cvelistv5 - CVE-2023-52478

CVE-2023-52478

Vulnerability from cvelistv5

Published

2024-02-29 05:43

Modified

2024-08-15 19:25

Severity

Summary

HID: logitech-hidpp: Fix kernel crash on receiver USB disconnect

References

Source	URL	Tags
416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/093af62c023537f097d2ebdfaa0bc7c1a6e874e1
416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/28ddc1e0b898291323b62d770b1b931de131a528
416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/44481b244fcaa2b895a53081d6204c574720c38c
416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/ca0c4cc1d215dc22ab0e738c9f017c650f3183f5
416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/cd0e2bf7fb22fe9b989c59c42dca06367fd10e6b
416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/dac501397b9d81e4782232c39f94f4307b137452
416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/f7b2c7d9831af99369fe8ad9b2a68d78942f414e
416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/fd72ac9556a473fc7daf54efb6ca8a97180d621d

Impacted products

Vendor	Product
Linux	Linux
Linux	Linux

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T23:03:19.785Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/ca0c4cc1d215dc22ab0e738c9f017c650f3183f5"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/44481b244fcaa2b895a53081d6204c574720c38c"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/cd0e2bf7fb22fe9b989c59c42dca06367fd10e6b"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/093af62c023537f097d2ebdfaa0bc7c1a6e874e1"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/28ddc1e0b898291323b62d770b1b931de131a528"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/fd72ac9556a473fc7daf54efb6ca8a97180d621d"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/f7b2c7d9831af99369fe8ad9b2a68d78942f414e"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/dac501397b9d81e4782232c39f94f4307b137452"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-52478",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-08-15T19:25:15.460942Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-08-15T19:25:22.271Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/hid/hid-logitech-hidpp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ca0c4cc1d215",
              "status": "affected",
              "version": "1da177e4c3f4",
              "versionType": "git"
            },
            {
              "lessThan": "44481b244fca",
              "status": "affected",
              "version": "1da177e4c3f4",
              "versionType": "git"
            },
            {
              "lessThan": "cd0e2bf7fb22",
              "status": "affected",
              "version": "1da177e4c3f4",
              "versionType": "git"
            },
            {
              "lessThan": "093af62c0235",
              "status": "affected",
              "version": "1da177e4c3f4",
              "versionType": "git"
            },
            {
              "lessThan": "28ddc1e0b898",
              "status": "affected",
              "version": "1da177e4c3f4",
              "versionType": "git"
            },
            {
              "lessThan": "fd72ac9556a4",
              "status": "affected",
              "version": "1da177e4c3f4",
              "versionType": "git"
            },
            {
              "lessThan": "f7b2c7d9831a",
              "status": "affected",
              "version": "1da177e4c3f4",
              "versionType": "git"
            },
            {
              "lessThan": "dac501397b9d",
              "status": "affected",
              "version": "1da177e4c3f4",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/hid/hid-logitech-hidpp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThanOrEqual": "4.14.*",
              "status": "unaffected",
              "version": "4.14.328",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.297",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.259",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.199",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.136",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.59",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "6.5.*",
              "status": "unaffected",
              "version": "6.5.8",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.6",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: logitech-hidpp: Fix kernel crash on receiver USB disconnect\n\nhidpp_connect_event() has *four* time-of-check vs time-of-use (TOCTOU)\nraces when it races with itself.\n\nhidpp_connect_event() primarily runs from a workqueue but it also runs\non probe() and if a \"device-connected\" packet is received by the hw\nwhen the thread running hidpp_connect_event() from probe() is waiting on\nthe hw, then a second thread running hidpp_connect_event() will be\nstarted from the workqueue.\n\nThis opens the following races (note the below code is simplified):\n\n1. Retrieving + printing the protocol (harmless race):\n\n\tif (!hidpp-\u003eprotocol_major) {\n\t\thidpp_root_get_protocol_version()\n\t\thidpp-\u003eprotocol_major = response.rap.params[0];\n\t}\n\nWe can actually see this race hit in the dmesg in the abrt output\nattached to rhbz#2227968:\n\n[ 3064.624215] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.\n[ 3064.658184] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.\n\nTesting with extra logging added has shown that after this the 2 threads\ntake turn grabbing the hw access mutex (send_mutex) so they ping-pong\nthrough all the other TOCTOU cases managing to hit all of them:\n\n2. Updating the name to the HIDPP name (harmless race):\n\n\tif (hidpp-\u003ename == hdev-\u003ename) {\n\t\t...\n\t\thidpp-\u003ename = new_name;\n\t}\n\n3. Initializing the power_supply class for the battery (problematic!):\n\nhidpp_initialize_battery()\n{\n        if (hidpp-\u003ebattery.ps)\n                return 0;\n\n\tprobe_battery(); /* Blocks, threads take turns executing this */\n\n\thidpp-\u003ebattery.desc.properties =\n\t\tdevm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL);\n\n\thidpp-\u003ebattery.ps =\n\t\tdevm_power_supply_register(\u0026hidpp-\u003ehid_dev-\u003edev,\n\t\t\t\t\t   \u0026hidpp-\u003ebattery.desc, cfg);\n}\n\n4. Creating delayed input_device (potentially problematic):\n\n\tif (hidpp-\u003edelayed_input)\n\t\treturn;\n\n\thidpp-\u003edelayed_input = hidpp_allocate_input(hdev);\n\nThe really big problem here is 3. Hitting the race leads to the following\nsequence:\n\n\thidpp-\u003ebattery.desc.properties =\n\t\tdevm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL);\n\n\thidpp-\u003ebattery.ps =\n\t\tdevm_power_supply_register(\u0026hidpp-\u003ehid_dev-\u003edev,\n\t\t\t\t\t   \u0026hidpp-\u003ebattery.desc, cfg);\n\n\t...\n\n\thidpp-\u003ebattery.desc.properties =\n\t\tdevm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL);\n\n\thidpp-\u003ebattery.ps =\n\t\tdevm_power_supply_register(\u0026hidpp-\u003ehid_dev-\u003edev,\n\t\t\t\t\t   \u0026hidpp-\u003ebattery.desc, cfg);\n\nSo now we have registered 2 power supplies for the same battery,\nwhich looks a bit weird from userspace\u0027s pov but this is not even\nthe really big problem.\n\nNotice how:\n\n1. This is all devm-maganaged\n2. The hidpp-\u003ebattery.desc struct is shared between the 2 power supplies\n3. hidpp-\u003ebattery.desc.properties points to the result from the second\n   devm_kmemdup()\n\nThis causes a use after free scenario on USB disconnect of the receiver:\n1. The last registered power supply class device gets unregistered\n2. The memory from the last devm_kmemdup() call gets freed,\n   hidpp-\u003ebattery.desc.properties now points to freed memory\n3. The first registered power supply class device gets unregistered,\n   this involves sending a remove uevent to userspace which invokes\n   power_supply_uevent() to fill the uevent data\n4. power_supply_uevent() uses hidpp-\u003ebattery.desc.properties which\n   now points to freed memory leading to backtraces like this one:\n\nSep 22 20:01:35 eric kernel: BUG: unable to handle page fault for address: ffffb2140e017f08\n...\nSep 22 20:01:35 eric kernel: Workqueue: usb_hub_wq hub_event\nSep 22 20:01:35 eric kernel: RIP: 0010:power_supply_uevent+0xee/0x1d0\n...\nSep 22 20:01:35 eric kernel:  ? asm_exc_page_fault+0x26/0x30\nSep 22 20:01:35 eric kernel:  ? power_supply_uevent+0xee/0x1d0\nSep 22 20:01:35 eric kernel:  ? power_supply_uevent+0x10d/0x1d0\nSep 22 20:01:35 eric kernel:  dev_uevent+0x10f/0x2d0\nSep 22 20:01:35 eric kernel:  kobject_uevent_env+0x291/0x680\nSep 22 20:01:35 eric kernel:  \n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-05-29T05:12:33.401Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ca0c4cc1d215dc22ab0e738c9f017c650f3183f5"
        },
        {
          "url": "https://git.kernel.org/stable/c/44481b244fcaa2b895a53081d6204c574720c38c"
        },
        {
          "url": "https://git.kernel.org/stable/c/cd0e2bf7fb22fe9b989c59c42dca06367fd10e6b"
        },
        {
          "url": "https://git.kernel.org/stable/c/093af62c023537f097d2ebdfaa0bc7c1a6e874e1"
        },
        {
          "url": "https://git.kernel.org/stable/c/28ddc1e0b898291323b62d770b1b931de131a528"
        },
        {
          "url": "https://git.kernel.org/stable/c/fd72ac9556a473fc7daf54efb6ca8a97180d621d"
        },
        {
          "url": "https://git.kernel.org/stable/c/f7b2c7d9831af99369fe8ad9b2a68d78942f414e"
        },
        {
          "url": "https://git.kernel.org/stable/c/dac501397b9d81e4782232c39f94f4307b137452"
        }
      ],
      "title": "HID: logitech-hidpp: Fix kernel crash on receiver USB disconnect",
      "x_generator": {
        "engine": "bippy-a5840b7849dd"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-52478",
    "datePublished": "2024-02-29T05:43:10.698Z",
    "dateReserved": "2024-02-20T12:30:33.298Z",
    "dateUpdated": "2024-08-15T19:25:22.271Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-52478\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-02-29T06:15:45.920\",\"lastModified\":\"2024-02-29T13:49:29.390\",\"vulnStatus\":\"Awaiting Analysis\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nHID: logitech-hidpp: Fix kernel crash on receiver USB disconnect\\n\\nhidpp_connect_event() has *four* time-of-check vs time-of-use (TOCTOU)\\nraces when it races with itself.\\n\\nhidpp_connect_event() primarily runs from a workqueue but it also runs\\non probe() and if a \\\"device-connected\\\" packet is received by the hw\\nwhen the thread running hidpp_connect_event() from probe() is waiting on\\nthe hw, then a second thread running hidpp_connect_event() will be\\nstarted from the workqueue.\\n\\nThis opens the following races (note the below code is simplified):\\n\\n1. Retrieving + printing the protocol (harmless race):\\n\\n\\tif (!hidpp-\u003eprotocol_major) {\\n\\t\\thidpp_root_get_protocol_version()\\n\\t\\thidpp-\u003eprotocol_major = response.rap.params[0];\\n\\t}\\n\\nWe can actually see this race hit in the dmesg in the abrt output\\nattached to rhbz#2227968:\\n\\n[ 3064.624215] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.\\n[ 3064.658184] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.\\n\\nTesting with extra logging added has shown that after this the 2 threads\\ntake turn grabbing the hw access mutex (send_mutex) so they ping-pong\\nthrough all the other TOCTOU cases managing to hit all of them:\\n\\n2. Updating the name to the HIDPP name (harmless race):\\n\\n\\tif (hidpp-\u003ename == hdev-\u003ename) {\\n\\t\\t...\\n\\t\\thidpp-\u003ename = new_name;\\n\\t}\\n\\n3. Initializing the power_supply class for the battery (problematic!):\\n\\nhidpp_initialize_battery()\\n{\\n        if (hidpp-\u003ebattery.ps)\\n                return 0;\\n\\n\\tprobe_battery(); /* Blocks, threads take turns executing this */\\n\\n\\thidpp-\u003ebattery.desc.properties =\\n\\t\\tdevm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL);\\n\\n\\thidpp-\u003ebattery.ps =\\n\\t\\tdevm_power_supply_register(\u0026hidpp-\u003ehid_dev-\u003edev,\\n\\t\\t\\t\\t\\t   \u0026hidpp-\u003ebattery.desc, cfg);\\n}\\n\\n4. Creating delayed input_device (potentially problematic):\\n\\n\\tif (hidpp-\u003edelayed_input)\\n\\t\\treturn;\\n\\n\\thidpp-\u003edelayed_input = hidpp_allocate_input(hdev);\\n\\nThe really big problem here is 3. Hitting the race leads to the following\\nsequence:\\n\\n\\thidpp-\u003ebattery.desc.properties =\\n\\t\\tdevm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL);\\n\\n\\thidpp-\u003ebattery.ps =\\n\\t\\tdevm_power_supply_register(\u0026hidpp-\u003ehid_dev-\u003edev,\\n\\t\\t\\t\\t\\t   \u0026hidpp-\u003ebattery.desc, cfg);\\n\\n\\t...\\n\\n\\thidpp-\u003ebattery.desc.properties =\\n\\t\\tdevm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL);\\n\\n\\thidpp-\u003ebattery.ps =\\n\\t\\tdevm_power_supply_register(\u0026hidpp-\u003ehid_dev-\u003edev,\\n\\t\\t\\t\\t\\t   \u0026hidpp-\u003ebattery.desc, cfg);\\n\\nSo now we have registered 2 power supplies for the same battery,\\nwhich looks a bit weird from userspace\u0027s pov but this is not even\\nthe really big problem.\\n\\nNotice how:\\n\\n1. This is all devm-maganaged\\n2. The hidpp-\u003ebattery.desc struct is shared between the 2 power supplies\\n3. hidpp-\u003ebattery.desc.properties points to the result from the second\\n   devm_kmemdup()\\n\\nThis causes a use after free scenario on USB disconnect of the receiver:\\n1. The last registered power supply class device gets unregistered\\n2. The memory from the last devm_kmemdup() call gets freed,\\n   hidpp-\u003ebattery.desc.properties now points to freed memory\\n3. The first registered power supply class device gets unregistered,\\n   this involves sending a remove uevent to userspace which invokes\\n   power_supply_uevent() to fill the uevent data\\n4. power_supply_uevent() uses hidpp-\u003ebattery.desc.properties which\\n   now points to freed memory leading to backtraces like this one:\\n\\nSep 22 20:01:35 eric kernel: BUG: unable to handle page fault for address: ffffb2140e017f08\\n...\\nSep 22 20:01:35 eric kernel: Workqueue: usb_hub_wq hub_event\\nSep 22 20:01:35 eric kernel: RIP: 0010:power_supply_uevent+0xee/0x1d0\\n...\\nSep 22 20:01:35 eric kernel:  ? asm_exc_page_fault+0x26/0x30\\nSep 22 20:01:35 eric kernel:  ? power_supply_uevent+0xee/0x1d0\\nSep 22 20:01:35 eric kernel:  ? power_supply_uevent+0x10d/0x1d0\\nSep 22 20:01:35 eric kernel:  dev_uevent+0x10f/0x2d0\\nSep 22 20:01:35 eric kernel:  kobject_uevent_env+0x291/0x680\\nSep 22 20:01:35 eric kernel:  \\n---truncated---\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: HID: logitech-hidpp: soluciona el fallo del kernel en la desconexi\u00f3n del USB del receptor hidpp_connect_event() tiene *cuatro* carreras de tiempo de verificaci\u00f3n versus tiempo de uso (TOCTOU) cuando corre consigo mismo. hidpp_connect_event() se ejecuta principalmente desde una cola de trabajo, pero tambi\u00e9n se ejecuta en probe() y si el hw recibe un paquete \\\"dispositivo conectado\\\" cuando el subproceso que ejecuta hidpp_connect_event() desde probe() est\u00e1 esperando en el hw, entonces se ejecuta un segundo El hilo que ejecuta hidpp_connect_event() se iniciar\u00e1 desde la cola de trabajo. Esto abre las siguientes carreras (tenga en cuenta que el c\u00f3digo siguiente est\u00e1 simplificado):1. Retrieving + printing the protocol (harmless race): if (!hidpp-\u0026gt;protocol_major) { hidpp_root_get_protocol_version() hidpp-\u0026gt;protocol_major = response.rap.params[0]; } We can actually see this race hit in the dmesg in the abrt output attached to rhbz#2227968: [ 3064.624215] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected. [ 3064.658184] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected. Testing with extra logging added has shown that after this the 2 threads take turn grabbing the hw access mutex (send_mutex) so they ping-pong through all the other TOCTOU cases managing to hit all of them: 2. Updating the name to the HIDPP name (harmless race): if (hidpp-\u0026gt;name == hdev-\u0026gt;name) { ... hidpp-\u0026gt;name = new_name; } 3. Initializing the power_supply class for the battery (problematic!): hidpp_initialize_battery() { if (hidpp-\u0026gt;battery.ps) return 0; probe_battery(); /* Blocks, threads take turns executing this */ hidpp-\u0026gt;battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp-\u0026gt;battery.ps = devm_power_supply_register(\u0026amp;hidpp-\u0026gt;hid_dev-\u0026gt;dev, \u0026amp;hidpp-\u0026gt;battery.desc, cfg); } 4. Creating delayed input_device (potentially problematic): if (hidpp-\u0026gt;delayed_input) return; hidpp-\u0026gt;delayed_input = hidpp_allocate_input(hdev); The really big problem here is 3. Hitting the race leads to the following sequence: hidpp-\u0026gt;battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp-\u0026gt;battery.ps = devm_power_supply_register(\u0026amp;hidpp-\u0026gt;hid_dev-\u0026gt;dev, \u0026amp;hidpp-\u0026gt;battery.desc, cfg); ... hidpp-\u0026gt;battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp-\u0026gt;battery.ps = devm_power_supply_register(\u0026amp;hidpp-\u0026gt;hid_dev-\u0026gt;dev, \u0026amp;hidpp-\u0026gt;battery.desc, cfg); So now we have registered 2 power supplies for the same battery, which looks a bit weird from userspace\u0027s pov but this is not even the really big problem. Notice how: 1. This is all devm-maganaged 2. The hidpp-\u0026gt;battery.desc struct is shared between the 2 power supplies 3. hidpp-\u0026gt;battery.desc.properties points to the result from the second devm_kmemdup() This causes a use after free scenario on USB disconnect of the receiver: 1. The last registered power supply class device gets unregistered 2. The memory from the last devm_kmemdup() call gets freed, hidpp-\u0026gt;battery.desc.properties now points to freed memory 3. The first registered power supply class device gets unregistered, this involves sending a remove uevent to userspace which invokes power_supply_uevent() to fill the uevent data 4. power_supply_uevent() uses hidpp-\u0026gt;battery.desc.properties which now points to freed memory leading to backtraces like this one: Sep 22 20:01:35 eric kernel: BUG: unable to handle page fault for address: ffffb2140e017f08 ... Sep 22 20:01:35 eric kernel: Workqueue: usb_hub_wq hub_event Sep 22 20:01:35 eric kernel: RIP: 0010:power_supply_uevent+0xee/0x1d0 ... Sep 22 20:01:35 eric kernel: ? asm_exc_page_fault+0x26/0x30 Sep 22 20:01:35 eric kernel: ? power_supply_uevent+0xee/0x1d0 Sep 22 20:01:35 eric kernel: ? power_supply_uevent+0x10d/0x1d0 Sep 22 20:01:35 eric kernel: dev_uevent+0x10f/0x2d0 Sep 22 20:01:35 eric kernel: kobject_uevent_env+0x291/0x680 Sep 22 20:01:35 eric kernel: ---trun\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/093af62c023537f097d2ebdfaa0bc7c1a6e874e1\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/28ddc1e0b898291323b62d770b1b931de131a528\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/44481b244fcaa2b895a53081d6204c574720c38c\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/ca0c4cc1d215dc22ab0e738c9f017c650f3183f5\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/cd0e2bf7fb22fe9b989c59c42dca06367fd10e6b\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/dac501397b9d81e4782232c39f94f4307b137452\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/f7b2c7d9831af99369fe8ad9b2a68d78942f414e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/fd72ac9556a473fc7daf54efb6ca8a97180d621d\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}

wid-sec-w-2024-0511

Vulnerability from csaf_certbund

Published

2024-02-28 23:00

Modified

2024-06-06 22:00

Summary

Linux Kernel: Mehrere Schwachstellen ermöglichen Denial of Service und unspezifische Angriffe

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

Der Kernel stellt den Kern des Linux Betriebssystems dar.

Angriff

Ein lokaler Angreifer kann mehrere Schwachstellen im Linux-Kernel ausnutzen, um einen Denial-of-Service-Zustand herbeizuführen oder einen nicht spezifizierten Angriff durchzuführen.

Betroffene Betriebssysteme

- Linux

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "mittel"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Der Kernel stellt den Kern des Linux Betriebssystems dar.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein lokaler Angreifer kann mehrere Schwachstellen im Linux-Kernel ausnutzen, um einen Denial-of-Service-Zustand herbeizuf\u00fchren oder einen nicht spezifizierten Angriff durchzuf\u00fchren.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2024-0511 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-0511.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2024-0511 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-0511"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2024:0855-1 vom 2024-03-12",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-March/018151.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2024:0900-1 vom 2024-03-14",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-March/018167.html"
      },
      {
        "category": "external",
        "summary": "CVE Announce auf lore.kernel.org vom 2024-02-28",
        "url": "http://lore.kernel.org/"
      },
      {
        "category": "external",
        "summary": "CVE Announce auf lore.kernel.org vom 2024-02-28",
        "url": "http://lore.kernel.org/linux-cve-announce/2024022921-CVE-2023-52476-e307@gregkh/"
      },
      {
        "category": "external",
        "summary": "CVE Announce auf lore.kernel.org vom 2024-02-28",
        "url": "http://lore.kernel.org/linux-cve-announce/2024022921-CVE-2023-52477-6f20@gregkh/"
      },
      {
        "category": "external",
        "summary": "CVE Announce auf lore.kernel.org vom 2024-02-28",
        "url": "http://lore.kernel.org/linux-cve-announce/2024022921-CVE-2023-52478-c0a1@gregkh/"
      },
      {
        "category": "external",
        "summary": "CVE Announce auf lore.kernel.org vom 2024-02-28",
        "url": "http://lore.kernel.org/linux-cve-announce/2024022922-CVE-2023-52479-fc87@gregkh/"
      },
      {
        "category": "external",
        "summary": "CVE Announce auf lore.kernel.org vom 2024-02-28",
        "url": "http://lore.kernel.org/linux-cve-announce/2024022922-CVE-2023-52480-ff7f@gregkh/"
      },
      {
        "category": "external",
        "summary": "CVE Announce auf lore.kernel.org vom 2024-02-28",
        "url": "http://lore.kernel.org/linux-cve-announce/2024022922-CVE-2023-52481-99a8@gregkh/"
      },
      {
        "category": "external",
        "summary": "CVE Announce auf lore.kernel.org vom 2024-02-28",
        "url": "http://lore.kernel.org/linux-cve-announce/2024022922-CVE-2023-52482-9375@gregkh/"
      },
      {
        "category": "external",
        "summary": "CVE Announce auf lore.kernel.org vom 2024-02-28",
        "url": "http://lore.kernel.org/linux-cve-announce/2024022923-CVE-2023-52483-5b9d@gregkh/"
      },
      {
        "category": "external",
        "summary": "CVE Announce auf lore.kernel.org vom 2024-02-28",
        "url": "http://lore.kernel.org/linux-cve-announce/2024022923-CVE-2023-52484-3635@gregkh/"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2024:0856-1 vom 2024-03-13",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-March/018155.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2024:0858-1 vom 2024-03-13",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-March/018153.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2024:0857-1 vom 2024-03-13",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-March/018154.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2024:0910-1 vom 2024-03-15",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-March/018181.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2024:0900-2 vom 2024-03-15",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-March/018182.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2024:0926-1 vom 2024-03-22",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-March/018204.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2024:0976-1 vom 2024-03-22",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-March/018185.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2024:0975-1 vom 2024-03-22",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-March/018186.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2024:0925-1 vom 2024-03-22",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-March/018205.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2024:0977-1 vom 2024-03-22",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-March/018210.html"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-6725-1 vom 2024-04-09",
        "url": "https://ubuntu.com/security/notices/USN-6725-1"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-6725-2 vom 2024-04-16",
        "url": "https://ubuntu.com/security/notices/USN-6725-2"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2024:1320-1 vom 2024-04-16",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-April/018372.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2024:1321-1 vom 2024-04-17",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-April/018375.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2024:1322-1 vom 2024-04-17",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-April/018374.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2024:1332-2 vom 2024-04-18",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-April/018378.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2024:1332-1 vom 2024-04-18",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-April/018376.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2024:1322-2 vom 2024-04-18",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-April/018377.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2024:1454-1 vom 2024-04-26",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-April/018431.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2024:1466-1 vom 2024-04-29",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-April/018438.html"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2024:2394 vom 2024-04-30",
        "url": "https://access.redhat.com/errata/RHSA-2024:2394"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2024:1480-1 vom 2024-04-30",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-April/018444.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2024:1490-1 vom 2024-05-03",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-May/018445.html"
      },
      {
        "category": "external",
        "summary": "Debian Security Advisory DSA-5681 vom 2024-05-06",
        "url": "https://lists.debian.org/debian-security-announce/2024/msg00090.html"
      },
      {
        "category": "external",
        "summary": "Dell Security Advisory DSA-2024-198 vom 2024-05-08",
        "url": "https://www.dell.com/support/kbdoc/000224827/dsa-2024-="
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2024:1648-1 vom 2024-05-14",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-May/018524.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2024:1647-1 vom 2024-05-14",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-May/018525.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2024:1646-1 vom 2024-05-14",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-May/018526.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2024:1643-1 vom 2024-05-14",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-May/018529.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2024:1641-1 vom 2024-05-14",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-May/018531.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2024:1648-2 vom 2024-05-21",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-May/018572.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2024:1870-1 vom 2024-05-30",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-May/018634.html"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2024:3618 vom 2024-06-05",
        "url": "https://access.redhat.com/errata/RHSA-2024:3618"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2024:3627 vom 2024-06-05",
        "url": "https://access.redhat.com/errata/RHSA-2024:3627"
      },
      {
        "category": "external",
        "summary": "Oracle Linux Security Advisory ELSA-2024-3618 vom 2024-06-06",
        "url": "https://linux.oracle.com/errata/ELSA-2024-3618.html"
      }
    ],
    "source_lang": "en-US",
    "title": "Linux Kernel: Mehrere Schwachstellen erm\u00f6glichen Denial of Service und unspezifische Angriffe",
    "tracking": {
      "current_release_date": "2024-06-06T22:00:00.000+00:00",
      "generator": {
        "date": "2024-06-07T08:08:44.331+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.0"
        }
      },
      "id": "WID-SEC-W-2024-0511",
      "initial_release_date": "2024-02-28T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2024-02-28T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2024-03-12T23:00:00.000+00:00",
          "number": "2",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2024-03-14T23:00:00.000+00:00",
          "number": "3",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2024-03-17T23:00:00.000+00:00",
          "number": "4",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2024-03-24T23:00:00.000+00:00",
          "number": "5",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2024-04-09T22:00:00.000+00:00",
          "number": "6",
          "summary": "Neue Updates von Ubuntu aufgenommen"
        },
        {
          "date": "2024-04-16T22:00:00.000+00:00",
          "number": "7",
          "summary": "Neue Updates von Ubuntu und SUSE aufgenommen"
        },
        {
          "date": "2024-04-18T22:00:00.000+00:00",
          "number": "8",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2024-04-28T22:00:00.000+00:00",
          "number": "9",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2024-04-29T22:00:00.000+00:00",
          "number": "10",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2024-05-01T22:00:00.000+00:00",
          "number": "11",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2024-05-02T22:00:00.000+00:00",
          "number": "12",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2024-05-06T22:00:00.000+00:00",
          "number": "13",
          "summary": "Neue Updates von Debian aufgenommen"
        },
        {
          "date": "2024-05-07T22:00:00.000+00:00",
          "number": "14",
          "summary": "Neue Updates von Dell aufgenommen"
        },
        {
          "date": "2024-05-14T22:00:00.000+00:00",
          "number": "15",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2024-05-21T22:00:00.000+00:00",
          "number": "16",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2024-05-30T22:00:00.000+00:00",
          "number": "17",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2024-06-04T22:00:00.000+00:00",
          "number": "18",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2024-06-06T22:00:00.000+00:00",
          "number": "19",
          "summary": "Neue Updates von Oracle Linux aufgenommen"
        }
      ],
      "status": "final",
      "version": "19"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Debian Linux",
            "product": {
              "name": "Debian Linux",
              "product_id": "2951",
              "product_identification_helper": {
                "cpe": "cpe:/o:debian:debian_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Debian"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "virtual",
                "product": {
                  "name": "Dell NetWorker virtual",
                  "product_id": "T034583",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:dell:networker:virtual"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "NetWorker"
          }
        ],
        "category": "vendor",
        "name": "Dell"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "EMC Avamar",
            "product": {
              "name": "EMC Avamar",
              "product_id": "T014381",
              "product_identification_helper": {
                "cpe": "cpe:/a:emc:avamar:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "EMC"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c6.6",
                "product": {
                  "name": "Open Source Linux Kernel \u003c6.6",
                  "product_id": "T033155",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:linux:linux_kernel:6.6"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Linux Kernel"
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Oracle Linux",
            "product": {
              "name": "Oracle Linux",
              "product_id": "T004914",
              "product_identification_helper": {
                "cpe": "cpe:/o:oracle:linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Oracle"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Red Hat Enterprise Linux",
            "product": {
              "name": "Red Hat Enterprise Linux",
              "product_id": "67646",
              "product_identification_helper": {
                "cpe": "cpe:/o:redhat:enterprise_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "SUSE Linux",
            "product": {
              "name": "SUSE Linux",
              "product_id": "T002207",
              "product_identification_helper": {
                "cpe": "cpe:/o:suse:suse_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Ubuntu Linux",
            "product": {
              "name": "Ubuntu Linux",
              "product_id": "T000126",
              "product_identification_helper": {
                "cpe": "cpe:/o:canonical:ubuntu_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Ubuntu"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-52475",
      "notes": [
        {
          "category": "description",
          "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie dem usb, dem HID oder dem ksmbd aufgrund mehrerer sicherheitsrelevanter Probleme wie einer use-after-free, einer race condition oder einer NULL pointer dereference. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu verursachen oder einen nicht spezifizierten Angriff durchzuf\u00fchren."
        }
      ],
      "product_status": {
        "known_affected": [
          "T014381",
          "2951",
          "T002207",
          "67646",
          "T000126",
          "T034583",
          "T004914"
        ]
      },
      "release_date": "2024-02-28T23:00:00Z",
      "title": "CVE-2023-52475"
    },
    {
      "cve": "CVE-2023-52476",
      "notes": [
        {
          "category": "description",
          "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie dem usb, dem HID oder dem ksmbd aufgrund mehrerer sicherheitsrelevanter Probleme wie einer use-after-free, einer race condition oder einer NULL pointer dereference. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu verursachen oder einen nicht spezifizierten Angriff durchzuf\u00fchren."
        }
      ],
      "product_status": {
        "known_affected": [
          "T014381",
          "2951",
          "T002207",
          "67646",
          "T000126",
          "T034583",
          "T004914"
        ]
      },
      "release_date": "2024-02-28T23:00:00Z",
      "title": "CVE-2023-52476"
    },
    {
      "cve": "CVE-2023-52477",
      "notes": [
        {
          "category": "description",
          "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie dem usb, dem HID oder dem ksmbd aufgrund mehrerer sicherheitsrelevanter Probleme wie einer use-after-free, einer race condition oder einer NULL pointer dereference. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu verursachen oder einen nicht spezifizierten Angriff durchzuf\u00fchren."
        }
      ],
      "product_status": {
        "known_affected": [
          "T014381",
          "2951",
          "T002207",
          "67646",
          "T000126",
          "T034583",
          "T004914"
        ]
      },
      "release_date": "2024-02-28T23:00:00Z",
      "title": "CVE-2023-52477"
    },
    {
      "cve": "CVE-2023-52478",
      "notes": [
        {
          "category": "description",
          "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie dem usb, dem HID oder dem ksmbd aufgrund mehrerer sicherheitsrelevanter Probleme wie einer use-after-free, einer race condition oder einer NULL pointer dereference. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu verursachen oder einen nicht spezifizierten Angriff durchzuf\u00fchren."
        }
      ],
      "product_status": {
        "known_affected": [
          "T014381",
          "2951",
          "T002207",
          "67646",
          "T000126",
          "T034583",
          "T004914"
        ]
      },
      "release_date": "2024-02-28T23:00:00Z",
      "title": "CVE-2023-52478"
    },
    {
      "cve": "CVE-2023-52479",
      "notes": [
        {
          "category": "description",
          "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie dem usb, dem HID oder dem ksmbd aufgrund mehrerer sicherheitsrelevanter Probleme wie einer use-after-free, einer race condition oder einer NULL pointer dereference. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu verursachen oder einen nicht spezifizierten Angriff durchzuf\u00fchren."
        }
      ],
      "product_status": {
        "known_affected": [
          "T014381",
          "2951",
          "T002207",
          "67646",
          "T000126",
          "T034583",
          "T004914"
        ]
      },
      "release_date": "2024-02-28T23:00:00Z",
      "title": "CVE-2023-52479"
    },
    {
      "cve": "CVE-2023-52480",
      "notes": [
        {
          "category": "description",
          "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie dem usb, dem HID oder dem ksmbd aufgrund mehrerer sicherheitsrelevanter Probleme wie einer use-after-free, einer race condition oder einer NULL pointer dereference. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu verursachen oder einen nicht spezifizierten Angriff durchzuf\u00fchren."
        }
      ],
      "product_status": {
        "known_affected": [
          "T014381",
          "2951",
          "T002207",
          "67646",
          "T000126",
          "T034583",
          "T004914"
        ]
      },
      "release_date": "2024-02-28T23:00:00Z",
      "title": "CVE-2023-52480"
    },
    {
      "cve": "CVE-2023-52481",
      "notes": [
        {
          "category": "description",
          "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie dem usb, dem HID oder dem ksmbd aufgrund mehrerer sicherheitsrelevanter Probleme wie einer use-after-free, einer race condition oder einer NULL pointer dereference. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu verursachen oder einen nicht spezifizierten Angriff durchzuf\u00fchren."
        }
      ],
      "product_status": {
        "known_affected": [
          "T014381",
          "2951",
          "T002207",
          "67646",
          "T000126",
          "T034583",
          "T004914"
        ]
      },
      "release_date": "2024-02-28T23:00:00Z",
      "title": "CVE-2023-52481"
    },
    {
      "cve": "CVE-2023-52482",
      "notes": [
        {
          "category": "description",
          "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie dem usb, dem HID oder dem ksmbd aufgrund mehrerer sicherheitsrelevanter Probleme wie einer use-after-free, einer race condition oder einer NULL pointer dereference. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu verursachen oder einen nicht spezifizierten Angriff durchzuf\u00fchren."
        }
      ],
      "product_status": {
        "known_affected": [
          "T014381",
          "2951",
          "T002207",
          "67646",
          "T000126",
          "T034583",
          "T004914"
        ]
      },
      "release_date": "2024-02-28T23:00:00Z",
      "title": "CVE-2023-52482"
    },
    {
      "cve": "CVE-2023-52483",
      "notes": [
        {
          "category": "description",
          "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie dem usb, dem HID oder dem ksmbd aufgrund mehrerer sicherheitsrelevanter Probleme wie einer use-after-free, einer race condition oder einer NULL pointer dereference. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu verursachen oder einen nicht spezifizierten Angriff durchzuf\u00fchren."
        }
      ],
      "product_status": {
        "known_affected": [
          "T014381",
          "2951",
          "T002207",
          "67646",
          "T000126",
          "T034583",
          "T004914"
        ]
      },
      "release_date": "2024-02-28T23:00:00Z",
      "title": "CVE-2023-52483"
    },
    {
      "cve": "CVE-2023-52484",
      "notes": [
        {
          "category": "description",
          "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie dem usb, dem HID oder dem ksmbd aufgrund mehrerer sicherheitsrelevanter Probleme wie einer use-after-free, einer race condition oder einer NULL pointer dereference. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu verursachen oder einen nicht spezifizierten Angriff durchzuf\u00fchren."
        }
      ],
      "product_status": {
        "known_affected": [
          "T014381",
          "2951",
          "T002207",
          "67646",
          "T000126",
          "T034583",
          "T004914"
        ]
      },
      "release_date": "2024-02-28T23:00:00Z",
      "title": "CVE-2023-52484"
    }
  ]
}

ghsa-f7hm-xqp4-h2q8

Vulnerability from github

Published

2024-02-29 06:30

Modified

2024-02-29 06:30

Details

In the Linux kernel, the following vulnerability has been resolved:

HID: logitech-hidpp: Fix kernel crash on receiver USB disconnect

hidpp_connect_event() has four time-of-check vs time-of-use (TOCTOU) races when it races with itself.

hidpp_connect_event() primarily runs from a workqueue but it also runs on probe() and if a "device-connected" packet is received by the hw when the thread running hidpp_connect_event() from probe() is waiting on the hw, then a second thread running hidpp_connect_event() will be started from the workqueue.

This opens the following races (note the below code is simplified):

Retrieving + printing the protocol (harmless race):

if (!hidpp->protocol_major) { hidpp_root_get_protocol_version() hidpp->protocol_major = response.rap.params[0]; }

We can actually see this race hit in the dmesg in the abrt output attached to rhbz#2227968:

[ 3064.624215] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected. [ 3064.658184] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.

Testing with extra logging added has shown that after this the 2 threads take turn grabbing the hw access mutex (send_mutex) so they ping-pong through all the other TOCTOU cases managing to hit all of them:

Updating the name to the HIDPP name (harmless race):

if (hidpp->name == hdev->name) { ... hidpp->name = new_name; }
Initializing the power_supply class for the battery (problematic!):

hidpp_initialize_battery() { if (hidpp->battery.ps) return 0;

probe_battery(); /* Blocks, threads take turns executing this */

hidpp->battery.desc.properties =
    devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL);

hidpp->battery.ps =
    devm_power_supply_register(&hidpp->hid_dev->dev,
                   &hidpp->battery.desc, cfg);

}

Creating delayed input_device (potentially problematic):

if (hidpp->delayed_input) return;

hidpp->delayed_input = hidpp_allocate_input(hdev);

The really big problem here is 3. Hitting the race leads to the following sequence:

hidpp->battery.desc.properties =
    devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL);

hidpp->battery.ps =
    devm_power_supply_register(&hidpp->hid_dev->dev,
                   &hidpp->battery.desc, cfg);

...

hidpp->battery.desc.properties =
    devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL);

hidpp->battery.ps =
    devm_power_supply_register(&hidpp->hid_dev->dev,
                   &hidpp->battery.desc, cfg);

So now we have registered 2 power supplies for the same battery, which looks a bit weird from userspace's pov but this is not even the really big problem.

Notice how:

This is all devm-maganaged
The hidpp->battery.desc struct is shared between the 2 power supplies
hidpp->battery.desc.properties points to the result from the second devm_kmemdup()

This causes a use after free scenario on USB disconnect of the receiver: 1. The last registered power supply class device gets unregistered 2. The memory from the last devm_kmemdup() call gets freed, hidpp->battery.desc.properties now points to freed memory 3. The first registered power supply class device gets unregistered, this involves sending a remove uevent to userspace which invokes power_supply_uevent() to fill the uevent data 4. power_supply_uevent() uses hidpp->battery.desc.properties which now points to freed memory leading to backtraces like this one:

Sep 22 20:01:35 eric kernel: BUG: unable to handle page fault for address: ffffb2140e017f08 ... Sep 22 20:01:35 eric kernel: Workqueue: usb_hub_wq hub_event Sep 22 20:01:35 eric kernel: RIP: 0010:power_supply_uevent+0xee/0x1d0 ... Sep 22 20:01:35 eric kernel: ? asm_exc_page_fault+0x26/0x30 Sep 22 20:01:35 eric kernel: ? power_supply_uevent+0xee/0x1d0 Sep 22 20:01:35 eric kernel: ? power_supply_uevent+0x10d/0x1d0 Sep 22 20:01:35 eric kernel: dev_uevent+0x10f/0x2d0 Sep 22 20:01:35 eric kernel: kobject_uevent_env+0x291/0x680 Sep 22 20:01:35 eric kernel:
---truncated---

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2023-52478"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-29T06:15:45Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: logitech-hidpp: Fix kernel crash on receiver USB disconnect\n\nhidpp_connect_event() has *four* time-of-check vs time-of-use (TOCTOU)\nraces when it races with itself.\n\nhidpp_connect_event() primarily runs from a workqueue but it also runs\non probe() and if a \"device-connected\" packet is received by the hw\nwhen the thread running hidpp_connect_event() from probe() is waiting on\nthe hw, then a second thread running hidpp_connect_event() will be\nstarted from the workqueue.\n\nThis opens the following races (note the below code is simplified):\n\n1. Retrieving + printing the protocol (harmless race):\n\n\tif (!hidpp-\u003eprotocol_major) {\n\t\thidpp_root_get_protocol_version()\n\t\thidpp-\u003eprotocol_major = response.rap.params[0];\n\t}\n\nWe can actually see this race hit in the dmesg in the abrt output\nattached to rhbz#2227968:\n\n[ 3064.624215] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.\n[ 3064.658184] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.\n\nTesting with extra logging added has shown that after this the 2 threads\ntake turn grabbing the hw access mutex (send_mutex) so they ping-pong\nthrough all the other TOCTOU cases managing to hit all of them:\n\n2. Updating the name to the HIDPP name (harmless race):\n\n\tif (hidpp-\u003ename == hdev-\u003ename) {\n\t\t...\n\t\thidpp-\u003ename = new_name;\n\t}\n\n3. Initializing the power_supply class for the battery (problematic!):\n\nhidpp_initialize_battery()\n{\n        if (hidpp-\u003ebattery.ps)\n                return 0;\n\n\tprobe_battery(); /* Blocks, threads take turns executing this */\n\n\thidpp-\u003ebattery.desc.properties =\n\t\tdevm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL);\n\n\thidpp-\u003ebattery.ps =\n\t\tdevm_power_supply_register(\u0026hidpp-\u003ehid_dev-\u003edev,\n\t\t\t\t\t   \u0026hidpp-\u003ebattery.desc, cfg);\n}\n\n4. Creating delayed input_device (potentially problematic):\n\n\tif (hidpp-\u003edelayed_input)\n\t\treturn;\n\n\thidpp-\u003edelayed_input = hidpp_allocate_input(hdev);\n\nThe really big problem here is 3. Hitting the race leads to the following\nsequence:\n\n\thidpp-\u003ebattery.desc.properties =\n\t\tdevm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL);\n\n\thidpp-\u003ebattery.ps =\n\t\tdevm_power_supply_register(\u0026hidpp-\u003ehid_dev-\u003edev,\n\t\t\t\t\t   \u0026hidpp-\u003ebattery.desc, cfg);\n\n\t...\n\n\thidpp-\u003ebattery.desc.properties =\n\t\tdevm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL);\n\n\thidpp-\u003ebattery.ps =\n\t\tdevm_power_supply_register(\u0026hidpp-\u003ehid_dev-\u003edev,\n\t\t\t\t\t   \u0026hidpp-\u003ebattery.desc, cfg);\n\nSo now we have registered 2 power supplies for the same battery,\nwhich looks a bit weird from userspace\u0027s pov but this is not even\nthe really big problem.\n\nNotice how:\n\n1. This is all devm-maganaged\n2. The hidpp-\u003ebattery.desc struct is shared between the 2 power supplies\n3. hidpp-\u003ebattery.desc.properties points to the result from the second\n   devm_kmemdup()\n\nThis causes a use after free scenario on USB disconnect of the receiver:\n1. The last registered power supply class device gets unregistered\n2. The memory from the last devm_kmemdup() call gets freed,\n   hidpp-\u003ebattery.desc.properties now points to freed memory\n3. The first registered power supply class device gets unregistered,\n   this involves sending a remove uevent to userspace which invokes\n   power_supply_uevent() to fill the uevent data\n4. power_supply_uevent() uses hidpp-\u003ebattery.desc.properties which\n   now points to freed memory leading to backtraces like this one:\n\nSep 22 20:01:35 eric kernel: BUG: unable to handle page fault for address: ffffb2140e017f08\n...\nSep 22 20:01:35 eric kernel: Workqueue: usb_hub_wq hub_event\nSep 22 20:01:35 eric kernel: RIP: 0010:power_supply_uevent+0xee/0x1d0\n...\nSep 22 20:01:35 eric kernel:  ? asm_exc_page_fault+0x26/0x30\nSep 22 20:01:35 eric kernel:  ? power_supply_uevent+0xee/0x1d0\nSep 22 20:01:35 eric kernel:  ? power_supply_uevent+0x10d/0x1d0\nSep 22 20:01:35 eric kernel:  dev_uevent+0x10f/0x2d0\nSep 22 20:01:35 eric kernel:  kobject_uevent_env+0x291/0x680\nSep 22 20:01:35 eric kernel:  \n---truncated---",
  "id": "GHSA-f7hm-xqp4-h2q8",
  "modified": "2024-02-29T06:30:32Z",
  "published": "2024-02-29T06:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52478"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/093af62c023537f097d2ebdfaa0bc7c1a6e874e1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/28ddc1e0b898291323b62d770b1b931de131a528"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/44481b244fcaa2b895a53081d6204c574720c38c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ca0c4cc1d215dc22ab0e738c9f017c650f3183f5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/cd0e2bf7fb22fe9b989c59c42dca06367fd10e6b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/dac501397b9d81e4782232c39f94f4307b137452"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f7b2c7d9831af99369fe8ad9b2a68d78942f414e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/fd72ac9556a473fc7daf54efb6ca8a97180d621d"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

gsd-2023-52478

Vulnerability from gsd

Modified

2024-02-21 06:01

Details

In the Linux kernel, the following vulnerability has been resolved: HID: logitech-hidpp: Fix kernel crash on receiver USB disconnect hidpp_connect_event() has *four* time-of-check vs time-of-use (TOCTOU) races when it races with itself. hidpp_connect_event() primarily runs from a workqueue but it also runs on probe() and if a "device-connected" packet is received by the hw when the thread running hidpp_connect_event() from probe() is waiting on the hw, then a second thread running hidpp_connect_event() will be started from the workqueue. This opens the following races (note the below code is simplified): 1. Retrieving + printing the protocol (harmless race): if (!hidpp->protocol_major) { hidpp_root_get_protocol_version() hidpp->protocol_major = response.rap.params[0]; } We can actually see this race hit in the dmesg in the abrt output attached to rhbz#2227968: [ 3064.624215] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected. [ 3064.658184] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected. Testing with extra logging added has shown that after this the 2 threads take turn grabbing the hw access mutex (send_mutex) so they ping-pong through all the other TOCTOU cases managing to hit all of them: 2. Updating the name to the HIDPP name (harmless race): if (hidpp->name == hdev->name) { ... hidpp->name = new_name; } 3. Initializing the power_supply class for the battery (problematic!): hidpp_initialize_battery() { if (hidpp->battery.ps) return 0; probe_battery(); /* Blocks, threads take turns executing this */ hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg); } 4. Creating delayed input_device (potentially problematic): if (hidpp->delayed_input) return; hidpp->delayed_input = hidpp_allocate_input(hdev); The really big problem here is 3. Hitting the race leads to the following sequence: hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg); ... hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg); So now we have registered 2 power supplies for the same battery, which looks a bit weird from userspace's pov but this is not even the really big problem. Notice how: 1. This is all devm-maganaged 2. The hidpp->battery.desc struct is shared between the 2 power supplies 3. hidpp->battery.desc.properties points to the result from the second devm_kmemdup() This causes a use after free scenario on USB disconnect of the receiver: 1. The last registered power supply class device gets unregistered 2. The memory from the last devm_kmemdup() call gets freed, hidpp->battery.desc.properties now points to freed memory 3. The first registered power supply class device gets unregistered, this involves sending a remove uevent to userspace which invokes power_supply_uevent() to fill the uevent data 4. power_supply_uevent() uses hidpp->battery.desc.properties which now points to freed memory leading to backtraces like this one: Sep 22 20:01:35 eric kernel: BUG: unable to handle page fault for address: ffffb2140e017f08 ... Sep 22 20:01:35 eric kernel: Workqueue: usb_hub_wq hub_event Sep 22 20:01:35 eric kernel: RIP: 0010:power_supply_uevent+0xee/0x1d0 ... Sep 22 20:01:35 eric kernel: ? asm_exc_page_fault+0x26/0x30 Sep 22 20:01:35 eric kernel: ? power_supply_uevent+0xee/0x1d0 Sep 22 20:01:35 eric kernel: ? power_supply_uevent+0x10d/0x1d0 Sep 22 20:01:35 eric kernel: dev_uevent+0x10f/0x2d0 Sep 22 20:01:35 eric kernel: kobject_uevent_env+0x291/0x680 Sep 22 20:01:35 eric kernel: ---truncated---

Aliases

CVE-2023-52478

JSON

To clipboard

{
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2023-52478"
      ],
      "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: logitech-hidpp: Fix kernel crash on receiver USB disconnect\n\nhidpp_connect_event() has *four* time-of-check vs time-of-use (TOCTOU)\nraces when it races with itself.\n\nhidpp_connect_event() primarily runs from a workqueue but it also runs\non probe() and if a \"device-connected\" packet is received by the hw\nwhen the thread running hidpp_connect_event() from probe() is waiting on\nthe hw, then a second thread running hidpp_connect_event() will be\nstarted from the workqueue.\n\nThis opens the following races (note the below code is simplified):\n\n1. Retrieving + printing the protocol (harmless race):\n\n\tif (!hidpp-\u003eprotocol_major) {\n\t\thidpp_root_get_protocol_version()\n\t\thidpp-\u003eprotocol_major = response.rap.params[0];\n\t}\n\nWe can actually see this race hit in the dmesg in the abrt output\nattached to rhbz#2227968:\n\n[ 3064.624215] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.\n[ 3064.658184] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.\n\nTesting with extra logging added has shown that after this the 2 threads\ntake turn grabbing the hw access mutex (send_mutex) so they ping-pong\nthrough all the other TOCTOU cases managing to hit all of them:\n\n2. Updating the name to the HIDPP name (harmless race):\n\n\tif (hidpp-\u003ename == hdev-\u003ename) {\n\t\t...\n\t\thidpp-\u003ename = new_name;\n\t}\n\n3. Initializing the power_supply class for the battery (problematic!):\n\nhidpp_initialize_battery()\n{\n        if (hidpp-\u003ebattery.ps)\n                return 0;\n\n\tprobe_battery(); /* Blocks, threads take turns executing this */\n\n\thidpp-\u003ebattery.desc.properties =\n\t\tdevm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL);\n\n\thidpp-\u003ebattery.ps =\n\t\tdevm_power_supply_register(\u0026hidpp-\u003ehid_dev-\u003edev,\n\t\t\t\t\t   \u0026hidpp-\u003ebattery.desc, cfg);\n}\n\n4. Creating delayed input_device (potentially problematic):\n\n\tif (hidpp-\u003edelayed_input)\n\t\treturn;\n\n\thidpp-\u003edelayed_input = hidpp_allocate_input(hdev);\n\nThe really big problem here is 3. Hitting the race leads to the following\nsequence:\n\n\thidpp-\u003ebattery.desc.properties =\n\t\tdevm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL);\n\n\thidpp-\u003ebattery.ps =\n\t\tdevm_power_supply_register(\u0026hidpp-\u003ehid_dev-\u003edev,\n\t\t\t\t\t   \u0026hidpp-\u003ebattery.desc, cfg);\n\n\t...\n\n\thidpp-\u003ebattery.desc.properties =\n\t\tdevm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL);\n\n\thidpp-\u003ebattery.ps =\n\t\tdevm_power_supply_register(\u0026hidpp-\u003ehid_dev-\u003edev,\n\t\t\t\t\t   \u0026hidpp-\u003ebattery.desc, cfg);\n\nSo now we have registered 2 power supplies for the same battery,\nwhich looks a bit weird from userspace\u0027s pov but this is not even\nthe really big problem.\n\nNotice how:\n\n1. This is all devm-maganaged\n2. The hidpp-\u003ebattery.desc struct is shared between the 2 power supplies\n3. hidpp-\u003ebattery.desc.properties points to the result from the second\n   devm_kmemdup()\n\nThis causes a use after free scenario on USB disconnect of the receiver:\n1. The last registered power supply class device gets unregistered\n2. The memory from the last devm_kmemdup() call gets freed,\n   hidpp-\u003ebattery.desc.properties now points to freed memory\n3. The first registered power supply class device gets unregistered,\n   this involves sending a remove uevent to userspace which invokes\n   power_supply_uevent() to fill the uevent data\n4. power_supply_uevent() uses hidpp-\u003ebattery.desc.properties which\n   now points to freed memory leading to backtraces like this one:\n\nSep 22 20:01:35 eric kernel: BUG: unable to handle page fault for address: ffffb2140e017f08\n...\nSep 22 20:01:35 eric kernel: Workqueue: usb_hub_wq hub_event\nSep 22 20:01:35 eric kernel: RIP: 0010:power_supply_uevent+0xee/0x1d0\n...\nSep 22 20:01:35 eric kernel:  ? asm_exc_page_fault+0x26/0x30\nSep 22 20:01:35 eric kernel:  ? power_supply_uevent+0xee/0x1d0\nSep 22 20:01:35 eric kernel:  ? power_supply_uevent+0x10d/0x1d0\nSep 22 20:01:35 eric kernel:  dev_uevent+0x10f/0x2d0\nSep 22 20:01:35 eric kernel:  kobject_uevent_env+0x291/0x680\nSep 22 20:01:35 eric kernel:  \n---truncated---",
      "id": "GSD-2023-52478",
      "modified": "2024-02-21T06:01:53.373160Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@kernel.org",
        "ID": "CVE-2023-52478",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Linux",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_name": "1da177e4c3f4",
                          "version_value": "ca0c4cc1d215"
                        },
                        {
                          "version_value": "not down converted",
                          "x_cve_json_5_version_data": {
                            "defaultStatus": "affected",
                            "versions": [
                              {
                                "lessThanOrEqual": "4.14.*",
                                "status": "unaffected",
                                "version": "4.14.328",
                                "versionType": "custom"
                              },
                              {
                                "lessThanOrEqual": "4.19.*",
                                "status": "unaffected",
                                "version": "4.19.297",
                                "versionType": "custom"
                              },
                              {
                                "lessThanOrEqual": "5.4.*",
                                "status": "unaffected",
                                "version": "5.4.259",
                                "versionType": "custom"
                              },
                              {
                                "lessThanOrEqual": "5.10.*",
                                "status": "unaffected",
                                "version": "5.10.199",
                                "versionType": "custom"
                              },
                              {
                                "lessThanOrEqual": "5.15.*",
                                "status": "unaffected",
                                "version": "5.15.136",
                                "versionType": "custom"
                              },
                              {
                                "lessThanOrEqual": "6.1.*",
                                "status": "unaffected",
                                "version": "6.1.59",
                                "versionType": "custom"
                              },
                              {
                                "lessThanOrEqual": "6.5.*",
                                "status": "unaffected",
                                "version": "6.5.8",
                                "versionType": "custom"
                              },
                              {
                                "lessThanOrEqual": "*",
                                "status": "unaffected",
                                "version": "6.6",
                                "versionType": "original_commit_for_fix"
                              }
                            ]
                          }
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Linux"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: logitech-hidpp: Fix kernel crash on receiver USB disconnect\n\nhidpp_connect_event() has *four* time-of-check vs time-of-use (TOCTOU)\nraces when it races with itself.\n\nhidpp_connect_event() primarily runs from a workqueue but it also runs\non probe() and if a \"device-connected\" packet is received by the hw\nwhen the thread running hidpp_connect_event() from probe() is waiting on\nthe hw, then a second thread running hidpp_connect_event() will be\nstarted from the workqueue.\n\nThis opens the following races (note the below code is simplified):\n\n1. Retrieving + printing the protocol (harmless race):\n\n\tif (!hidpp-\u003eprotocol_major) {\n\t\thidpp_root_get_protocol_version()\n\t\thidpp-\u003eprotocol_major = response.rap.params[0];\n\t}\n\nWe can actually see this race hit in the dmesg in the abrt output\nattached to rhbz#2227968:\n\n[ 3064.624215] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.\n[ 3064.658184] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.\n\nTesting with extra logging added has shown that after this the 2 threads\ntake turn grabbing the hw access mutex (send_mutex) so they ping-pong\nthrough all the other TOCTOU cases managing to hit all of them:\n\n2. Updating the name to the HIDPP name (harmless race):\n\n\tif (hidpp-\u003ename == hdev-\u003ename) {\n\t\t...\n\t\thidpp-\u003ename = new_name;\n\t}\n\n3. Initializing the power_supply class for the battery (problematic!):\n\nhidpp_initialize_battery()\n{\n        if (hidpp-\u003ebattery.ps)\n                return 0;\n\n\tprobe_battery(); /* Blocks, threads take turns executing this */\n\n\thidpp-\u003ebattery.desc.properties =\n\t\tdevm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL);\n\n\thidpp-\u003ebattery.ps =\n\t\tdevm_power_supply_register(\u0026hidpp-\u003ehid_dev-\u003edev,\n\t\t\t\t\t   \u0026hidpp-\u003ebattery.desc, cfg);\n}\n\n4. Creating delayed input_device (potentially problematic):\n\n\tif (hidpp-\u003edelayed_input)\n\t\treturn;\n\n\thidpp-\u003edelayed_input = hidpp_allocate_input(hdev);\n\nThe really big problem here is 3. Hitting the race leads to the following\nsequence:\n\n\thidpp-\u003ebattery.desc.properties =\n\t\tdevm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL);\n\n\thidpp-\u003ebattery.ps =\n\t\tdevm_power_supply_register(\u0026hidpp-\u003ehid_dev-\u003edev,\n\t\t\t\t\t   \u0026hidpp-\u003ebattery.desc, cfg);\n\n\t...\n\n\thidpp-\u003ebattery.desc.properties =\n\t\tdevm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL);\n\n\thidpp-\u003ebattery.ps =\n\t\tdevm_power_supply_register(\u0026hidpp-\u003ehid_dev-\u003edev,\n\t\t\t\t\t   \u0026hidpp-\u003ebattery.desc, cfg);\n\nSo now we have registered 2 power supplies for the same battery,\nwhich looks a bit weird from userspace\u0027s pov but this is not even\nthe really big problem.\n\nNotice how:\n\n1. This is all devm-maganaged\n2. The hidpp-\u003ebattery.desc struct is shared between the 2 power supplies\n3. hidpp-\u003ebattery.desc.properties points to the result from the second\n   devm_kmemdup()\n\nThis causes a use after free scenario on USB disconnect of the receiver:\n1. The last registered power supply class device gets unregistered\n2. The memory from the last devm_kmemdup() call gets freed,\n   hidpp-\u003ebattery.desc.properties now points to freed memory\n3. The first registered power supply class device gets unregistered,\n   this involves sending a remove uevent to userspace which invokes\n   power_supply_uevent() to fill the uevent data\n4. power_supply_uevent() uses hidpp-\u003ebattery.desc.properties which\n   now points to freed memory leading to backtraces like this one:\n\nSep 22 20:01:35 eric kernel: BUG: unable to handle page fault for address: ffffb2140e017f08\n...\nSep 22 20:01:35 eric kernel: Workqueue: usb_hub_wq hub_event\nSep 22 20:01:35 eric kernel: RIP: 0010:power_supply_uevent+0xee/0x1d0\n...\nSep 22 20:01:35 eric kernel:  ? asm_exc_page_fault+0x26/0x30\nSep 22 20:01:35 eric kernel:  ? power_supply_uevent+0xee/0x1d0\nSep 22 20:01:35 eric kernel:  ? power_supply_uevent+0x10d/0x1d0\nSep 22 20:01:35 eric kernel:  dev_uevent+0x10f/0x2d0\nSep 22 20:01:35 eric kernel:  kobject_uevent_env+0x291/0x680\nSep 22 20:01:35 eric kernel:  \n---truncated---"
          }
        ]
      },
      "generator": {
        "engine": "bippy-c298863b1525"
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://git.kernel.org/stable/c/ca0c4cc1d215dc22ab0e738c9f017c650f3183f5",
            "refsource": "MISC",
            "url": "https://git.kernel.org/stable/c/ca0c4cc1d215dc22ab0e738c9f017c650f3183f5"
          },
          {
            "name": "https://git.kernel.org/stable/c/44481b244fcaa2b895a53081d6204c574720c38c",
            "refsource": "MISC",
            "url": "https://git.kernel.org/stable/c/44481b244fcaa2b895a53081d6204c574720c38c"
          },
          {
            "name": "https://git.kernel.org/stable/c/cd0e2bf7fb22fe9b989c59c42dca06367fd10e6b",
            "refsource": "MISC",
            "url": "https://git.kernel.org/stable/c/cd0e2bf7fb22fe9b989c59c42dca06367fd10e6b"
          },
          {
            "name": "https://git.kernel.org/stable/c/093af62c023537f097d2ebdfaa0bc7c1a6e874e1",
            "refsource": "MISC",
            "url": "https://git.kernel.org/stable/c/093af62c023537f097d2ebdfaa0bc7c1a6e874e1"
          },
          {
            "name": "https://git.kernel.org/stable/c/28ddc1e0b898291323b62d770b1b931de131a528",
            "refsource": "MISC",
            "url": "https://git.kernel.org/stable/c/28ddc1e0b898291323b62d770b1b931de131a528"
          },
          {
            "name": "https://git.kernel.org/stable/c/fd72ac9556a473fc7daf54efb6ca8a97180d621d",
            "refsource": "MISC",
            "url": "https://git.kernel.org/stable/c/fd72ac9556a473fc7daf54efb6ca8a97180d621d"
          },
          {
            "name": "https://git.kernel.org/stable/c/f7b2c7d9831af99369fe8ad9b2a68d78942f414e",
            "refsource": "MISC",
            "url": "https://git.kernel.org/stable/c/f7b2c7d9831af99369fe8ad9b2a68d78942f414e"
          },
          {
            "name": "https://git.kernel.org/stable/c/dac501397b9d81e4782232c39f94f4307b137452",
            "refsource": "MISC",
            "url": "https://git.kernel.org/stable/c/dac501397b9d81e4782232c39f94f4307b137452"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "cve": {
        "descriptions": [
          {
            "lang": "en",
            "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: logitech-hidpp: Fix kernel crash on receiver USB disconnect\n\nhidpp_connect_event() has *four* time-of-check vs time-of-use (TOCTOU)\nraces when it races with itself.\n\nhidpp_connect_event() primarily runs from a workqueue but it also runs\non probe() and if a \"device-connected\" packet is received by the hw\nwhen the thread running hidpp_connect_event() from probe() is waiting on\nthe hw, then a second thread running hidpp_connect_event() will be\nstarted from the workqueue.\n\nThis opens the following races (note the below code is simplified):\n\n1. Retrieving + printing the protocol (harmless race):\n\n\tif (!hidpp-\u003eprotocol_major) {\n\t\thidpp_root_get_protocol_version()\n\t\thidpp-\u003eprotocol_major = response.rap.params[0];\n\t}\n\nWe can actually see this race hit in the dmesg in the abrt output\nattached to rhbz#2227968:\n\n[ 3064.624215] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.\n[ 3064.658184] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.\n\nTesting with extra logging added has shown that after this the 2 threads\ntake turn grabbing the hw access mutex (send_mutex) so they ping-pong\nthrough all the other TOCTOU cases managing to hit all of them:\n\n2. Updating the name to the HIDPP name (harmless race):\n\n\tif (hidpp-\u003ename == hdev-\u003ename) {\n\t\t...\n\t\thidpp-\u003ename = new_name;\n\t}\n\n3. Initializing the power_supply class for the battery (problematic!):\n\nhidpp_initialize_battery()\n{\n        if (hidpp-\u003ebattery.ps)\n                return 0;\n\n\tprobe_battery(); /* Blocks, threads take turns executing this */\n\n\thidpp-\u003ebattery.desc.properties =\n\t\tdevm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL);\n\n\thidpp-\u003ebattery.ps =\n\t\tdevm_power_supply_register(\u0026hidpp-\u003ehid_dev-\u003edev,\n\t\t\t\t\t   \u0026hidpp-\u003ebattery.desc, cfg);\n}\n\n4. Creating delayed input_device (potentially problematic):\n\n\tif (hidpp-\u003edelayed_input)\n\t\treturn;\n\n\thidpp-\u003edelayed_input = hidpp_allocate_input(hdev);\n\nThe really big problem here is 3. Hitting the race leads to the following\nsequence:\n\n\thidpp-\u003ebattery.desc.properties =\n\t\tdevm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL);\n\n\thidpp-\u003ebattery.ps =\n\t\tdevm_power_supply_register(\u0026hidpp-\u003ehid_dev-\u003edev,\n\t\t\t\t\t   \u0026hidpp-\u003ebattery.desc, cfg);\n\n\t...\n\n\thidpp-\u003ebattery.desc.properties =\n\t\tdevm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL);\n\n\thidpp-\u003ebattery.ps =\n\t\tdevm_power_supply_register(\u0026hidpp-\u003ehid_dev-\u003edev,\n\t\t\t\t\t   \u0026hidpp-\u003ebattery.desc, cfg);\n\nSo now we have registered 2 power supplies for the same battery,\nwhich looks a bit weird from userspace\u0027s pov but this is not even\nthe really big problem.\n\nNotice how:\n\n1. This is all devm-maganaged\n2. The hidpp-\u003ebattery.desc struct is shared between the 2 power supplies\n3. hidpp-\u003ebattery.desc.properties points to the result from the second\n   devm_kmemdup()\n\nThis causes a use after free scenario on USB disconnect of the receiver:\n1. The last registered power supply class device gets unregistered\n2. The memory from the last devm_kmemdup() call gets freed,\n   hidpp-\u003ebattery.desc.properties now points to freed memory\n3. The first registered power supply class device gets unregistered,\n   this involves sending a remove uevent to userspace which invokes\n   power_supply_uevent() to fill the uevent data\n4. power_supply_uevent() uses hidpp-\u003ebattery.desc.properties which\n   now points to freed memory leading to backtraces like this one:\n\nSep 22 20:01:35 eric kernel: BUG: unable to handle page fault for address: ffffb2140e017f08\n...\nSep 22 20:01:35 eric kernel: Workqueue: usb_hub_wq hub_event\nSep 22 20:01:35 eric kernel: RIP: 0010:power_supply_uevent+0xee/0x1d0\n...\nSep 22 20:01:35 eric kernel:  ? asm_exc_page_fault+0x26/0x30\nSep 22 20:01:35 eric kernel:  ? power_supply_uevent+0xee/0x1d0\nSep 22 20:01:35 eric kernel:  ? power_supply_uevent+0x10d/0x1d0\nSep 22 20:01:35 eric kernel:  dev_uevent+0x10f/0x2d0\nSep 22 20:01:35 eric kernel:  kobject_uevent_env+0x291/0x680\nSep 22 20:01:35 eric kernel:  \n---truncated---"
          }
        ],
        "id": "CVE-2023-52478",
        "lastModified": "2024-02-29T13:49:29.390",
        "metrics": {},
        "published": "2024-02-29T06:15:45.920",
        "references": [
          {
            "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
            "url": "https://git.kernel.org/stable/c/093af62c023537f097d2ebdfaa0bc7c1a6e874e1"
          },
          {
            "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
            "url": "https://git.kernel.org/stable/c/28ddc1e0b898291323b62d770b1b931de131a528"
          },
          {
            "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
            "url": "https://git.kernel.org/stable/c/44481b244fcaa2b895a53081d6204c574720c38c"
          },
          {
            "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
            "url": "https://git.kernel.org/stable/c/ca0c4cc1d215dc22ab0e738c9f017c650f3183f5"
          },
          {
            "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
            "url": "https://git.kernel.org/stable/c/cd0e2bf7fb22fe9b989c59c42dca06367fd10e6b"
          },
          {
            "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
            "url": "https://git.kernel.org/stable/c/dac501397b9d81e4782232c39f94f4307b137452"
          },
          {
            "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
            "url": "https://git.kernel.org/stable/c/f7b2c7d9831af99369fe8ad9b2a68d78942f414e"
          },
          {
            "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
            "url": "https://git.kernel.org/stable/c/fd72ac9556a473fc7daf54efb6ca8a97180d621d"
          }
        ],
        "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "vulnStatus": "Awaiting Analysis"
      }
    }
  }
}

Action not permitted

CVE-2023-52478

Vulnerability from cvelistv5

wid-sec-w-2024-0511

Vulnerability from csaf_certbund

ghsa-f7hm-xqp4-h2q8

Vulnerability from github

gsd-2023-52478

Vulnerability from gsd

Tags