{"id":"CVE-2025-38557","summary":"HID: apple: validate feature-report field count to prevent NULL pointer dereference","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nHID: apple: validate feature-report field count to prevent NULL pointer dereference\n\nA malicious HID device with quirk APPLE_MAGIC_BACKLIGHT can trigger a NULL\npointer dereference whilst the power feature-report is toggled and sent to\nthe device in apple_magic_backlight_report_set(). The power feature-report\nis expected to have two data fields, but if the descriptor declares one\nfield then accessing field[1] and dereferencing it in\napple_magic_backlight_report_set() becomes invalid\nsince field[1] will be NULL.\n\nAn example of a minimal descriptor which can cause the crash is something\nlike the following where the report with ID 3 (power report) only\nreferences a single 1-byte field. When hid core parses the descriptor it\nwill encounter the final feature tag, allocate a hid_report (all members\nof field[] will be zeroed out), create field structure and populate it,\nincreasing the maxfield to 1. The subsequent field[1] access and\ndereference causes the crash.\n\n  Usage Page (Vendor Defined 0xFF00)\n  Usage (0x0F)\n  Collection (Application)\n    Report ID (1)\n    Usage (0x01)\n    Logical Minimum (0)\n    Logical Maximum (255)\n    Report Size (8)\n    Report Count (1)\n    Feature (Data,Var,Abs)\n\n    Usage (0x02)\n    Logical Maximum (32767)\n    Report Size (16)\n    Report Count (1)\n    Feature (Data,Var,Abs)\n\n    Report ID (3)\n    Usage (0x03)\n    Logical Minimum (0)\n    Logical Maximum (1)\n    Report Size (8)\n    Report Count (1)\n    Feature (Data,Var,Abs)\n  End Collection\n\nHere we see the KASAN splat when the kernel dereferences the\nNULL pointer and crashes:\n\n  [   15.164723] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] SMP KASAN NOPTI\n  [   15.165691] KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]\n  [   15.165691] CPU: 0 UID: 0 PID: 10 Comm: kworker/0:1 Not tainted 6.15.0 #31 PREEMPT(voluntary)\n  [   15.165691] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\n  [   15.165691] RIP: 0010:apple_magic_backlight_report_set+0xbf/0x210\n  [   15.165691] Call Trace:\n  [   15.165691]  \u003cTASK\u003e\n  [   15.165691]  apple_probe+0x571/0xa20\n  [   15.165691]  hid_device_probe+0x2e2/0x6f0\n  [   15.165691]  really_probe+0x1ca/0x5c0\n  [   15.165691]  __driver_probe_device+0x24f/0x310\n  [   15.165691]  driver_probe_device+0x4a/0xd0\n  [   15.165691]  __device_attach_driver+0x169/0x220\n  [   15.165691]  bus_for_each_drv+0x118/0x1b0\n  [   15.165691]  __device_attach+0x1d5/0x380\n  [   15.165691]  device_initial_probe+0x12/0x20\n  [   15.165691]  bus_probe_device+0x13d/0x180\n  [   15.165691]  device_add+0xd87/0x1510\n  [...]\n\nTo fix this issue we should validate the number of fields that the\nbacklight and power reports have and if they do not have the required\nnumber of fields then bail.","modified":"2026-03-20T12:42:55.251455Z","published":"2025-08-19T17:02:35.641Z","related":["SUSE-SU-2025:21074-1","SUSE-SU-2025:21139-1","SUSE-SU-2025:21179-1","openSUSE-SU-2025:20081-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38557.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/00896c3f41cb6b74fec853386076115ba50baf0a"},{"type":"WEB","url":"https://git.kernel.org/stable/c/1bb3363da862e0464ec050eea2fb5472a36ad86b"},{"type":"WEB","url":"https://git.kernel.org/stable/c/7e15d1eaa88179c5185e57a38ab05fe852d0cb8d"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ba08cc6801ec5fb98f2d02b5f0c614c931845325"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38557.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-38557"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"394ba612f9419ec5bfebbffb72212fd3b2094986"},{"fixed":"ba08cc6801ec5fb98f2d02b5f0c614c931845325"},{"fixed":"7e15d1eaa88179c5185e57a38ab05fe852d0cb8d"},{"fixed":"00896c3f41cb6b74fec853386076115ba50baf0a"},{"fixed":"1bb3363da862e0464ec050eea2fb5472a36ad86b"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38557.json"}}],"schema_version":"1.7.5"}