A bug exists in drivers/hid/hid-logitech-dj.c that can result in a kfree of an arbitrary pointer. The logi_dj_recv_destroy_djhid_device function fails to bounds-check the device_index supplied in the device-controlled “struct dj_report”. This leads to an out-of-bounds array access, since djrcv_dev->paired_dj_devices has 7 elements and device_index is a character type (i.e. it can index up to 255).
We consider this a security bug in the context of an attacker who gains short-term physical access to a running device with the goal of turning this into long-term remote access. We have confirmed that this issue is triggerable in practice by modifying QEMU’s “dev-hid.c” to exhibit a malformed REPORT_TYPE_NOTIF_DEVICE_UNPAIRED report type.
I’ve attached a non-tested patch that attempts to address the issue, and also variants in logi_dj_recv_forward_null_report and logi_dj_recv_forward_report. The idea is to move the device_id bounds check to the earliest possible point in logi_dj_raw_event.
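As an added illustration (not the attached patch and not the driver's own code), the following user-space C model shows the fix strategy the report describes: validate device_index once at the entry point, before any handler indexes paired_dj_devices or reaches kfree. The struct layout, the 1..6 valid range, and the 0x40 report-type value are assumptions made for this model.

```c
/* Added example: user-space model of the missing device_index check.
 * Layout, constants and the valid range are assumptions, not driver code. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

#define DJ_MAX_PAIRED_DEVICES_WITH_RECEIVER 7   /* 7 slots, as the report states */
#define DJ_DEVICE_INDEX_MIN 1                   /* assumed: slot 0 is the receiver */
#define DJ_DEVICE_INDEX_MAX 6
#define REPORT_TYPE_NOTIF_DEVICE_UNPAIRED 0x40  /* assumed value */

struct dj_report {
    uint8_t report_id;
    uint8_t device_index;      /* device-controlled: any value 0..255 */
    uint8_t report_type;
    uint8_t report_params[12];
};

struct dj_device { int id; };

struct dj_receiver_dev {
    struct dj_device *paired_dj_devices[DJ_MAX_PAIRED_DEVICES_WITH_RECEIVER];
};

/* Populate the paired-device slots so the model has something to free. */
void dj_receiver_init(struct dj_receiver_dev *rcv)
{
    memset(rcv, 0, sizeof(*rcv));
    for (int i = DJ_DEVICE_INDEX_MIN; i <= DJ_DEVICE_INDEX_MAX; i++) {
        rcv->paired_dj_devices[i] = malloc(sizeof(struct dj_device));
        rcv->paired_dj_devices[i]->id = i;
    }
}

/* The check that was missing: is the index a real paired-device slot? */
int dj_index_in_range(uint8_t device_index)
{
    return device_index >= DJ_DEVICE_INDEX_MIN && device_index <= DJ_DEVICE_INDEX_MAX;
}

/* Model of logi_dj_raw_event with the bounds check at the earliest point.
 * Returns 0 when handled, -EINVAL when the report is rejected untouched. */
int dj_raw_event_model(struct dj_receiver_dev *rcv, const uint8_t *data, size_t len)
{
    struct dj_report r;
    if (len < sizeof(r))
        return -EINVAL;
    memcpy(&r, data, sizeof(r));
    if (!dj_index_in_range(r.device_index))
        return -EINVAL;        /* previously fell through to the out-of-bounds free */
    if (r.report_type == REPORT_TYPE_NOTIF_DEVICE_UNPAIRED) {
        free(rcv->paired_dj_devices[r.device_index]);   /* models kfree in destroy */
        rcv->paired_dj_devices[r.device_index] = NULL;
    }
    return 0;
}
```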
This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.
Attachment: logitech-dj-device-index-fix.patch (1.2 KB)