CVE-2025-38016

{"id": "CVE-2025-38016", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2025-06-18T10:15:33.187", "references": [{"url": "https://git.kernel.org/stable/c/578e1b96fad7402ff7e9c7648c8f1ad0225147c8", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e4b4fe25a4101d1ddb5884f40e149a3618983b66", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/f8544be7e8e55b0ef23e1ab90e23e8d4d4aad3d3", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: bpf: abort dispatch if device destroyed\n\nThe current HID bpf implementation assumes no output report/request will\ngo through it after hid_bpf_destroy_device() has been called. This leads\nto a bug that unplugging certain types of HID devices causes a cleaned-\nup SRCU to be accessed. The bug was previously a hidden failure until a\nrecent x86 percpu change [1] made it access not-present pages.\n\nThe bug will be triggered if the conditions below are met:\n\nA) a device under the driver has some LEDs on\nB) hid_ll_driver->request() is uninplemented (e.g., logitech-djreceiver)\n\nIf condition A is met, hidinput_led_worker() is always scheduled *after*\nhid_bpf_destroy_device().\n\nhid_destroy_device\n` hid_bpf_destroy_device\n ` cleanup_srcu_struct(&hdev->bpf.srcu)\n` hid_remove_device\n ` ...\n ` led_classdev_unregister\n ` led_trigger_set(led_cdev, NULL)\n ` led_set_brightness(led_cdev, LED_OFF)\n ` ...\n ` input_inject_event\n ` input_event_dispose\n ` hidinput_input_event\n ` schedule_work(&hid->led_work) [hidinput_led_worker]\n\nThis is fine when condition B is not met, where hidinput_led_worker()\ncalls hid_ll_driver->request(). This is the case for most HID drivers,\nwhich implement it or use the generic one from usbhid. The driver itself\nor an underlying driver will then abort processing the request.\n\nOtherwise, hidinput_led_worker() tries hid_hw_output_report() and leads\nto the bug.\n\nhidinput_led_worker\n` hid_hw_output_report\n ` dispatch_hid_bpf_output_report\n ` srcu_read_lock(&hdev->bpf.srcu)\n ` srcu_read_unlock(&hdev->bpf.srcu, idx)\n\nThe bug has existed since the introduction [2] of\ndispatch_hid_bpf_output_report(). However, the same bug also exists in\ndispatch_hid_bpf_raw_requests(), and I've reproduced (no visible effect\nbecause of the lack of [1], but confirmed bpf.destroyed == 1) the bug\nagainst the commit (i.e., the Fixes:) introducing the function. This is\nbecause hidinput_led_worker() falls back to hid_hw_raw_request() when\nhid_ll_driver->output_report() is uninplemented (e.g., logitech-\ndjreceiver).\n\nhidinput_led_worker\n` hid_hw_output_report: -ENOSYS\n` hid_hw_raw_request\n ` dispatch_hid_bpf_raw_requests\n ` srcu_read_lock(&hdev->bpf.srcu)\n ` srcu_read_unlock(&hdev->bpf.srcu, idx)\n\nFix the issue by returning early in the two mentioned functions if\nhid_bpf has been marked as destroyed. Though\ndispatch_hid_bpf_device_event() handles input events, and there is no\nevidence that it may be called after the destruction, the same check, as\na safety net, is also added to it to maintain the consistency among all\ndispatch functions.\n\nThe impact of the bug on other architectures is unclear. Even if it acts\nas a hidden failure, this is still dangerous because it corrupts\nwhatever is on the address calculated by SRCU. Thus, CC'ing the stable\nlist.\n\n[1]: commit 9d7de2aa8b41 (\"x86/percpu/64: Use relative percpu offsets\")\n[2]: commit 9286675a2aed (\"HID: bpf: add HID-BPF hooks for\nhid_hw_output_report\")"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: HID: bpf: abortar env\u00edo si dispositivo destruido La implementaci\u00f3n actual de HID bpf asume que no pasar\u00e1 por ella ning\u00fan informe/solicitud de salida despu\u00e9s de que se haya llamado a hid_bpf_destroy_device(). Esto lleva a un error que al desconectar ciertos tipos de dispositivos HID hace que se acceda a una SRCU limpiada. El error era anteriormente un fallo oculto hasta que un cambio reciente de x86 por CPU [1] hizo que accediera a p\u00e1ginas no presentes. El error se activar\u00e1 si se cumplen las siguientes condiciones: A) un dispositivo bajo el controlador tiene algunos LED encendidos B) hid_ll_driver->request() no est\u00e1 implementado (por ejemplo, logitech-djreceiver) Si se cumple la condici\u00f3n A, hidinput_led_worker() siempre se programa *despu\u00e9s* de hid_bpf_destroy_device(). hid_destroy_device ` hid_bpf_destroy_device ` cleanup_srcu_struct(&hdev->bpf.srcu) ` hid_remove_device ` ... ` led_classdev_unregister ` led_trigger_set(led_cdev, NULL) ` led_set_brightness(led_cdev, LED_OFF) ` ... ` input_inject_event ` input_event_dispose ` hidinput_input_event ` schedule_work(&hid->led_work) [hidinput_led_worker] Esto funciona correctamente cuando no se cumple la condici\u00f3n B, en cuyo caso hidinput_led_worker() invoca hid_ll_driver->request(). Este es el caso de la mayor\u00eda de los controladores HID, que lo implementan o utilizan el gen\u00e9rico de usbhid. El propio controlador o uno subyacente abortar\u00e1 el procesamiento de la solicitud. De lo contrario, hidinput_led_worker() intenta hid_hw_output_report() y genera el error. hidinput_led_worker ` hid_hw_output_report ` dispatch_hid_bpf_output_report ` srcu_read_lock(&hdev->bpf.srcu) ` srcu_read_unlock(&hdev->bpf.srcu, idx) El error existe desde la introducci\u00f3n [2] de dispatch_hid_bpf_output_report(). Sin embargo, el mismo error tambi\u00e9n existe en dispatch_hid_bpf_raw_requests(), y he reproducido (sin efecto visible debido a la falta de [1], pero confirmado bpf.destroyed == 1) el error contra el commit (es decir, las correcciones:) que introduce la funci\u00f3n. Esto se debe a que hidinput_led_worker() recurre a hid_hw_raw_request() cuando hid_ll_driver->output_report() no est\u00e1 implementado (p. ej., logitech- djreceiver). hidinput_led_worker ` hid_hw_output_report: -ENOSYS ` hid_hw_raw_request ` dispatch_hid_bpf_raw_requests ` srcu_read_lock(&hdev->bpf.srcu) ` srcu_read_unlock(&hdev->bpf.srcu, idx) Corrija el problema retornando antes en las dos funciones mencionadas si hid_bpf se marc\u00f3 como destruido. Aunque dispatch_hid_bpf_device_event() maneja eventos de entrada y no hay evidencia de que pueda llamarse despu\u00e9s de la destrucci\u00f3n, tambi\u00e9n se le agrega la misma verificaci\u00f3n, como red de seguridad, para mantener la consistencia entre todas las funciones de despacho. El impacto del error en otras arquitecturas no est\u00e1 claro. Incluso si se trata de un fallo oculto, sigue siendo peligroso, ya que corrompe la direcci\u00f3n calculada por SRCU. Por lo tanto, se copia la lista estable. [1]: commit 9d7de2aa8b41 (\"x86/percpu/64: Usar desplazamientos relativos por CPU\") [2]: commit 9286675a2aed (\"HID: bpf: a\u00f1adir enlaces HID-BPF para hid_hw_output_report\")"}], "lastModified": "2025-11-14T19:01:52.550", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CEEB91F5-5666-44F0-8A8B-BE0EC6094446", "versionEndExcluding": "6.12.30", "versionStartIncluding": "6.11"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D4458049-AD51-4F1B-BAB9-C32B53A54DE1", "versionEndExcluding": "6.14.8", "versionStartIncluding": "6.13"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.15:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8D465631-2980-487A-8E65-40AE2B9F8ED1"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.15:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4C9D071F-B28E-46EC-AC61-22B913390211"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.15:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "13FC0DDE-E513-465E-9E81-515702D49B74"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.15:rc4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8C7B5B0E-4EEB-48F5-B4CF-0935A7633845"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.15:rc5:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2D240580-3048-49B2-9E27-F115A9DF8224"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.15:rc6:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "90320558-E553-4EF5-8A0B-0F5D20113BD2"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}