cvelist/2023/52xxx/CVE-2023-52866.json

{
    "data_version": "4.0",
    "data_type": "CVE",
    "data_format": "MITRE",
    "CVE_data_meta": {
        "ID": "CVE-2023-52866",
        "ASSIGNER": "cve@kernel.org",
        "STATE": "PUBLIC"
    },
    "description": {
        "description_data": [
            {
                "lang": "eng",
                "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: uclogic: Fix user-memory-access bug in uclogic_params_ugee_v2_init_event_hooks()\n\nWhen CONFIG_HID_UCLOGIC=y and CONFIG_KUNIT_ALL_TESTS=y, launch kernel and\nthen the below user-memory-access bug occurs.\n\nIn hid_test_uclogic_params_cleanup_event_hooks(),it call\nuclogic_params_ugee_v2_init_event_hooks() with the first arg=NULL, so\nwhen it calls uclogic_params_ugee_v2_has_battery(), the hid_get_drvdata()\nwill access hdev->dev with hdev=NULL, which will cause below\nuser-memory-access.\n\nSo add a fake_device with quirks member and call hid_set_drvdata()\nto assign hdev->dev->driver_data which avoids the null-ptr-def bug\nfor drvdata->quirks in uclogic_params_ugee_v2_has_battery(). After applying\nthis patch, the below user-memory-access bug never occurs.\n\n general protection fault, probably for non-canonical address 0xdffffc0000000329: 0000 [#1] PREEMPT SMP KASAN\n KASAN: probably user-memory-access in range [0x0000000000001948-0x000000000000194f]\n CPU: 5 PID: 2189 Comm: kunit_try_catch Tainted: G    B   W        N 6.6.0-rc2+ #30\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\n RIP: 0010:uclogic_params_ugee_v2_init_event_hooks+0x87/0x600\n Code: f3 f3 65 48 8b 14 25 28 00 00 00 48 89 54 24 60 31 d2 48 89 fa c7 44 24 30 00 00 00 00 48 c7 44 24 28 02 f8 02 01 48 c1 ea 03 <80> 3c 02 00 0f 85 2c 04 00 00 48 8b 9d 48 19 00 00 48 b8 00 00 00\n RSP: 0000:ffff88810679fc88 EFLAGS: 00010202\n RAX: dffffc0000000000 RBX: 0000000000000004 RCX: 0000000000000000\n RDX: 0000000000000329 RSI: ffff88810679fd88 RDI: 0000000000001948\n RBP: 0000000000000000 R08: 0000000000000000 R09: ffffed1020f639f0\n R10: ffff888107b1cf87 R11: 0000000000000400 R12: 1ffff11020cf3f92\n R13: ffff88810679fd88 R14: ffff888100b97b08 R15: ffff8881030bb080\n FS:  0000000000000000(0000) GS:ffff888119e80000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000000 CR3: 0000000005286001 CR4: 0000000000770ee0\n DR0: ffffffff8fdd6cf4 DR1: ffffffff8fdd6cf5 DR2: ffffffff8fdd6cf6\n DR3: ffffffff8fdd6cf7 DR6: 00000000fffe0ff0 DR7: 0000000000000600\n PKRU: 55555554\n Call Trace:\n  <TASK>\n  ? die_addr+0x3d/0xa0\n  ? exc_general_protection+0x144/0x220\n  ? asm_exc_general_protection+0x22/0x30\n  ? uclogic_params_ugee_v2_init_event_hooks+0x87/0x600\n  ? sched_clock_cpu+0x69/0x550\n  ? uclogic_parse_ugee_v2_desc_gen_params+0x70/0x70\n  ? load_balance+0x2950/0x2950\n  ? rcu_trc_cmpxchg_need_qs+0x67/0xa0\n  hid_test_uclogic_params_cleanup_event_hooks+0x9e/0x1a0\n  ? uclogic_params_ugee_v2_init_event_hooks+0x600/0x600\n  ? __switch_to+0x5cf/0xe60\n  ? migrate_enable+0x260/0x260\n  ? __kthread_parkme+0x83/0x150\n  ? kunit_try_run_case_cleanup+0xe0/0xe0\n  kunit_generic_run_threadfn_adapter+0x4a/0x90\n  ? kunit_try_catch_throw+0x80/0x80\n  kthread+0x2b5/0x380\n  ? kthread_complete_and_exit+0x20/0x20\n  ret_from_fork+0x2d/0x70\n  ? kthread_complete_and_exit+0x20/0x20\n  ret_from_fork_asm+0x11/0x20\n  </TASK>\n Modules linked in:\n Dumping ftrace buffer:\n    (ftrace buffer empty)\n ---[ end trace 0000000000000000 ]---\n RIP: 0010:uclogic_params_ugee_v2_init_event_hooks+0x87/0x600\n Code: f3 f3 65 48 8b 14 25 28 00 00 00 48 89 54 24 60 31 d2 48 89 fa c7 44 24 30 00 00 00 00 48 c7 44 24 28 02 f8 02 01 48 c1 ea 03 <80> 3c 02 00 0f 85 2c 04 00 00 48 8b 9d 48 19 00 00 48 b8 00 00 00\n RSP: 0000:ffff88810679fc88 EFLAGS: 00010202\n RAX: dffffc0000000000 RBX: 0000000000000004 RCX: 0000000000000000\n RDX: 0000000000000329 RSI: ffff88810679fd88 RDI: 0000000000001948\n RBP: 0000000000000000 R08: 0000000000000000 R09: ffffed1020f639f0\n R10: ffff888107b1cf87 R11: 0000000000000400 R12: 1ffff11020cf3f92\n R13: ffff88810679fd88 R14: ffff888100b97b08 R15: ffff8881030bb080\n FS:  0000000000000000(0000) GS:ffff888119e80000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000000 CR3: 0000000005286001 CR4: 0000000000770ee0\n DR0: ffffffff8fdd6cf4 DR1: \n---truncated---"
            }
        ]
    },
    "problemtype": {
        "problemtype_data": [
            {
                "description": [
                    {
                        "lang": "eng",
                        "value": "n/a"
                    }
                ]
            }
        ]
    },
    "affects": {
        "vendor": {
            "vendor_data": [
                {
                    "vendor_name": "Linux",
                    "product": {
                        "product_data": [
                            {
                                "product_name": "Linux",
                                "version": {
                                    "version_data": [
                                        {
                                            "version_affected": "<",
                                            "version_name": "a251d6576d2a",
                                            "version_value": "64da1f6147da"
                                        },
                                        {
                                            "version_value": "not down converted",
                                            "x_cve_json_5_version_data": {
                                                "versions": [
                                                    {
                                                        "version": "6.3",
                                                        "status": "affected"
                                                    },
                                                    {
                                                        "version": "0",
                                                        "lessThan": "6.3",
                                                        "status": "unaffected",
                                                        "versionType": "semver"
                                                    },
                                                    {
                                                        "version": "6.5.12",
                                                        "lessThanOrEqual": "6.5.*",
                                                        "status": "unaffected",
                                                        "versionType": "semver"
                                                    },
                                                    {
                                                        "version": "6.6.2",
                                                        "lessThanOrEqual": "6.6.*",
                                                        "status": "unaffected",
                                                        "versionType": "semver"
                                                    },
                                                    {
                                                        "version": "6.7",
                                                        "lessThanOrEqual": "*",
                                                        "status": "unaffected",
                                                        "versionType": "original_commit_for_fix"
                                                    }
                                                ],
                                                "defaultStatus": "affected"
                                            }
                                        }
                                    ]
                                }
                            }
                        ]
                    }
                }
            ]
        }
    },
    "references": {
        "reference_data": [
            {
                "url": "https://git.kernel.org/stable/c/64da1f6147dac7f8499d4937a0d7ea990bf569e8",
                "refsource": "MISC",
                "name": "https://git.kernel.org/stable/c/64da1f6147dac7f8499d4937a0d7ea990bf569e8"
            },
            {
                "url": "https://git.kernel.org/stable/c/6c8f953728d75104d994893f58801c457274335a",
                "refsource": "MISC",
                "name": "https://git.kernel.org/stable/c/6c8f953728d75104d994893f58801c457274335a"
            },
            {
                "url": "https://git.kernel.org/stable/c/91cfe0bbaa1c434d4271eb6e1d7aaa1fe8d121f6",
                "refsource": "MISC",
                "name": "https://git.kernel.org/stable/c/91cfe0bbaa1c434d4271eb6e1d7aaa1fe8d121f6"
            }
        ]
    },
    "generator": {
        "engine": "bippy-9e1c9544281a"
    }
}