CVE-2023-52866

Source
https://nvd.nist.gov/vuln/detail/CVE-2023-52866
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-52866.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-52866
Downstream
Related
Published
2024-05-21T15:31:57Z
Modified
2025-10-15T04:54:09.798319Z
Summary
HID: uclogic: Fix user-memory-access bug in uclogic_params_ugee_v2_init_event_hooks()
Details

In the Linux kernel, the following vulnerability has been resolved:

HID: uclogic: Fix user-memory-access bug in uclogic_params_ugee_v2_init_event_hooks()

When CONFIG_HID_UCLOGIC=y and CONFIG_KUNIT_ALL_TESTS=y, launch the kernel and then the below user-memory-access bug occurs.

In hid_test_uclogic_params_cleanup_event_hooks(), it calls uclogic_params_ugee_v2_init_event_hooks() with the first arg=NULL, so when it calls uclogic_params_ugee_v2_has_battery(), hid_get_drvdata() will access hdev->dev with hdev=NULL, which will cause the below user-memory-access.

So add a fake_device with a quirks member and call hid_set_drvdata() to assign hdev->dev->driver_data, which avoids the null-ptr-deref bug for drvdata->quirks in uclogic_params_ugee_v2_has_battery(). After applying this patch, the below user-memory-access bug never occurs.

general protection fault, probably for non-canonical address 0xdffffc0000000329: 0000 [#1] PREEMPT SMP KASAN
KASAN: probably user-memory-access in range [0x0000000000001948-0x000000000000194f]
CPU: 5 PID: 2189 Comm: kunit_try_catch Tainted: G B W N 6.6.0-rc2+ #30
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:uclogic_params_ugee_v2_init_event_hooks+0x87/0x600
Code: f3 f3 65 48 8b 14 25 28 00 00 00 48 89 54 24 60 31 d2 48 89 fa c7 44 24 30 00 00 00 00 48 c7 44 24 28 02 f8 02 01 48 c1 ea 03 <80> 3c 02 00 0f 85 2c 04 00 00 48 8b 9d 48 19 00 00 48 b8 00 00 00
RSP: 0000:ffff88810679fc88 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 0000000000000004 RCX: 0000000000000000
RDX: 0000000000000329 RSI: ffff88810679fd88 RDI: 0000000000001948
RBP: 0000000000000000 R08: 0000000000000000 R09: ffffed1020f639f0
R10: ffff888107b1cf87 R11: 0000000000000400 R12: 1ffff11020cf3f92
R13: ffff88810679fd88 R14: ffff888100b97b08 R15: ffff8881030bb080
FS:  0000000000000000(0000) GS:ffff888119e80000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 0000000005286001 CR4: 0000000000770ee0
DR0: ffffffff8fdd6cf4 DR1: ffffffff8fdd6cf5 DR2: ffffffff8fdd6cf6
DR3: ffffffff8fdd6cf7 DR6: 00000000fffe0ff0 DR7: 0000000000000600
PKRU: 55555554
Call Trace:
 <TASK>
 ? die_addr+0x3d/0xa0
 ? exc_general_protection+0x144/0x220
 ? asm_exc_general_protection+0x22/0x30
 ? uclogic_params_ugee_v2_init_event_hooks+0x87/0x600
 ? sched_clock_cpu+0x69/0x550
 ? uclogic_parse_ugee_v2_desc_gen_params+0x70/0x70
 ? load_balance+0x2950/0x2950
 ? rcu_trc_cmpxchg_need_qs+0x67/0xa0
 hid_test_uclogic_params_cleanup_event_hooks+0x9e/0x1a0
 ? uclogic_params_ugee_v2_init_event_hooks+0x600/0x600
 ? __switch_to+0x5cf/0xe60
 ? migrate_enable+0x260/0x260
 ? __kthread_parkme+0x83/0x150
 ? kunit_try_run_case_cleanup+0xe0/0xe0
 kunit_generic_run_threadfn_adapter+0x4a/0x90
 ? kunit_try_catch_throw+0x80/0x80
 kthread+0x2b5/0x380
 ? kthread_complete_and_exit+0x20/0x20
 ret_from_fork+0x2d/0x70
 ? kthread_complete_and_exit+0x20/0x20
 ret_from_fork_asm+0x11/0x20
 </TASK>
Modules linked in:
Dumping ftrace buffer:
   (ftrace buffer empty)
---[ end trace 0000000000000000 ]---
RIP: 0010:uclogic_params_ugee_v2_init_event_hooks+0x87/0x600
Code: f3 f3 65 48 8b 14 25 28 00 00 00 48 89 54 24 60 31 d2 48 89 fa c7 44 24 30 00 00 00 00 48 c7 44 24 28 02 f8 02 01 48 c1 ea 03 <80> 3c 02 00 0f 85 2c 04 00 00 48 8b 9d 48 19 00 00 48 b8 00 00 00
RSP: 0000:ffff88810679fc88 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 0000000000000004 RCX: 0000000000000000
RDX: 0000000000000329 RSI: ffff88810679fd88 RDI: 0000000000001948
RBP: 0000000000000000 R08: 0000000000000000 R09: ffffed1020f639f0
R10: ffff888107b1cf87 R11: 0000000000000400 R12: 1ffff11020cf3f92
R13: ffff88810679fd88 R14: ffff888100b97b08 R15: ffff8881030bb080
FS:  0000000000000000(0000) GS:ffff888119e80000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 0000000005286001 CR4: 0000000000770ee0
DR0: ffffffff8fdd6cf4 DR1: ---truncated---

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
a251d6576d2a29fc0806ef4775719e3b6e672d91
Fixed
64da1f6147dac7f8499d4937a0d7ea990bf569e8
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
a251d6576d2a29fc0806ef4775719e3b6e672d91
Fixed
6c8f953728d75104d994893f58801c457274335a
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
a251d6576d2a29fc0806ef4775719e3b6e672d91
Fixed
91cfe0bbaa1c434d4271eb6e1d7aaa1fe8d121f6

Affected versions

v6.*

v6.2
v6.2-rc1
v6.2-rc2
v6.2-rc3
v6.2-rc4
v6.2-rc5
v6.2-rc6
v6.2-rc7
v6.2-rc8
v6.3
v6.3-rc1
v6.3-rc2
v6.3-rc3
v6.3-rc4
v6.3-rc5
v6.3-rc6
v6.3-rc7
v6.4
v6.4-rc1
v6.4-rc2
v6.4-rc3
v6.4-rc4
v6.4-rc5
v6.4-rc6
v6.4-rc7
v6.5
v6.5-rc1
v6.5-rc2
v6.5-rc3
v6.5-rc4
v6.5-rc5
v6.5-rc6
v6.5-rc7
v6.5.1
v6.5.10
v6.5.11
v6.5.2
v6.5.3
v6.5.4
v6.5.5
v6.5.6
v6.5.7
v6.5.8
v6.5.9
v6.6
v6.6-rc1
v6.6-rc2
v6.6-rc3
v6.6-rc4
v6.6-rc5
v6.6-rc6
v6.6-rc7
v6.6.1

Database specific

{
    "vanir_signatures": [
        {
            "id": "CVE-2023-52866-2f2999b9",
            "signature_type": "Function",
            "target": {
                "file": "drivers/hid/hid-uclogic-params-test.c",
                "function": "hid_test_uclogic_params_cleanup_event_hooks"
            },
            "deprecated": false,
            "digest": {
                "length": 256.0,
                "function_hash": "98655819266630667514097493842815865327"
            },
            "signature_version": "v1",
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@64da1f6147dac7f8499d4937a0d7ea990bf569e8"
        },
        {
            "id": "CVE-2023-52866-39bb9068",
            "signature_type": "Line",
            "target": {
                "file": "drivers/hid/hid-uclogic-params-test.c"
            },
            "deprecated": false,
            "digest": {
                "line_hashes": [
                    "278166146951277741992644159327682077874",
                    "138157147121090029818286577929164134466",
                    "326208969962756257268766541073562917508",
                    "213733217767210112705282364953724831390",
                    "118572630862526321542127791537977089614",
                    "210057685842165474624562187576338759217",
                    "280952668646771165116548675049076093048",
                    "169349716604729252543207162095947963025"
                ],
                "threshold": 0.9
            },
            "signature_version": "v1",
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@64da1f6147dac7f8499d4937a0d7ea990bf569e8"
        },
        {
            "id": "CVE-2023-52866-55cbb876",
            "signature_type": "Function",
            "target": {
                "file": "drivers/hid/hid-uclogic-params-test.c",
                "function": "hid_test_uclogic_params_cleanup_event_hooks"
            },
            "deprecated": false,
            "digest": {
                "length": 256.0,
                "function_hash": "98655819266630667514097493842815865327"
            },
            "signature_version": "v1",
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@6c8f953728d75104d994893f58801c457274335a"
        },
        {
            "id": "CVE-2023-52866-de0a44cb",
            "signature_type": "Line",
            "target": {
                "file": "drivers/hid/hid-uclogic-params-test.c"
            },
            "deprecated": false,
            "digest": {
                "line_hashes": [
                    "278166146951277741992644159327682077874",
                    "138157147121090029818286577929164134466",
                    "326208969962756257268766541073562917508",
                    "213733217767210112705282364953724831390",
                    "118572630862526321542127791537977089614",
                    "210057685842165474624562187576338759217",
                    "280952668646771165116548675049076093048",
                    "169349716604729252543207162095947963025"
                ],
                "threshold": 0.9
            },
            "signature_version": "v1",
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@6c8f953728d75104d994893f58801c457274335a"
        },
        {
            "id": "CVE-2023-52866-e04fe432",
            "signature_type": "Function",
            "target": {
                "file": "drivers/hid/hid-uclogic-params-test.c",
                "function": "hid_test_uclogic_params_cleanup_event_hooks"
            },
            "deprecated": false,
            "digest": {
                "length": 256.0,
                "function_hash": "98655819266630667514097493842815865327"
            },
            "signature_version": "v1",
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@91cfe0bbaa1c434d4271eb6e1d7aaa1fe8d121f6"
        },
        {
            "id": "CVE-2023-52866-fa65c5fb",
            "signature_type": "Line",
            "target": {
                "file": "drivers/hid/hid-uclogic-params-test.c"
            },
            "deprecated": false,
            "digest": {
                "line_hashes": [
                    "278166146951277741992644159327682077874",
                    "138157147121090029818286577929164134466",
                    "326208969962756257268766541073562917508",
                    "213733217767210112705282364953724831390",
                    "118572630862526321542127791537977089614",
                    "210057685842165474624562187576338759217",
                    "280952668646771165116548675049076093048",
                    "169349716604729252543207162095947963025"
                ],
                "threshold": 0.9
            },
            "signature_version": "v1",
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@91cfe0bbaa1c434d4271eb6e1d7aaa1fe8d121f6"
        }
    ]
}

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.3.0
Fixed
6.5.12
Type
ECOSYSTEM
Events
Introduced
6.6.0
Fixed
6.6.2