CVE-2023-52866
Severity CVSS v4.0:
Pending analysis
Type:
CWE-125
Out-of-bounds Read
Publication date:
21/05/2024
Last modified:
24/09/2025
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
HID: uclogic: Fix user-memory-access bug in uclogic_params_ugee_v2_init_event_hooks()<br />
<br />
When CONFIG_HID_UCLOGIC=y and CONFIG_KUNIT_ALL_TESTS=y, launch kernel and<br />
then the below user-memory-access bug occurs.<br />
<br />
In hid_test_uclogic_params_cleanup_event_hooks(),it call<br />
uclogic_params_ugee_v2_init_event_hooks() with the first arg=NULL, so<br />
when it calls uclogic_params_ugee_v2_has_battery(), the hid_get_drvdata()<br />
will access hdev->dev with hdev=NULL, which will cause below<br />
user-memory-access.<br />
<br />
So add a fake_device with quirks member and call hid_set_drvdata()<br />
to assign hdev->dev->driver_data which avoids the null-ptr-def bug<br />
for drvdata->quirks in uclogic_params_ugee_v2_has_battery(). After applying<br />
this patch, the below user-memory-access bug never occurs.<br />
<br />
general protection fault, probably for non-canonical address 0xdffffc0000000329: 0000 [#1] PREEMPT SMP KASAN<br />
KASAN: probably user-memory-access in range [0x0000000000001948-0x000000000000194f]<br />
CPU: 5 PID: 2189 Comm: kunit_try_catch Tainted: G B W N 6.6.0-rc2+ #30<br />
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014<br />
RIP: 0010:uclogic_params_ugee_v2_init_event_hooks+0x87/0x600<br />
Code: f3 f3 65 48 8b 14 25 28 00 00 00 48 89 54 24 60 31 d2 48 89 fa c7 44 24 30 00 00 00 00 48 c7 44 24 28 02 f8 02 01 48 c1 ea 03 3c 02 00 0f 85 2c 04 00 00 48 8b 9d 48 19 00 00 48 b8 00 00 00<br />
RSP: 0000:ffff88810679fc88 EFLAGS: 00010202<br />
RAX: dffffc0000000000 RBX: 0000000000000004 RCX: 0000000000000000<br />
RDX: 0000000000000329 RSI: ffff88810679fd88 RDI: 0000000000001948<br />
RBP: 0000000000000000 R08: 0000000000000000 R09: ffffed1020f639f0<br />
R10: ffff888107b1cf87 R11: 0000000000000400 R12: 1ffff11020cf3f92<br />
R13: ffff88810679fd88 R14: ffff888100b97b08 R15: ffff8881030bb080<br />
FS: 0000000000000000(0000) GS:ffff888119e80000(0000) knlGS:0000000000000000<br />
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br />
CR2: 0000000000000000 CR3: 0000000005286001 CR4: 0000000000770ee0<br />
DR0: ffffffff8fdd6cf4 DR1: ffffffff8fdd6cf5 DR2: ffffffff8fdd6cf6<br />
DR3: ffffffff8fdd6cf7 DR6: 00000000fffe0ff0 DR7: 0000000000000600<br />
PKRU: 55555554<br />
Call Trace:<br />
<br />
? die_addr+0x3d/0xa0<br />
? exc_general_protection+0x144/0x220<br />
? asm_exc_general_protection+0x22/0x30<br />
? uclogic_params_ugee_v2_init_event_hooks+0x87/0x600<br />
? sched_clock_cpu+0x69/0x550<br />
? uclogic_parse_ugee_v2_desc_gen_params+0x70/0x70<br />
? load_balance+0x2950/0x2950<br />
? rcu_trc_cmpxchg_need_qs+0x67/0xa0<br />
hid_test_uclogic_params_cleanup_event_hooks+0x9e/0x1a0<br />
? uclogic_params_ugee_v2_init_event_hooks+0x600/0x600<br />
? __switch_to+0x5cf/0xe60<br />
? migrate_enable+0x260/0x260<br />
? __kthread_parkme+0x83/0x150<br />
? kunit_try_run_case_cleanup+0xe0/0xe0<br />
kunit_generic_run_threadfn_adapter+0x4a/0x90<br />
? kunit_try_catch_throw+0x80/0x80<br />
kthread+0x2b5/0x380<br />
? kthread_complete_and_exit+0x20/0x20<br />
ret_from_fork+0x2d/0x70<br />
? kthread_complete_and_exit+0x20/0x20<br />
ret_from_fork_asm+0x11/0x20<br />
<br />
Modules linked in:<br />
Dumping ftrace buffer:<br />
(ftrace buffer empty)<br />
---[ end trace 0000000000000000 ]---<br />
RIP: 0010:uclogic_params_ugee_v2_init_event_hooks+0x87/0x600<br />
Code: f3 f3 65 48 8b 14 25 28 00 00 00 48 89 54 24 60 31 d2 48 89 fa c7 44 24 30 00 00 00 00 48 c7 44 24 28 02 f8 02 01 48 c1 ea 03 3c 02 00 0f 85 2c 04 00 00 48 8b 9d 48 19 00 00 48 b8 00 00 00<br />
RSP: 0000:ffff88810679fc88 EFLAGS: 00010202<br />
RAX: dffffc0000000000 RBX: 0000000000000004 RCX: 0000000000000000<br />
RDX: 0000000000000329 RSI: ffff88810679fd88 RDI: 0000000000001948<br />
RBP: 0000000000000000 R08: 0000000000000000 R09: ffffed1020f639f0<br />
R10: ffff888107b1cf87 R11: 0000000000000400 R12: 1ffff11020cf3f92<br />
R13: ffff88810679fd88 R14: ffff888100b97b08 R15: ffff8881030bb080<br />
FS: 0000000000000000(0000) GS:ffff888119e80000(0000) knlGS:0000000000000000<br />
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br />
CR2: 0000000000000000 CR3: 0000000005286001 CR4: 0000000000770ee0<br />
DR0: ffffffff8fdd6cf4 DR1: <br />
---truncated---
Impact
Base Score 3.x
7.10
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.3 (including) | 6.5.12 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.6 (including) | 6.6.2 (excluding) |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/64da1f6147dac7f8499d4937a0d7ea990bf569e8
- https://git.kernel.org/stable/c/6c8f953728d75104d994893f58801c457274335a
- https://git.kernel.org/stable/c/91cfe0bbaa1c434d4271eb6e1d7aaa1fe8d121f6
- https://git.kernel.org/stable/c/64da1f6147dac7f8499d4937a0d7ea990bf569e8
- https://git.kernel.org/stable/c/6c8f953728d75104d994893f58801c457274335a
- https://git.kernel.org/stable/c/91cfe0bbaa1c434d4271eb6e1d7aaa1fe8d121f6