[ 63.192094]  kasan_report+0xce/0x100
[ 63.192094]  input_attach_handler.isra.0+0x1a9/0x1e0
[ 63.192094]  input_register_device+0x76c/0xd00
[ 63.192094]  hidinput_connect+0x686d/0xad60
[ 63.192094]  hid_connect+0xf20/0x1b10
[ 63.192094]  hid_hw_start+0x83/0x100
[ 63.192094]  hid_device_probe+0x2d1/0x680
[ 63.192094]  really_probe+0x1c3/0x690
[ 63.192094]  __driver_probe_device+0x247/0x300
[ 63.192094]  driver_probe_device+0x49/0x210
[ 63.192094]  __device_attach_driver+0x160/0x320
[ 63.192094]  bus_for_each_drv+0x10f/0x190
[ 63.192094]  __device_attach+0x18e/0x370
[ 63.192094]  bus_probe_device+0x123/0x170
[ 63.192094]  device_add+0xd4d/0x1460
[ 63.192094]  hid_add_device+0x30b/0x910
[ 63.192094]  usbhid_probe+0x920/0xe00
[ 63.192094]  usb_probe_interface+0x363/0x9a0
[ 63.192094]  really_probe+0x1c3/0x690
[ 63.192094]  __driver_probe_device+0x247/0x300
[ 63.192094]  driver_probe_device+0x49/0x210
[ 63.192094]  __device_attach_driver+0x160/0x320
[ 63.192094]  bus_for_each_drv+0x10f/0x190
[ 63.192094]  __device_attach+0x18e/0x370
[ 63.192094]  bus_probe_device+0x123/0x170
[ 63.192094]  device_add+0xd4d/0x1460
[ 63.192094]  usb_set_configuration+0xd14/0x1880
[ 63.192094]  usb_generic_driver_probe+0x78/0xb0
[ 63.192094]  usb_probe_device+0xaa/0x2e0
[ 63.192094]  really_probe+0x1c3/0x690
[ 63.192094]  __driver_probe_device+0x247/0x300
[ 63.192094]  driver_probe_device+0x49/0x210
[ 63.192094]  __device_attach_driver+0x160/0x320
[ 63.192094]  bus_for_each_drv+0x10f/0x190
[ 63.192094]  __device_attach+0x18e/0x370
[ 63.192094]  bus_probe_device+0x123/0x170
[ 63.192094]  device_add+0xd4d/0x1460
[ 63.192094]  usb_new_device+0x7b4/0x1000
[ 63.192094]  hub_event+0x234d/0x3 ---truncated---
{
"cna_assigner": "Linux",
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38394.json"
}