{
  "threat_severity" : "Low",
  "public_date" : "2024-02-29T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: HID: logitech-hidpp: Fix kernel crash on receiver USB disconnect",
    "id" : "2267036",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2267036"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.0",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-362",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nHID: logitech-hidpp: Fix kernel crash on receiver USB disconnect\nhidpp_connect_event() has *four* time-of-check vs time-of-use (TOCTOU)\nraces when it races with itself.\nhidpp_connect_event() primarily runs from a workqueue but it also runs\non probe() and if a \"device-connected\" packet is received by the hw\nwhen the thread running hidpp_connect_event() from probe() is waiting on\nthe hw, then a second thread running hidpp_connect_event() will be\nstarted from the workqueue.\nThis opens the following races (note the below code is simplified):\n1. Retrieving + printing the protocol (harmless race):\nif (!hidpp->protocol_major) {\nhidpp_root_get_protocol_version()\nhidpp->protocol_major = response.rap.params[0];\n}\nWe can actually see this race hit in the dmesg in the abrt output\nattached to rhbz#2227968:\n[ 3064.624215] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.\n[ 3064.658184] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.\nTesting with extra logging added has shown that after this the 2 threads\ntake turns grabbing the hw access mutex (send_mutex) so they ping-pong\nthrough all the other TOCTOU cases managing to hit all of them:\n2. Updating the name to the HIDPP name (harmless race):\nif (hidpp->name == hdev->name) {\n...\nhidpp->name = new_name;\n}\n3. Initializing the power_supply class for the battery (problematic!):\nhidpp_initialize_battery()\n{\nif (hidpp->battery.ps)\nreturn 0;\nprobe_battery(); /* Blocks, threads take turns executing this */\nhidpp->battery.desc.properties =\ndevm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL);\nhidpp->battery.ps =\ndevm_power_supply_register(&hidpp->hid_dev->dev,\n&hidpp->battery.desc, cfg);\n}\n4. Creating delayed input_device (potentially problematic):\nif (hidpp->delayed_input)\nreturn;\nhidpp->delayed_input = hidpp_allocate_input(hdev);\nThe really big problem here is 3. Hitting the race leads to the following\nsequence:\nhidpp->battery.desc.properties =\ndevm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL);\nhidpp->battery.ps =\ndevm_power_supply_register(&hidpp->hid_dev->dev,\n&hidpp->battery.desc, cfg);\n...\nhidpp->battery.desc.properties =\ndevm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL);\nhidpp->battery.ps =\ndevm_power_supply_register(&hidpp->hid_dev->dev,\n&hidpp->battery.desc, cfg);\nSo now we have registered 2 power supplies for the same battery,\nwhich looks a bit weird from userspace's pov but this is not even\nthe really big problem.\nNotice how:\n1. This is all devm-managed\n2. The hidpp->battery.desc struct is shared between the 2 power supplies\n3. hidpp->battery.desc.properties points to the result from the second\ndevm_kmemdup()\nThis causes a use after free scenario on USB disconnect of the receiver:\n1. The last registered power supply class device gets unregistered\n2. The memory from the last devm_kmemdup() call gets freed,\nhidpp->battery.desc.properties now points to freed memory\n3. The first registered power supply class device gets unregistered,\nthis involves sending a remove uevent to userspace which invokes\npower_supply_uevent() to fill the uevent data\n4. power_supply_uevent() uses hidpp->battery.desc.properties which\nnow points to freed memory leading to backtraces like this one:\nSep 22 20:01:35 eric kernel: BUG: unable to handle page fault for address: ffffb2140e017f08\n...\nSep 22 20:01:35 eric kernel: Workqueue: usb_hub_wq hub_event\nSep 22 20:01:35 eric kernel: RIP: 0010:power_supply_uevent+0xee/0x1d0\n...\nSep 22 20:01:35 eric kernel:  ? asm_exc_page_fault+0x26/0x30\nSep 22 20:01:35 eric kernel:  ? power_supply_uevent+0xee/0x1d0\nSep 22 20:01:35 eric kernel:  ? power_supply_uevent+0x10d/0x1d0\nSep 22 20:01:35 eric kernel:  dev_uevent+0x10f/0x2d0\nSep 22 20:01:35 eric kernel:  kobject_uevent_env+0x291/0x680\nSep 22 20:01:35 eric kernel:  \n---truncated---", "A flaw was found in the Linux kernel. This issue can cause a potential crash on the receiver USB disconnect." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2024-09-24T00:00:00Z",
    "advisory" : "RHSA-2024:7001",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8::nfv",
    "package" : "kernel-rt-0:4.18.0-553.22.1.rt7.363.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2024-09-24T00:00:00Z",
    "advisory" : "RHSA-2024:7000",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-553.22.1.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-04-30T00:00:00Z",
    "advisory" : "RHSA-2024:2394",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-427.13.1.el9_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-04-30T00:00:00Z",
    "advisory" : "RHSA-2024:2394",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-427.13.1.el9_4"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-52478\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-52478\nhttps://lore.kernel.org/linux-cve-announce/2024022921-CVE-2023-52478-c0a1@gregkh/T/#u" ],
  "name" : "CVE-2023-52478",
  "csaw" : false
}