Commit 6f0a605

1 parent 3cf4e5b commit 6f0a605

3 files changed

+695
-1
lines changed

CVE-2025-38494/README.md

Lines changed: 23 additions & 0 deletions
@@ -0,0 +1,23 @@
1+
CVE-2025-38494/CVE-2025-38495
2+
=============================
3+
4+
This is a trigger for the integer underflow bug in the HID core subsystem ([CVE-2025-38494](https://lore.kernel.org/linux-cve-announce/2025072818-CVE-2025-38494-63e4@gregkh/) and [CVE-2025-38495](https://lore.kernel.org/linux-cve-announce/2025072818-CVE-2025-38495-3b28@gregkh/)).
5+
6+
Allows leaking up to ~64 KB of data starting from a `kzalloc(7, GFP_KERNEL)` allocation over the USB connection by emulating a malicious USB device.
7+
(And it's possible that other code paths within the HID subsystem might lead to more severe memory corruptions, e.g. out-of-bounds writes).
8+
9+
Running the trigger requires setting up [Raw Gadget](https://github.com/xairy/raw-gadget) (with a [fix](https://lore.kernel.org/linux-usb/a6024e8eab679043e9b8a5defdb41c4bda62f02b.1757016152.git.andreyknvl@gmail.com/) applied).
10+
11+
The bug was found and reported by syzbot:
12+
13+
- [KASAN: slab-out-of-bounds Read in mon_copy_to_buff](https://syzkaller.appspot.com/bug?extid=8258d5439c49d4c35f43)
14+
- [KMSAN: kernel-usb-infoleak in usbhid_raw_request](https://syzkaller.appspot.com/bug?extid=fbe9fff1374eefadffb9)
15+
- [KMSAN: kernel-usb-infoleak-after-free in usb_start_wait_urb](https://syzkaller.appspot.com/bug?extid=27fe438b6370f95de4a5)
16+
17+
The bug was fixed by:
18+
19+
- [HID: core: ensure the allocated report buffer can contain the reserved report ID](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4f15ee98304b96e164ff2340e1dfd6181c3f42aa)
20+
- [HID: core: ensure __hid_request reserves the report ID as the first byte](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0d0777ccaa2d46609d05b66ba0096802a2746193)
21+
- [HID: core: do not bypass hid_hw_raw_request](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c2ca42f190b6714d6c481dfd3d9b62ea091c946b)
22+
23+
Also see the related [discussion](https://lore.kernel.org/linux-input/[email protected]/).
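Review bot: the README never names the other two files this commit adds (the summary says 3 files changed, but only the README is shown here) and gives no build or run instructions, so a reader cannot tell which file is the trigger, how to compile it, or which kernel versions it was tested against. Suggest adding a short "Building and running" section that lists the trigger source file, the build command, and the kernel version range on which the leak reproduces (and the fixed version from the three listed commits, so users can verify whether their kernel is affected). The Raw Gadget "fix" link would also benefit from a few words stating what that fix changes, since "with a fix applied" alone does not tell the reader whether an unpatched Raw Gadget fails silently or simply does not reproduce the bug.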
