Linux Kernel NULL Pointer Dereference Vulnerability in HID Apple Component

Vulnerability

A NULL pointer dereference vulnerability has been identified in the Linux kernel's HID Apple component. The issue arises when the driver sends the power feature report to a device carrying the APPLE_MAGIC_BACKLIGHT quirk. The driver expects that report to contain two data fields, but if the device's report descriptor declares only one, the second entry (field[1]) is NULL, and the 'apple_magic_backlight_report_set' function dereferences it without checking, crashing the kernel. A malicious HID device can trigger the bug simply by presenting a feature report whose field count differs from what the driver assumes.

Impact

Exploitation of this vulnerability causes a general protection fault and a kernel crash (denial of service). The Kernel Address Sanitizer (KASAN) reports the fault as a null pointer dereference, indicating that the kernel attempted to access memory at an invalid address.

Reproduction

To reproduce this vulnerability, a HID device matching the APPLE_MAGIC_BACKLIGHT quirk is required. The device is configured to present a power feature report (Report ID 3) that contains only a single 1-byte field. When the driver sends this report to the device, the kernel dereferences the NULL field pointer and crashes. The crash can be observed in a QEMU environment running a vulnerable Linux kernel version.

Remediation

The vulnerability has been addressed in the Linux kernel. Users should upgrade to a kernel release that includes the fix.
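The defensive pattern behind the fix is to validate the report's field count before touching field[1]. The following C program is an added illustration written for this page, not the kernel's own code: it uses cut-down stand-ins for the kernel's struct hid_report and struct hid_field (only the maxfield, field and value members, which do exist in the kernel, are modelled), shows the unchecked write that crashes on a one-field report beside a checked variant that rejects such a report, and builds constructed one-field and two-field reports to exercise both. The function names, the -1 error return and the fixture are assumptions for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Minimal stand-ins for the kernel's struct hid_field and struct hid_report.
 * Constructed for this example: only the members needed here are modelled. */
struct hid_field {
    int32_t *value;             /* value[0]: current value of the field's first usage */
};

struct hid_report {
    unsigned int maxfield;      /* number of fields the report descriptor declared */
    struct hid_field *field[2]; /* slots beyond maxfield are left NULL */
};

/* Shape of the bug described on this page (illustrative, not the kernel's
 * code): the driver assumes the power report has two fields and writes
 * field[1] without checking. With a one-field report, field[1] is NULL and
 * this dereference is the crash. Only call it with a validated report. */
void magic_backlight_report_set_unchecked(struct hid_report *report,
                                          int32_t value, int32_t rate)
{
    report->field[0]->value[0] = value;
    report->field[1]->value[0] = rate;
}

/* Hardened form: reject any report that does not carry the two fields the
 * driver expects. Returns 0 on success and -1 for a malformed report.
 * Nothing is dereferenced until maxfield and both field pointers are checked. */
int magic_backlight_report_set_checked(struct hid_report *report,
                                       int32_t value, int32_t rate)
{
    if (!report || report->maxfield < 2 ||
        !report->field[0] || !report->field[1])
        return -1;              /* descriptor declared fewer fields than assumed */
    report->field[0]->value[0] = value;
    report->field[1]->value[0] = rate;
    return 0;
}

/* Test fixture (constructed): a report whose descriptor declared nfields
 * fields; unparsed field slots stay NULL. */
static int32_t g_values[2][1];
static struct hid_field g_fields[2] = { { g_values[0] }, { g_values[1] } };
static struct hid_report g_report;

struct hid_report *make_report(unsigned int nfields)
{
    g_report.maxfield = nfields;
    for (unsigned int i = 0; i < 2; i++)
        g_report.field[i] = (i < nfields) ? &g_fields[i] : NULL;
    return &g_report;
}

int main(void)
{
    /* Well-formed two-field report: both variants succeed. */
    struct hid_report *ok = make_report(2);
    magic_backlight_report_set_unchecked(ok, 1, 3);
    printf("two fields, checked: %d\n", magic_backlight_report_set_checked(ok, 1, 3));

    /* One-field report, as a malicious or buggy device could present it:
     * the checked variant returns -1 instead of dereferencing field[1]. */
    struct hid_report *bad = make_report(1);
    printf("one field, checked:  %d\n", magic_backlight_report_set_checked(bad, 1, 3));
    return 0;
}
```

In a real driver the cheapest place for this check is once, when the report is looked up during device initialisation, so that a device whose descriptor does not match the driver's expectations is refused before any feature report is ever sent; a per-call check as shown above is the fallback when the report can only be validated at use time.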

Added: Aug 19, 2025, 6:54 PM
Updated: Aug 19, 2025, 6:54 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 0.3
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.