一、漏洞信息

漏洞编号：[CVE-2023-52478](https://nvd.nist.gov/vuln/detail/CVE-2023-52478)

漏洞归属组件：[kernel](https://gitee.com/src-openeuler/kernel)

漏洞归属的版本：4.19.140,4.19.194,4.19.90,5.10.0,6.1.0,6.1.14,6.1.19,6.1.5,6.1.6,6.1.8,6.4.0

CVSS V2.0分值：

BaseScore：0.0 Low

Vector：CVSS：2.0/

漏洞简述：

In the Linux kernel, the following vulnerability has been resolved:HID: logitech-hidpp: Fix kernel crash on receiver USB disconnecthidpp_connect_event() has *four* time-of-check vs time-of-use (TOCTOU)races when it races with itself.hidpp_connect_event() primarily runs from a workqueue but it also runson probe() and if a device-connected packet is received by the hwwhen the thread running hidpp_connect_event() from probe() is waiting onthe hw, then a second thread running hidpp_connect_event() will bestarted from the workqueue.This opens the following races (note the below code is simplified):1. Retrieving + printing the protocol (harmless race): if (!hidpp->protocol_major) { hidpp_root_get_protocol_version() hidpp->protocol_major = response.rap.params[0]; }We can actually see this race hit in the dmesg in the abrt outputattached to rhbz#2227968:[ 3064.624215] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.[ 3064.658184] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.Testing with extra logging added has shown that after this the 2 threadstake turn grabbing the hw access mutex (send_mutex) so they ping-pongthrough all the other TOCTOU cases managing to hit all of them:2. Updating the name to the HIDPP name (harmless race): if (hidpp->name == hdev->name) { ... hidpp->name = new_name; }3. Initializing the power_supply class for the battery (problematic!):hidpp_initialize_battery(){ if (hidpp->battery.ps) return 0; probe_battery(); /* Blocks, threads take turns executing this */ hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg);}4. Creating delayed input_device (potentially problematic): if (hidpp->delayed_input) return; hidpp->delayed_input = hidpp_allocate_input(hdev);The really big problem here is 3. Hitting the race leads to the followingsequence: hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg); ... hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg);So now we have registered 2 power supplies for the same battery,which looks a bit weird from userspace s pov but this is not eventhe really big problem.Notice how:1. This is all devm-maganaged2. The hidpp->battery.desc struct is shared between the 2 power supplies3. hidpp->battery.desc.properties points to the result from the second devm_kmemdup()This causes a use after free scenario on USB disconnect of the receiver:1. The last registered power supply class device gets unregistered2. The memory from the last devm_kmemdup() call gets freed, hidpp->battery.desc.properties now points to freed memory3. The first registered power supply class device gets unregistered, this involves sending a remove uevent to userspace which invokes power_supply_uevent() to fill the uevent data4. power_supply_uevent() uses hidpp->battery.desc.properties which now points to freed memory leading to backtraces like this one:Sep 22 20:01:35 eric kernel: BUG: unable to handle page fault for address: ffffb2140e017f08...Sep 22 20:01:35 eric kernel: Workqueue: usb_hub_wq hub_eventSep 22 20:01:35 eric kernel: RIP: 0010:power_supply_uevent+0xee/0x1d0...Sep 22 20:01:35 eric kernel: ? asm_exc_page_fault+0x26/0x30Sep 22 20:01:35 eric kernel: ? power_supply_uevent+0xee/0x1d0Sep 22 20:01:35 eric kernel: ? power_supply_uevent+0x10d/0x1d0Sep 22 20:01:35 eric kernel: dev_uevent+0x10f/0x2d0Sep 22 20:01:35 eric kernel: kobject_uevent_env+0x291/0x680Sep 22 20:01:35 eric kernel: ---truncated---

漏洞公开时间：

漏洞创建时间：2024-02-29 14:40:12

漏洞详情参考链接：

https://nvd.nist.gov/vuln/detail/CVE-2023-52478

<details>

<summary>更多参考(点击展开)</summary>

无

</details>

漏洞分析指导链接：

https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md

漏洞数据来源:

openBrain开源漏洞感知系统

漏洞补丁信息：

<details>

<summary>详情(点击展开)</summary>

无

</details>

二、漏洞分析结构反馈

影响性分析说明：

openEuler评分：

受影响版本排查(受影响/不受影响)：

1.master(6.1.0):

2.openEuler-20.03-LTS-SP1(4.19.90):

3.openEuler-20.03-LTS-SP4(4.19.90):

4.openEuler-22.03-LTS(5.10.0):

5.openEuler-22.03-LTS-Next(5.10.0):

6.openEuler-22.03-LTS-SP1(5.10.0):

7.openEuler-22.03-LTS-SP2(5.10.0):

8.openEuler-22.03-LTS-SP3(5.10.0):

修复是否涉及abi变化(是/否)：

1.master(6.1.0):

2.openEuler-20.03-LTS-SP1(4.19.90):

3.openEuler-20.03-LTS-SP4(4.19.90):

4.openEuler-22.03-LTS(5.10.0):

5.openEuler-22.03-LTS-Next(5.10.0):

6.openEuler-22.03-LTS-SP1(5.10.0):

7.openEuler-22.03-LTS-SP2(5.10.0):

8.openEuler-22.03-LTS-SP3(5.10.0):

一、漏洞信息

漏洞编号：[CVE-2023-52478](https://nvd.nist.gov/vuln/detail/CVE-2023-52478)

漏洞归属组件：[kernel](https://gitee.com/src-openeuler/kernel)

漏洞归属的版本：4.19.140,4.19.194,4.19.90,5.10.0,6.1.0,6.1.14,6.1.19,6.1.5,6.1.6,6.1.8,6.4.0

CVSS V2.0分值：

BaseScore：0.0 Low

Vector：CVSS：2.0/

漏洞简述：

In the Linux kernel, the following vulnerability has been resolved:HID: logitech-hidpp: Fix kernel crash on receiver USB disconnecthidpp_connect_event() has *four* time-of-check vs time-of-use (TOCTOU)races when it races with itself.hidpp_connect_event() primarily runs from a workqueue but it also runson probe() and if a device-connected packet is received by the hwwhen the thread running hidpp_connect_event() from probe() is waiting onthe hw, then a second thread running hidpp_connect_event() will bestarted from the workqueue.This opens the following races (note the below code is simplified):1. Retrieving + printing the protocol (harmless race): if (!hidpp->protocol_major) { hidpp_root_get_protocol_version() hidpp->protocol_major = response.rap.params[0]; }We can actually see this race hit in the dmesg in the abrt outputattached to rhbz#2227968:[ 3064.624215] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.[ 3064.658184] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.Testing with extra logging added has shown that after this the 2 threadstake turn grabbing the hw access mutex (send_mutex) so they ping-pongthrough all the other TOCTOU cases managing to hit all of them:2. Updating the name to the HIDPP name (harmless race): if (hidpp->name == hdev->name) { ... hidpp->name = new_name; }3. Initializing the power_supply class for the battery (problematic!):hidpp_initialize_battery(){ if (hidpp->battery.ps) return 0; probe_battery(); /* Blocks, threads take turns executing this */ hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg);}4. Creating delayed input_device (potentially problematic): if (hidpp->delayed_input) return; hidpp->delayed_input = hidpp_allocate_input(hdev);The really big problem here is 3. Hitting the race leads to the followingsequence: hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg); ... hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg);So now we have registered 2 power supplies for the same battery,which looks a bit weird from userspace s pov but this is not eventhe really big problem.Notice how:1. This is all devm-maganaged2. The hidpp->battery.desc struct is shared between the 2 power supplies3. hidpp->battery.desc.properties points to the result from the second devm_kmemdup()This causes a use after free scenario on USB disconnect of the receiver:1. The last registered power supply class device gets unregistered2. The memory from the last devm_kmemdup() call gets freed, hidpp->battery.desc.properties now points to freed memory3. The first registered power supply class device gets unregistered, this involves sending a remove uevent to userspace which invokes power_supply_uevent() to fill the uevent data4. power_supply_uevent() uses hidpp->battery.desc.properties which now points to freed memory leading to backtraces like this one:Sep 22 20:01:35 eric kernel: BUG: unable to handle page fault for address: ffffb2140e017f08...Sep 22 20:01:35 eric kernel: Workqueue: usb_hub_wq hub_eventSep 22 20:01:35 eric kernel: RIP: 0010:power_supply_uevent+0xee/0x1d0...Sep 22 20:01:35 eric kernel: ? asm_exc_page_fault+0x26/0x30Sep 22 20:01:35 eric kernel: ? power_supply_uevent+0xee/0x1d0Sep 22 20:01:35 eric kernel: ? power_supply_uevent+0x10d/0x1d0Sep 22 20:01:35 eric kernel: dev_uevent+0x10f/0x2d0Sep 22 20:01:35 eric kernel: kobject_uevent_env+0x291/0x680Sep 22 20:01:35 eric kernel: ---truncated---

漏洞公开时间：

漏洞创建时间：2024-02-29 14:40:12

漏洞详情参考链接：

https://nvd.nist.gov/vuln/detail/CVE-2023-52478

<details>

<summary>更多参考(点击展开)</summary>

无

</details>

漏洞分析指导链接：

https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md

漏洞数据来源:

openBrain开源漏洞感知系统

漏洞补丁信息：

<details>

<summary>详情(点击展开)</summary>

无

</details>

二、漏洞分析结构反馈

影响性分析说明：

openEuler评分：

受影响版本排查(受影响/不受影响)：

1.master(6.1.0):

2.openEuler-20.03-LTS-SP1(4.19.90):

3.openEuler-20.03-LTS-SP4(4.19.90):

4.openEuler-22.03-LTS(5.10.0):

5.openEuler-22.03-LTS-Next(5.10.0):

6.openEuler-22.03-LTS-SP1(5.10.0):

7.openEuler-22.03-LTS-SP2(5.10.0):

8.openEuler-22.03-LTS-SP3(5.10.0):

修复是否涉及abi变化(是/否)：

1.master(6.1.0):

2.openEuler-20.03-LTS-SP1(4.19.90):

3.openEuler-20.03-LTS-SP4(4.19.90):

4.openEuler-22.03-LTS(5.10.0):

5.openEuler-22.03-LTS-Next(5.10.0):

6.openEuler-22.03-LTS-SP1(5.10.0):

7.openEuler-22.03-LTS-SP2(5.10.0):

8.openEuler-22.03-LTS-SP3(5.10.0):

一、漏洞信息

漏洞编号：[CVE-2023-52478](https://nvd.nist.gov/vuln/detail/CVE-2023-52478)

漏洞归属组件：[kernel](https://gitee.com/src-openeuler/kernel)

漏洞归属的版本：4.19.140,4.19.194,4.19.90,5.10.0,6.1.0,6.1.14,6.1.19,6.1.5,6.1.6,6.1.8,6.4.0

CVSS V2.0分值：

BaseScore：0.0 Low

Vector：CVSS：2.0/

漏洞简述：

In the Linux kernel, the following vulnerability has been resolved:HID: logitech-hidpp: Fix kernel crash on receiver USB disconnecthidpp_connect_event() has *four* time-of-check vs time-of-use (TOCTOU)races when it races with itself.hidpp_connect_event() primarily runs from a workqueue but it also runson probe() and if a device-connected packet is received by the hwwhen the thread running hidpp_connect_event() from probe() is waiting onthe hw, then a second thread running hidpp_connect_event() will bestarted from the workqueue.This opens the following races (note the below code is simplified):1. Retrieving + printing the protocol (harmless race): if (!hidpp->protocol_major) { hidpp_root_get_protocol_version() hidpp->protocol_major = response.rap.params[0]; }We can actually see this race hit in the dmesg in the abrt outputattached to rhbz#2227968:[ 3064.624215] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.[ 3064.658184] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.Testing with extra logging added has shown that after this the 2 threadstake turn grabbing the hw access mutex (send_mutex) so they ping-pongthrough all the other TOCTOU cases managing to hit all of them:2. Updating the name to the HIDPP name (harmless race): if (hidpp->name == hdev->name) { ... hidpp->name = new_name; }3. Initializing the power_supply class for the battery (problematic!):hidpp_initialize_battery(){ if (hidpp->battery.ps) return 0; probe_battery(); /* Blocks, threads take turns executing this */ hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg);}4. Creating delayed input_device (potentially problematic): if (hidpp->delayed_input) return; hidpp->delayed_input = hidpp_allocate_input(hdev);The really big problem here is 3. Hitting the race leads to the followingsequence: hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg); ... hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg);So now we have registered 2 power supplies for the same battery,which looks a bit weird from userspace s pov but this is not eventhe really big problem.Notice how:1. This is all devm-maganaged2. The hidpp->battery.desc struct is shared between the 2 power supplies3. hidpp->battery.desc.properties points to the result from the second devm_kmemdup()This causes a use after free scenario on USB disconnect of the receiver:1. The last registered power supply class device gets unregistered2. The memory from the last devm_kmemdup() call gets freed, hidpp->battery.desc.properties now points to freed memory3. The first registered power supply class device gets unregistered, this involves sending a remove uevent to userspace which invokes power_supply_uevent() to fill the uevent data4. power_supply_uevent() uses hidpp->battery.desc.properties which now points to freed memory leading to backtraces like this one:Sep 22 20:01:35 eric kernel: BUG: unable to handle page fault for address: ffffb2140e017f08...Sep 22 20:01:35 eric kernel: Workqueue: usb_hub_wq hub_eventSep 22 20:01:35 eric kernel: RIP: 0010:power_supply_uevent+0xee/0x1d0...Sep 22 20:01:35 eric kernel: ? asm_exc_page_fault+0x26/0x30Sep 22 20:01:35 eric kernel: ? power_supply_uevent+0xee/0x1d0Sep 22 20:01:35 eric kernel: ? power_supply_uevent+0x10d/0x1d0Sep 22 20:01:35 eric kernel: dev_uevent+0x10f/0x2d0Sep 22 20:01:35 eric kernel: kobject_uevent_env+0x291/0x680Sep 22 20:01:35 eric kernel: ---truncated---

漏洞公开时间：

漏洞创建时间：2024-02-29 14:40:12

漏洞详情参考链接：

https://nvd.nist.gov/vuln/detail/CVE-2023-52478

<details>

<summary>更多参考(点击展开)</summary>

无

</details>

漏洞分析指导链接：

https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md

漏洞数据来源:

openBrain开源漏洞感知系统

漏洞补丁信息：

<details>

<summary>详情(点击展开)</summary>

无

</details>

二、漏洞分析结构反馈

影响性分析说明：

openEuler评分：

受影响版本排查(受影响/不受影响)：

1.master(6.1.0):

2.openEuler-20.03-LTS-SP1(4.19.90):

3.openEuler-20.03-LTS-SP4(4.19.90):

4.openEuler-22.03-LTS(5.10.0):

5.openEuler-22.03-LTS-Next(5.10.0):

6.openEuler-22.03-LTS-SP1(5.10.0):

7.openEuler-22.03-LTS-SP2(5.10.0):

8.openEuler-22.03-LTS-SP3(5.10.0):

修复是否涉及abi变化(是/否)：

1.master(6.1.0):

2.openEuler-20.03-LTS-SP1(4.19.90):

3.openEuler-20.03-LTS-SP4(4.19.90):

4.openEuler-22.03-LTS(5.10.0):

5.openEuler-22.03-LTS-Next(5.10.0):

6.openEuler-22.03-LTS-SP1(5.10.0):

7.openEuler-22.03-LTS-SP2(5.10.0):

8.openEuler-22.03-LTS-SP3(5.10.0):

一、漏洞信息

漏洞编号：[CVE-2023-52478](https://nvd.nist.gov/vuln/detail/CVE-2023-52478)

漏洞归属组件：[kernel](https://gitee.com/src-openeuler/kernel)

漏洞归属的版本：4.19.140,4.19.194,4.19.90,5.10.0,6.1.0,6.1.14,6.1.19,6.1.5,6.1.6,6.1.8,6.4.0

CVSS V2.0分值：

BaseScore：0.0 Low

Vector：CVSS：2.0/

漏洞简述：

In the Linux kernel, the following vulnerability has been resolved:HID: logitech-hidpp: Fix kernel crash on receiver USB disconnecthidpp_connect_event() has *four* time-of-check vs time-of-use (TOCTOU)races when it races with itself.hidpp_connect_event() primarily runs from a workqueue but it also runson probe() and if a device-connected packet is received by the hwwhen the thread running hidpp_connect_event() from probe() is waiting onthe hw, then a second thread running hidpp_connect_event() will bestarted from the workqueue.This opens the following races (note the below code is simplified):1. Retrieving + printing the protocol (harmless race): if (!hidpp->protocol_major) { hidpp_root_get_protocol_version() hidpp->protocol_major = response.rap.params[0]; }We can actually see this race hit in the dmesg in the abrt outputattached to rhbz#2227968:[ 3064.624215] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.[ 3064.658184] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.Testing with extra logging added has shown that after this the 2 threadstake turn grabbing the hw access mutex (send_mutex) so they ping-pongthrough all the other TOCTOU cases managing to hit all of them:2. Updating the name to the HIDPP name (harmless race): if (hidpp->name == hdev->name) { ... hidpp->name = new_name; }3. Initializing the power_supply class for the battery (problematic!):hidpp_initialize_battery(){ if (hidpp->battery.ps) return 0; probe_battery(); /* Blocks, threads take turns executing this */ hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg);}4. Creating delayed input_device (potentially problematic): if (hidpp->delayed_input) return; hidpp->delayed_input = hidpp_allocate_input(hdev);The really big problem here is 3. Hitting the race leads to the followingsequence: hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg); ... hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg);So now we have registered 2 power supplies for the same battery,which looks a bit weird from userspace s pov but this is not eventhe really big problem.Notice how:1. This is all devm-maganaged2. The hidpp->battery.desc struct is shared between the 2 power supplies3. hidpp->battery.desc.properties points to the result from the second devm_kmemdup()This causes a use after free scenario on USB disconnect of the receiver:1. The last registered power supply class device gets unregistered2. The memory from the last devm_kmemdup() call gets freed, hidpp->battery.desc.properties now points to freed memory3. The first registered power supply class device gets unregistered, this involves sending a remove uevent to userspace which invokes power_supply_uevent() to fill the uevent data4. power_supply_uevent() uses hidpp->battery.desc.properties which now points to freed memory leading to backtraces like this one:Sep 22 20:01:35 eric kernel: BUG: unable to handle page fault for address: ffffb2140e017f08...Sep 22 20:01:35 eric kernel: Workqueue: usb_hub_wq hub_eventSep 22 20:01:35 eric kernel: RIP: 0010:power_supply_uevent+0xee/0x1d0...Sep 22 20:01:35 eric kernel: ? asm_exc_page_fault+0x26/0x30Sep 22 20:01:35 eric kernel: ? power_supply_uevent+0xee/0x1d0Sep 22 20:01:35 eric kernel: ? power_supply_uevent+0x10d/0x1d0Sep 22 20:01:35 eric kernel: dev_uevent+0x10f/0x2d0Sep 22 20:01:35 eric kernel: kobject_uevent_env+0x291/0x680Sep 22 20:01:35 eric kernel: ---truncated---

漏洞公开时间：

漏洞创建时间：2024-02-29 14:40:12

漏洞详情参考链接：

https://nvd.nist.gov/vuln/detail/CVE-2023-52478

<details>

<summary>更多参考(点击展开)</summary>

无

</details>

漏洞分析指导链接：

https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md

漏洞数据来源:

openBrain开源漏洞感知系统

漏洞补丁信息：

<details>

<summary>详情(点击展开)</summary>

无

</details>

二、漏洞分析结构反馈

影响性分析说明：

openEuler评分：

受影响版本排查(受影响/不受影响)：

1.master(6.1.0):

2.openEuler-20.03-LTS-SP1(4.19.90):

3.openEuler-20.03-LTS-SP4(4.19.90):

4.openEuler-22.03-LTS(5.10.0):

5.openEuler-22.03-LTS-Next(5.10.0):

6.openEuler-22.03-LTS-SP1(5.10.0):

7.openEuler-22.03-LTS-SP2(5.10.0):

8.openEuler-22.03-LTS-SP3(5.10.0):

修复是否涉及abi变化(是/否)：

1.master(6.1.0):

2.openEuler-20.03-LTS-SP1(4.19.90):

3.openEuler-20.03-LTS-SP4(4.19.90):

4.openEuler-22.03-LTS(5.10.0):

5.openEuler-22.03-LTS-Next(5.10.0):

6.openEuler-22.03-LTS-SP1(5.10.0):

7.openEuler-22.03-LTS-SP2(5.10.0):

8.openEuler-22.03-LTS-SP3(5.10.0):

一、漏洞信息

漏洞编号：[CVE-2023-52478](https://nvd.nist.gov/vuln/detail/CVE-2023-52478)

漏洞归属组件：[kernel](https://gitee.com/src-openeuler/kernel)

漏洞归属的版本：4.19.140,4.19.194,4.19.90,5.10.0,6.1.0,6.1.14,6.1.19,6.1.5,6.1.6,6.1.8,6.4.0

CVSS V2.0分值：

BaseScore：0.0 Low

Vector：CVSS：2.0/

漏洞简述：

In the Linux kernel, the following vulnerability has been resolved:HID: logitech-hidpp: Fix kernel crash on receiver USB disconnecthidpp_connect_event() has *four* time-of-check vs time-of-use (TOCTOU)races when it races with itself.hidpp_connect_event() primarily runs from a workqueue but it also runson probe() and if a device-connected packet is received by the hwwhen the thread running hidpp_connect_event() from probe() is waiting onthe hw, then a second thread running hidpp_connect_event() will bestarted from the workqueue.This opens the following races (note the below code is simplified):1. Retrieving + printing the protocol (harmless race): if (!hidpp->protocol_major) { hidpp_root_get_protocol_version() hidpp->protocol_major = response.rap.params[0]; }We can actually see this race hit in the dmesg in the abrt outputattached to rhbz#2227968:[ 3064.624215] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.[ 3064.658184] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.Testing with extra logging added has shown that after this the 2 threadstake turn grabbing the hw access mutex (send_mutex) so they ping-pongthrough all the other TOCTOU cases managing to hit all of them:2. Updating the name to the HIDPP name (harmless race): if (hidpp->name == hdev->name) { ... hidpp->name = new_name; }3. Initializing the power_supply class for the battery (problematic!):hidpp_initialize_battery(){ if (hidpp->battery.ps) return 0; probe_battery(); /* Blocks, threads take turns executing this */ hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg);}4. Creating delayed input_device (potentially problematic): if (hidpp->delayed_input) return; hidpp->delayed_input = hidpp_allocate_input(hdev);The really big problem here is 3. Hitting the race leads to the followingsequence: hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg); ... hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg);So now we have registered 2 power supplies for the same battery,which looks a bit weird from userspace s pov but this is not eventhe really big problem.Notice how:1. This is all devm-maganaged2. The hidpp->battery.desc struct is shared between the 2 power supplies3. hidpp->battery.desc.properties points to the result from the second devm_kmemdup()This causes a use after free scenario on USB disconnect of the receiver:1. The last registered power supply class device gets unregistered2. The memory from the last devm_kmemdup() call gets freed, hidpp->battery.desc.properties now points to freed memory3. The first registered power supply class device gets unregistered, this involves sending a remove uevent to userspace which invokes power_supply_uevent() to fill the uevent data4. power_supply_uevent() uses hidpp->battery.desc.properties which now points to freed memory leading to backtraces like this one:Sep 22 20:01:35 eric kernel: BUG: unable to handle page fault for address: ffffb2140e017f08...Sep 22 20:01:35 eric kernel: Workqueue: usb_hub_wq hub_eventSep 22 20:01:35 eric kernel: RIP: 0010:power_supply_uevent+0xee/0x1d0...Sep 22 20:01:35 eric kernel: ? asm_exc_page_fault+0x26/0x30Sep 22 20:01:35 eric kernel: ? power_supply_uevent+0xee/0x1d0Sep 22 20:01:35 eric kernel: ? power_supply_uevent+0x10d/0x1d0Sep 22 20:01:35 eric kernel: dev_uevent+0x10f/0x2d0Sep 22 20:01:35 eric kernel: kobject_uevent_env+0x291/0x680Sep 22 20:01:35 eric kernel: ---truncated---

漏洞公开时间：

漏洞创建时间：2024-02-29 14:40:12

漏洞详情参考链接：

https://nvd.nist.gov/vuln/detail/CVE-2023-52478

<details>

<summary>更多参考(点击展开)</summary>

无

</details>

漏洞分析指导链接：

https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md

漏洞数据来源:

openBrain开源漏洞感知系统

漏洞补丁信息：

<details>

<summary>详情(点击展开)</summary>

无

</details>

二、漏洞分析结构反馈

影响性分析说明：

openEuler评分：

受影响版本排查(受影响/不受影响)：

1.master(6.1.0):

2.openEuler-20.03-LTS-SP1(4.19.90):

3.openEuler-20.03-LTS-SP4(4.19.90):

4.openEuler-22.03-LTS(5.10.0):

5.openEuler-22.03-LTS-Next(5.10.0):

6.openEuler-22.03-LTS-SP1(5.10.0):

7.openEuler-22.03-LTS-SP2(5.10.0):

8.openEuler-22.03-LTS-SP3(5.10.0):

修复是否涉及abi变化(是/否)：

1.master(6.1.0):

2.openEuler-20.03-LTS-SP1(4.19.90):

3.openEuler-20.03-LTS-SP4(4.19.90):

4.openEuler-22.03-LTS(5.10.0):

5.openEuler-22.03-LTS-Next(5.10.0):

6.openEuler-22.03-LTS-SP1(5.10.0):

7.openEuler-22.03-LTS-SP2(5.10.0):

8.openEuler-22.03-LTS-SP3(5.10.0):

一、漏洞信息

漏洞编号：[CVE-2023-52478](https://nvd.nist.gov/vuln/detail/CVE-2023-52478)

漏洞归属组件：[kernel](https://gitee.com/src-openeuler/kernel)

漏洞归属的版本：4.19.140,4.19.194,4.19.90,5.10.0,6.1.0,6.1.14,6.1.19,6.1.5,6.1.6,6.1.8,6.4.0

CVSS V2.0分值：

BaseScore：0.0 Low

Vector：CVSS：2.0/

漏洞简述：

In the Linux kernel, the following vulnerability has been resolved:HID: logitech-hidpp: Fix kernel crash on receiver USB disconnecthidpp_connect_event() has *four* time-of-check vs time-of-use (TOCTOU)races when it races with itself.hidpp_connect_event() primarily runs from a workqueue but it also runson probe() and if a device-connected packet is received by the hwwhen the thread running hidpp_connect_event() from probe() is waiting onthe hw, then a second thread running hidpp_connect_event() will bestarted from the workqueue.This opens the following races (note the below code is simplified):1. Retrieving + printing the protocol (harmless race): if (!hidpp->protocol_major) { hidpp_root_get_protocol_version() hidpp->protocol_major = response.rap.params[0]; }We can actually see this race hit in the dmesg in the abrt outputattached to rhbz#2227968:[ 3064.624215] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.[ 3064.658184] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.Testing with extra logging added has shown that after this the 2 threadstake turn grabbing the hw access mutex (send_mutex) so they ping-pongthrough all the other TOCTOU cases managing to hit all of them:2. Updating the name to the HIDPP name (harmless race): if (hidpp->name == hdev->name) { ... hidpp->name = new_name; }3. Initializing the power_supply class for the battery (problematic!):hidpp_initialize_battery(){ if (hidpp->battery.ps) return 0; probe_battery(); /* Blocks, threads take turns executing this */ hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg);}4. Creating delayed input_device (potentially problematic): if (hidpp->delayed_input) return; hidpp->delayed_input = hidpp_allocate_input(hdev);The really big problem here is 3. Hitting the race leads to the followingsequence: hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg); ... hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg);So now we have registered 2 power supplies for the same battery,which looks a bit weird from userspace s pov but this is not eventhe really big problem.Notice how:1. This is all devm-maganaged2. The hidpp->battery.desc struct is shared between the 2 power supplies3. hidpp->battery.desc.properties points to the result from the second devm_kmemdup()This causes a use after free scenario on USB disconnect of the receiver:1. The last registered power supply class device gets unregistered2. The memory from the last devm_kmemdup() call gets freed, hidpp->battery.desc.properties now points to freed memory3. The first registered power supply class device gets unregistered, this involves sending a remove uevent to userspace which invokes power_supply_uevent() to fill the uevent data4. power_supply_uevent() uses hidpp->battery.desc.properties which now points to freed memory leading to backtraces like this one:Sep 22 20:01:35 eric kernel: BUG: unable to handle page fault for address: ffffb2140e017f08...Sep 22 20:01:35 eric kernel: Workqueue: usb_hub_wq hub_eventSep 22 20:01:35 eric kernel: RIP: 0010:power_supply_uevent+0xee/0x1d0...Sep 22 20:01:35 eric kernel: ? asm_exc_page_fault+0x26/0x30Sep 22 20:01:35 eric kernel: ? power_supply_uevent+0xee/0x1d0Sep 22 20:01:35 eric kernel: ? power_supply_uevent+0x10d/0x1d0Sep 22 20:01:35 eric kernel: dev_uevent+0x10f/0x2d0Sep 22 20:01:35 eric kernel: kobject_uevent_env+0x291/0x680Sep 22 20:01:35 eric kernel: ---truncated---

漏洞公开时间：

漏洞创建时间：2024-02-29 14:40:12

漏洞详情参考链接：

https://nvd.nist.gov/vuln/detail/CVE-2023-52478

<details>

<summary>更多参考(点击展开)</summary>

无

</details>

漏洞分析指导链接：

https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md

漏洞数据来源:

openBrain开源漏洞感知系统

漏洞补丁信息：

<details>

<summary>详情(点击展开)</summary>

无

</details>

二、漏洞分析结构反馈

影响性分析说明：

openEuler评分：

受影响版本排查(受影响/不受影响)：

1.master(6.1.0):

2.openEuler-20.03-LTS-SP1(4.19.90):

3.openEuler-20.03-LTS-SP4(4.19.90):

4.openEuler-22.03-LTS(5.10.0):

5.openEuler-22.03-LTS-Next(5.10.0):

6.openEuler-22.03-LTS-SP1(5.10.0):

7.openEuler-22.03-LTS-SP2(5.10.0):

8.openEuler-22.03-LTS-SP3(5.10.0):

修复是否涉及abi变化(是/否)：

1.master(6.1.0):

2.openEuler-20.03-LTS-SP1(4.19.90):

3.openEuler-20.03-LTS-SP4(4.19.90):

4.openEuler-22.03-LTS(5.10.0):

5.openEuler-22.03-LTS-Next(5.10.0):

6.openEuler-22.03-LTS-SP1(5.10.0):

7.openEuler-22.03-LTS-SP2(5.10.0):

8.openEuler-22.03-LTS-SP3(5.10.0):

一、漏洞信息

漏洞编号：[CVE-2023-52478](https://nvd.nist.gov/vuln/detail/CVE-2023-52478)

漏洞归属组件：[kernel](https://gitee.com/src-openeuler/kernel)

漏洞归属的版本：4.19.140,4.19.194,4.19.90,5.10.0,6.1.0,6.1.14,6.1.19,6.1.5,6.1.6,6.1.8,6.4.0

CVSS V2.0分值：

BaseScore：0.0 Low

Vector：CVSS：2.0/

漏洞简述：

In the Linux kernel, the following vulnerability has been resolved:HID: logitech-hidpp: Fix kernel crash on receiver USB disconnecthidpp_connect_event() has *four* time-of-check vs time-of-use (TOCTOU)races when it races with itself.hidpp_connect_event() primarily runs from a workqueue but it also runson probe() and if a device-connected packet is received by the hwwhen the thread running hidpp_connect_event() from probe() is waiting onthe hw, then a second thread running hidpp_connect_event() will bestarted from the workqueue.This opens the following races (note the below code is simplified):1. Retrieving + printing the protocol (harmless race): if (!hidpp->protocol_major) { hidpp_root_get_protocol_version() hidpp->protocol_major = response.rap.params[0]; }We can actually see this race hit in the dmesg in the abrt outputattached to rhbz#2227968:[ 3064.624215] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.[ 3064.658184] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.Testing with extra logging added has shown that after this the 2 threadstake turn grabbing the hw access mutex (send_mutex) so they ping-pongthrough all the other TOCTOU cases managing to hit all of them:2. Updating the name to the HIDPP name (harmless race): if (hidpp->name == hdev->name) { ... hidpp->name = new_name; }3. Initializing the power_supply class for the battery (problematic!):hidpp_initialize_battery(){ if (hidpp->battery.ps) return 0; probe_battery(); /* Blocks, threads take turns executing this */ hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg);}4. Creating delayed input_device (potentially problematic): if (hidpp->delayed_input) return; hidpp->delayed_input = hidpp_allocate_input(hdev);The really big problem here is 3. Hitting the race leads to the followingsequence: hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg); ... hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg);So now we have registered 2 power supplies for the same battery,which looks a bit weird from userspace s pov but this is not eventhe really big problem.Notice how:1. This is all devm-maganaged2. The hidpp->battery.desc struct is shared between the 2 power supplies3. hidpp->battery.desc.properties points to the result from the second devm_kmemdup()This causes a use after free scenario on USB disconnect of the receiver:1. The last registered power supply class device gets unregistered2. The memory from the last devm_kmemdup() call gets freed, hidpp->battery.desc.properties now points to freed memory3. The first registered power supply class device gets unregistered, this involves sending a remove uevent to userspace which invokes power_supply_uevent() to fill the uevent data4. power_supply_uevent() uses hidpp->battery.desc.properties which now points to freed memory leading to backtraces like this one:Sep 22 20:01:35 eric kernel: BUG: unable to handle page fault for address: ffffb2140e017f08...Sep 22 20:01:35 eric kernel: Workqueue: usb_hub_wq hub_eventSep 22 20:01:35 eric kernel: RIP: 0010:power_supply_uevent+0xee/0x1d0...Sep 22 20:01:35 eric kernel: ? asm_exc_page_fault+0x26/0x30Sep 22 20:01:35 eric kernel: ? power_supply_uevent+0xee/0x1d0Sep 22 20:01:35 eric kernel: ? power_supply_uevent+0x10d/0x1d0Sep 22 20:01:35 eric kernel: dev_uevent+0x10f/0x2d0Sep 22 20:01:35 eric kernel: kobject_uevent_env+0x291/0x680Sep 22 20:01:35 eric kernel: ---truncated---

漏洞创建时间：2024-02-29 14:40:12

漏洞详情参考链接：

https://nvd.nist.gov/vuln/detail/CVE-2023-52478

<details>

<summary>更多参考(点击展开)</summary>

无

</details>

漏洞分析指导链接：

https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md

漏洞数据来源:

openBrain开源漏洞感知系统

漏洞补丁信息：

<details>

<summary>详情(点击展开)</summary>

无

</details>

二、漏洞分析结构反馈

影响性分析说明：

openEuler评分：

受影响版本排查(受影响/不受影响)：

1.master(6.1.0):

2.openEuler-20.03-LTS-SP1(4.19.90):

3.openEuler-20.03-LTS-SP4(4.19.90):

4.openEuler-22.03-LTS(5.10.0):

5.openEuler-22.03-LTS-Next(5.10.0):

6.openEuler-22.03-LTS-SP1(5.10.0):

7.openEuler-22.03-LTS-SP2(5.10.0):

8.openEuler-22.03-LTS-SP3(5.10.0):

修复是否涉及abi变化(是/否)：

1.master(6.1.0):

2.openEuler-20.03-LTS-SP1(4.19.90):

3.openEuler-20.03-LTS-SP4(4.19.90):

4.openEuler-22.03-LTS(5.10.0):

5.openEuler-22.03-LTS-Next(5.10.0):

6.openEuler-22.03-LTS-SP1(5.10.0):

7.openEuler-22.03-LTS-SP2(5.10.0):

8.openEuler-22.03-LTS-SP3(5.10.0):

一、漏洞信息

漏洞编号：[CVE-2023-52478](https://nvd.nist.gov/vuln/detail/CVE-2023-52478)

漏洞归属组件：[kernel](https://gitee.com/src-openeuler/kernel)

漏洞归属的版本：4.19.140,4.19.194,4.19.90,5.10.0,6.1.0,6.1.14,6.1.19,6.1.5,6.1.6,6.1.8,6.4.0

CVSS V2.0分值：

BaseScore：0.0 Low

Vector：CVSS：2.0/

漏洞简述：

In the Linux kernel, the following vulnerability has been resolved:HID: logitech-hidpp: Fix kernel crash on receiver USB disconnecthidpp_connect_event() has *four* time-of-check vs time-of-use (TOCTOU)races when it races with itself.hidpp_connect_event() primarily runs from a workqueue but it also runson probe() and if a device-connected packet is received by the hwwhen the thread running hidpp_connect_event() from probe() is waiting onthe hw, then a second thread running hidpp_connect_event() will bestarted from the workqueue.This opens the following races (note the below code is simplified):1. Retrieving + printing the protocol (harmless race): if (!hidpp->protocol_major) { hidpp_root_get_protocol_version() hidpp->protocol_major = response.rap.params[0]; }We can actually see this race hit in the dmesg in the abrt outputattached to rhbz#2227968:[ 3064.624215] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.[ 3064.658184] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.Testing with extra logging added has shown that after this the 2 threadstake turn grabbing the hw access mutex (send_mutex) so they ping-pongthrough all the other TOCTOU cases managing to hit all of them:2. Updating the name to the HIDPP name (harmless race): if (hidpp->name == hdev->name) { ... hidpp->name = new_name; }3. Initializing the power_supply class for the battery (problematic!):hidpp_initialize_battery(){ if (hidpp->battery.ps) return 0; probe_battery(); /* Blocks, threads take turns executing this */ hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg);}4. Creating delayed input_device (potentially problematic): if (hidpp->delayed_input) return; hidpp->delayed_input = hidpp_allocate_input(hdev);The really big problem here is 3. Hitting the race leads to the followingsequence: hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg); ... hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg);So now we have registered 2 power supplies for the same battery,which looks a bit weird from userspace s pov but this is not eventhe really big problem.Notice how:1. This is all devm-maganaged2. The hidpp->battery.desc struct is shared between the 2 power supplies3. hidpp->battery.desc.properties points to the result from the second devm_kmemdup()This causes a use after free scenario on USB disconnect of the receiver:1. The last registered power supply class device gets unregistered2. The memory from the last devm_kmemdup() call gets freed, hidpp->battery.desc.properties now points to freed memory3. The first registered power supply class device gets unregistered, this involves sending a remove uevent to userspace which invokes power_supply_uevent() to fill the uevent data4. power_supply_uevent() uses hidpp->battery.desc.properties which now points to freed memory leading to backtraces like this one:Sep 22 20:01:35 eric kernel: BUG: unable to handle page fault for address: ffffb2140e017f08...Sep 22 20:01:35 eric kernel: Workqueue: usb_hub_wq hub_eventSep 22 20:01:35 eric kernel: RIP: 0010:power_supply_uevent+0xee/0x1d0...Sep 22 20:01:35 eric kernel: ? asm_exc_page_fault+0x26/0x30Sep 22 20:01:35 eric kernel: ? power_supply_uevent+0xee/0x1d0Sep 22 20:01:35 eric kernel: ? power_supply_uevent+0x10d/0x1d0Sep 22 20:01:35 eric kernel: dev_uevent+0x10f/0x2d0Sep 22 20:01:35 eric kernel: kobject_uevent_env+0x291/0x680Sep 22 20:01:35 eric kernel: ---truncated---

漏洞公开时间：2024-02-29 14:15

漏洞创建时间：2024-02-29 14:40:12

漏洞详情参考链接：

https://nvd.nist.gov/vuln/detail/CVE-2023-52478

<details>

<summary>更多参考(点击展开)</summary>

无

</details>

漏洞分析指导链接：

https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md

漏洞数据来源:

openBrain开源漏洞感知系统

漏洞补丁信息：

<details>

<summary>详情(点击展开)</summary>

无

</details>

二、漏洞分析结构反馈

影响性分析说明：

openEuler评分：

受影响版本排查(受影响/不受影响)：

1.master(6.1.0):

2.openEuler-20.03-LTS-SP1(4.19.90):

3.openEuler-20.03-LTS-SP4(4.19.90):

4.openEuler-22.03-LTS(5.10.0):

5.openEuler-22.03-LTS-Next(5.10.0):

6.openEuler-22.03-LTS-SP1(5.10.0):

7.openEuler-22.03-LTS-SP2(5.10.0):

8.openEuler-22.03-LTS-SP3(5.10.0):

修复是否涉及abi变化(是/否)：

1.master(6.1.0):

2.openEuler-20.03-LTS-SP1(4.19.90):

3.openEuler-20.03-LTS-SP4(4.19.90):

4.openEuler-22.03-LTS(5.10.0):

5.openEuler-22.03-LTS-Next(5.10.0):

6.openEuler-22.03-LTS-SP1(5.10.0):

7.openEuler-22.03-LTS-SP2(5.10.0):

8.openEuler-22.03-LTS-SP3(5.10.0):

一、漏洞信息

漏洞编号：[CVE-2023-52478](https://nvd.nist.gov/vuln/detail/CVE-2023-52478)

漏洞归属组件：[kernel](https://gitee.com/src-openeuler/kernel)

漏洞归属的版本：4.19.140,4.19.194,4.19.90,5.10.0,6.1.0,6.1.14,6.1.19,6.1.5,6.1.6,6.1.8,6.4.0

CVSS V2.0分值：

BaseScore：0.0 Low

Vector：CVSS：2.0/

漏洞简述：

In the Linux kernel, the following vulnerability has been resolved:HID: logitech-hidpp: Fix kernel crash on receiver USB disconnecthidpp_connect_event() has *four* time-of-check vs time-of-use (TOCTOU)races when it races with itself.hidpp_connect_event() primarily runs from a workqueue but it also runson probe() and if a device-connected packet is received by the hwwhen the thread running hidpp_connect_event() from probe() is waiting onthe hw, then a second thread running hidpp_connect_event() will bestarted from the workqueue.This opens the following races (note the below code is simplified):1. Retrieving + printing the protocol (harmless race): if (!hidpp->protocol_major) { hidpp_root_get_protocol_version() hidpp->protocol_major = response.rap.params[0]; }We can actually see this race hit in the dmesg in the abrt outputattached to rhbz#2227968:[ 3064.624215] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.[ 3064.658184] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.Testing with extra logging added has shown that after this the 2 threadstake turn grabbing the hw access mutex (send_mutex) so they ping-pongthrough all the other TOCTOU cases managing to hit all of them:2. Updating the name to the HIDPP name (harmless race): if (hidpp->name == hdev->name) { ... hidpp->name = new_name; }3. Initializing the power_supply class for the battery (problematic!):hidpp_initialize_battery(){ if (hidpp->battery.ps) return 0; probe_battery(); /* Blocks, threads take turns executing this */ hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg);}4. Creating delayed input_device (potentially problematic): if (hidpp->delayed_input) return; hidpp->delayed_input = hidpp_allocate_input(hdev);The really big problem here is 3. Hitting the race leads to the followingsequence: hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg); ... hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg);So now we have registered 2 power supplies for the same battery,which looks a bit weird from userspace s pov but this is not eventhe really big problem.Notice how:1. This is all devm-maganaged2. The hidpp->battery.desc struct is shared between the 2 power supplies3. hidpp->battery.desc.properties points to the result from the second devm_kmemdup()This causes a use after free scenario on USB disconnect of the receiver:1. The last registered power supply class device gets unregistered2. The memory from the last devm_kmemdup() call gets freed, hidpp->battery.desc.properties now points to freed memory3. The first registered power supply class device gets unregistered, this involves sending a remove uevent to userspace which invokes power_supply_uevent() to fill the uevent data4. power_supply_uevent() uses hidpp->battery.desc.properties which now points to freed memory leading to backtraces like this one:Sep 22 20:01:35 eric kernel: BUG: unable to handle page fault for address: ffffb2140e017f08...Sep 22 20:01:35 eric kernel: Workqueue: usb_hub_wq hub_eventSep 22 20:01:35 eric kernel: RIP: 0010:power_supply_uevent+0xee/0x1d0...Sep 22 20:01:35 eric kernel: ? asm_exc_page_fault+0x26/0x30Sep 22 20:01:35 eric kernel: ? power_supply_uevent+0xee/0x1d0Sep 22 20:01:35 eric kernel: ? power_supply_uevent+0x10d/0x1d0Sep 22 20:01:35 eric kernel: dev_uevent+0x10f/0x2d0Sep 22 20:01:35 eric kernel: kobject_uevent_env+0x291/0x680Sep 22 20:01:35 eric kernel: ---truncated---

漏洞公开时间：2024-02-29 14:15

漏洞创建时间：2024-02-29 14:40:12

漏洞详情参考链接：

https://nvd.nist.gov/vuln/detail/CVE-2023-52478

<details>

<summary>更多参考(点击展开)</summary>

无

</details>

漏洞分析指导链接：

https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md

漏洞数据来源:

openBrain开源漏洞感知系统

漏洞补丁信息：

<details>

<summary>详情(点击展开)</summary>

无

</details>

二、漏洞分析结构反馈

影响性分析说明：

openEuler评分：

受影响版本排查(受影响/不受影响)：

1.master(6.1.0):

2.openEuler-20.03-LTS-SP1(4.19.90):

3.openEuler-20.03-LTS-SP4(4.19.90):

4.openEuler-22.03-LTS(5.10.0):

5.openEuler-22.03-LTS-Next(5.10.0):

6.openEuler-22.03-LTS-SP1(5.10.0):

7.openEuler-22.03-LTS-SP2(5.10.0):

8.openEuler-22.03-LTS-SP3(5.10.0):

一、漏洞信息

漏洞编号：[CVE-2023-52478](https://nvd.nist.gov/vuln/detail/CVE-2023-52478)

漏洞归属组件：[kernel](https://gitee.com/src-openeuler/kernel)

漏洞归属的版本：4.19.140,4.19.194,4.19.90,5.10.0,6.1.0,6.1.14,6.1.19,6.1.5,6.1.6,6.1.8,6.4.0

CVSS V2.0分值：

BaseScore：0.0 Low

Vector：CVSS：2.0/

漏洞简述：

In the Linux kernel, the following vulnerability has been resolved:HID: logitech-hidpp: Fix kernel crash on receiver USB disconnecthidpp_connect_event() has *four* time-of-check vs time-of-use (TOCTOU)races when it races with itself.hidpp_connect_event() primarily runs from a workqueue but it also runson probe() and if a device-connected packet is received by the hwwhen the thread running hidpp_connect_event() from probe() is waiting onthe hw, then a second thread running hidpp_connect_event() will bestarted from the workqueue.This opens the following races (note the below code is simplified):1. Retrieving + printing the protocol (harmless race): if (!hidpp->protocol_major) { hidpp_root_get_protocol_version() hidpp->protocol_major = response.rap.params[0]; }We can actually see this race hit in the dmesg in the abrt outputattached to rhbz#2227968:[ 3064.624215] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.[ 3064.658184] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.Testing with extra logging added has shown that after this the 2 threadstake turn grabbing the hw access mutex (send_mutex) so they ping-pongthrough all the other TOCTOU cases managing to hit all of them:2. Updating the name to the HIDPP name (harmless race): if (hidpp->name == hdev->name) { ... hidpp->name = new_name; }3. Initializing the power_supply class for the battery (problematic!):hidpp_initialize_battery(){ if (hidpp->battery.ps) return 0; probe_battery(); /* Blocks, threads take turns executing this */ hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg);}4. Creating delayed input_device (potentially problematic): if (hidpp->delayed_input) return; hidpp->delayed_input = hidpp_allocate_input(hdev);The really big problem here is 3. Hitting the race leads to the followingsequence: hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg); ... hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg);So now we have registered 2 power supplies for the same battery,which looks a bit weird from userspace s pov but this is not eventhe really big problem.Notice how:1. This is all devm-maganaged2. The hidpp->battery.desc struct is shared between the 2 power supplies3. hidpp->battery.desc.properties points to the result from the second devm_kmemdup()This causes a use after free scenario on USB disconnect of the receiver:1. The last registered power supply class device gets unregistered2. The memory from the last devm_kmemdup() call gets freed, hidpp->battery.desc.properties now points to freed memory3. The first registered power supply class device gets unregistered, this involves sending a remove uevent to userspace which invokes power_supply_uevent() to fill the uevent data4. power_supply_uevent() uses hidpp->battery.desc.properties which now points to freed memory leading to backtraces like this one:Sep 22 20:01:35 eric kernel: BUG: unable to handle page fault for address: ffffb2140e017f08...Sep 22 20:01:35 eric kernel: Workqueue: usb_hub_wq hub_eventSep 22 20:01:35 eric kernel: RIP: 0010:power_supply_uevent+0xee/0x1d0...Sep 22 20:01:35 eric kernel: ? asm_exc_page_fault+0x26/0x30Sep 22 20:01:35 eric kernel: ? power_supply_uevent+0xee/0x1d0Sep 22 20:01:35 eric kernel: ? power_supply_uevent+0x10d/0x1d0Sep 22 20:01:35 eric kernel: dev_uevent+0x10f/0x2d0Sep 22 20:01:35 eric kernel: kobject_uevent_env+0x291/0x680Sep 22 20:01:35 eric kernel: ---truncated---

漏洞公开时间：2024-02-29 14:15

漏洞创建时间：2024-02-29 14:40:12

漏洞详情参考链接：

https://nvd.nist.gov/vuln/detail/CVE-2023-52478

<details>

<summary>更多参考(点击展开)</summary>

无

</details>

漏洞分析指导链接：

https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md

漏洞数据来源:

openBrain开源漏洞感知系统

漏洞补丁信息：

<details>

<summary>详情(点击展开)</summary>

无

</details>

二、漏洞分析结构反馈

影响性分析说明：

openEuler评分：

受影响版本排查(受影响/不受影响)：

1.master(6.1.0):

2.openEuler-20.03-LTS-SP1(4.19.90):

3.openEuler-20.03-LTS-SP4(4.19.90):

4.openEuler-22.03-LTS(5.10.0):

5.openEuler-22.03-LTS-Next(5.10.0):

6.openEuler-22.03-LTS-SP1(5.10.0):

7.openEuler-22.03-LTS-SP2(5.10.0):

8.openEuler-22.03-LTS-SP3(5.10.0):

9.openEuler-24.03-LTS:

修复是否涉及abi变化(是/否)：

1.master(6.1.0):

2.openEuler-20.03-LTS-SP1(4.19.90):

3.openEuler-20.03-LTS-SP4(4.19.90):

4.openEuler-22.03-LTS(5.10.0):

5.openEuler-22.03-LTS-Next(5.10.0):

6.openEuler-22.03-LTS-SP1(5.10.0):

7.openEuler-22.03-LTS-SP2(5.10.0):

8.openEuler-22.03-LTS-SP3(5.10.0):

9.openEuler-24.03-LTS:

一、漏洞信息

漏洞编号：[CVE-2023-52478](https://nvd.nist.gov/vuln/detail/CVE-2023-52478)

漏洞归属组件：[kernel](https://gitee.com/src-openeuler/kernel)

漏洞归属的版本：4.19.140,4.19.194,4.19.90,5.10.0,6.1.0,6.1.14,6.1.19,6.1.5,6.1.6,6.1.8,6.4.0

CVSS V2.0分值：

BaseScore：0.0 Low

Vector：CVSS：2.0/

漏洞简述：

In the Linux kernel, the following vulnerability has been resolved:HID: logitech-hidpp: Fix kernel crash on receiver USB disconnecthidpp_connect_event() has *four* time-of-check vs time-of-use (TOCTOU)races when it races with itself.hidpp_connect_event() primarily runs from a workqueue but it also runson probe() and if a device-connected packet is received by the hwwhen the thread running hidpp_connect_event() from probe() is waiting onthe hw, then a second thread running hidpp_connect_event() will bestarted from the workqueue.This opens the following races (note the below code is simplified):1. Retrieving + printing the protocol (harmless race): if (!hidpp->protocol_major) { hidpp_root_get_protocol_version() hidpp->protocol_major = response.rap.params[0]; }We can actually see this race hit in the dmesg in the abrt outputattached to rhbz#2227968:[ 3064.624215] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.[ 3064.658184] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.Testing with extra logging added has shown that after this the 2 threadstake turn grabbing the hw access mutex (send_mutex) so they ping-pongthrough all the other TOCTOU cases managing to hit all of them:2. Updating the name to the HIDPP name (harmless race): if (hidpp->name == hdev->name) { ... hidpp->name = new_name; }3. Initializing the power_supply class for the battery (problematic!):hidpp_initialize_battery(){ if (hidpp->battery.ps) return 0; probe_battery(); /* Blocks, threads take turns executing this */ hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg);}4. Creating delayed input_device (potentially problematic): if (hidpp->delayed_input) return; hidpp->delayed_input = hidpp_allocate_input(hdev);The really big problem here is 3. Hitting the race leads to the followingsequence: hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg); ... hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg);So now we have registered 2 power supplies for the same battery,which looks a bit weird from userspace s pov but this is not eventhe really big problem.Notice how:1. This is all devm-maganaged2. The hidpp->battery.desc struct is shared between the 2 power supplies3. hidpp->battery.desc.properties points to the result from the second devm_kmemdup()This causes a use after free scenario on USB disconnect of the receiver:1. The last registered power supply class device gets unregistered2. The memory from the last devm_kmemdup() call gets freed, hidpp->battery.desc.properties now points to freed memory3. The first registered power supply class device gets unregistered, this involves sending a remove uevent to userspace which invokes power_supply_uevent() to fill the uevent data4. power_supply_uevent() uses hidpp->battery.desc.properties which now points to freed memory leading to backtraces like this one:Sep 22 20:01:35 eric kernel: BUG: unable to handle page fault for address: ffffb2140e017f08...Sep 22 20:01:35 eric kernel: Workqueue: usb_hub_wq hub_eventSep 22 20:01:35 eric kernel: RIP: 0010:power_supply_uevent+0xee/0x1d0...Sep 22 20:01:35 eric kernel: ? asm_exc_page_fault+0x26/0x30Sep 22 20:01:35 eric kernel: ? power_supply_uevent+0xee/0x1d0Sep 22 20:01:35 eric kernel: ? power_supply_uevent+0x10d/0x1d0Sep 22 20:01:35 eric kernel: dev_uevent+0x10f/0x2d0Sep 22 20:01:35 eric kernel: kobject_uevent_env+0x291/0x680Sep 22 20:01:35 eric kernel: ---truncated---

漏洞公开时间：2024-02-29 14:15

漏洞创建时间：2024-02-29 14:40:12

漏洞详情参考链接：

https://nvd.nist.gov/vuln/detail/CVE-2023-52478

<details>

<summary>更多参考(点击展开)</summary>

无

</details>

漏洞分析指导链接：

https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md

漏洞数据来源:

openBrain开源漏洞感知系统

漏洞补丁信息：

<details>

<summary>详情(点击展开)</summary>

无

</details>

二、漏洞分析结构反馈

影响性分析说明：

openEuler评分：

受影响版本排查(受影响/不受影响)：

1.master(6.1.0):

2.openEuler-20.03-LTS-SP1(4.19.90):

3.openEuler-20.03-LTS-SP4(4.19.90):

4.openEuler-22.03-LTS(5.10.0):

5.openEuler-22.03-LTS-Next(5.10.0):

6.openEuler-22.03-LTS-SP1(5.10.0):

7.openEuler-22.03-LTS-SP2(5.10.0):

8.openEuler-22.03-LTS-SP3(5.10.0):

9.openEuler-24.03-LTS:

修复是否涉及abi变化(是/否)：

1.master(6.1.0):

2.openEuler-20.03-LTS-SP1(4.19.90):

3.openEuler-20.03-LTS-SP4(4.19.90):

4.openEuler-22.03-LTS(5.10.0):

5.openEuler-22.03-LTS-Next(5.10.0):

6.openEuler-22.03-LTS-SP1(5.10.0):

7.openEuler-22.03-LTS-SP2(5.10.0):

8.openEuler-22.03-LTS-SP3(5.10.0):

9.openEuler-24.03-LTS:

一、漏洞信息

漏洞编号：[CVE-2023-52478](https://nvd.nist.gov/vuln/detail/CVE-2023-52478)

漏洞归属组件：[kernel](https://gitee.com/src-openeuler/kernel)

漏洞归属的版本：4.19.140,4.19.194,4.19.90,5.10.0,6.1.0,6.1.14,6.1.19,6.1.5,6.1.6,6.1.8,6.4.0

CVSS V2.0分值：

BaseScore：0.0 Low

Vector：CVSS：2.0/

漏洞简述：

In the Linux kernel, the following vulnerability has been resolved:HID: logitech-hidpp: Fix kernel crash on receiver USB disconnecthidpp_connect_event() has *four* time-of-check vs time-of-use (TOCTOU)races when it races with itself.hidpp_connect_event() primarily runs from a workqueue but it also runson probe() and if a device-connected packet is received by the hwwhen the thread running hidpp_connect_event() from probe() is waiting onthe hw, then a second thread running hidpp_connect_event() will bestarted from the workqueue.This opens the following races (note the below code is simplified):1. Retrieving + printing the protocol (harmless race): if (!hidpp->protocol_major) { hidpp_root_get_protocol_version() hidpp->protocol_major = response.rap.params[0]; }We can actually see this race hit in the dmesg in the abrt outputattached to rhbz#2227968:[ 3064.624215] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.[ 3064.658184] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.Testing with extra logging added has shown that after this the 2 threadstake turn grabbing the hw access mutex (send_mutex) so they ping-pongthrough all the other TOCTOU cases managing to hit all of them:2. Updating the name to the HIDPP name (harmless race): if (hidpp->name == hdev->name) { ... hidpp->name = new_name; }3. Initializing the power_supply class for the battery (problematic!):hidpp_initialize_battery(){ if (hidpp->battery.ps) return 0; probe_battery(); /* Blocks, threads take turns executing this */ hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg);}4. Creating delayed input_device (potentially problematic): if (hidpp->delayed_input) return; hidpp->delayed_input = hidpp_allocate_input(hdev);The really big problem here is 3. Hitting the race leads to the followingsequence: hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg); ... hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg);So now we have registered 2 power supplies for the same battery,which looks a bit weird from userspace s pov but this is not eventhe really big problem.Notice how:1. This is all devm-maganaged2. The hidpp->battery.desc struct is shared between the 2 power supplies3. hidpp->battery.desc.properties points to the result from the second devm_kmemdup()This causes a use after free scenario on USB disconnect of the receiver:1. The last registered power supply class device gets unregistered2. The memory from the last devm_kmemdup() call gets freed, hidpp->battery.desc.properties now points to freed memory3. The first registered power supply class device gets unregistered, this involves sending a remove uevent to userspace which invokes power_supply_uevent() to fill the uevent data4. power_supply_uevent() uses hidpp->battery.desc.properties which now points to freed memory leading to backtraces like this one:Sep 22 20:01:35 eric kernel: BUG: unable to handle page fault for address: ffffb2140e017f08...Sep 22 20:01:35 eric kernel: Workqueue: usb_hub_wq hub_eventSep 22 20:01:35 eric kernel: RIP: 0010:power_supply_uevent+0xee/0x1d0...Sep 22 20:01:35 eric kernel: ? asm_exc_page_fault+0x26/0x30Sep 22 20:01:35 eric kernel: ? power_supply_uevent+0xee/0x1d0Sep 22 20:01:35 eric kernel: ? power_supply_uevent+0x10d/0x1d0Sep 22 20:01:35 eric kernel: dev_uevent+0x10f/0x2d0Sep 22 20:01:35 eric kernel: kobject_uevent_env+0x291/0x680Sep 22 20:01:35 eric kernel: ---truncated---

漏洞公开时间：2024-02-29 14:15

漏洞创建时间：2024-02-29 14:40:12

漏洞详情参考链接：

https://nvd.nist.gov/vuln/detail/CVE-2023-52478

<details>

<summary>更多参考(点击展开)</summary>

无

</details>

漏洞分析指导链接：

https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md

漏洞数据来源:

openBrain开源漏洞感知系统

漏洞补丁信息：

<details>

<summary>详情(点击展开)</summary>

无

</details>

二、漏洞分析结构反馈

影响性分析说明：

openEuler评分：

受影响版本排查(受影响/不受影响)：

1.master(6.1.0):

2.openEuler-20.03-LTS-SP1(4.19.90):

3.openEuler-20.03-LTS-SP4(4.19.90):

4.openEuler-22.03-LTS(5.10.0):

5.openEuler-22.03-LTS-Next(5.10.0):

6.openEuler-22.03-LTS-SP1(5.10.0):

7.openEuler-22.03-LTS-SP2(5.10.0):

8.openEuler-22.03-LTS-SP3(5.10.0):

9.openEuler-24.03-LTS:

修复是否涉及abi变化(是/否)：

1.master(6.1.0):

2.openEuler-20.03-LTS-SP1(4.19.90):

3.openEuler-20.03-LTS-SP4(4.19.90):

4.openEuler-22.03-LTS(5.10.0):

5.openEuler-22.03-LTS-Next(5.10.0):

6.openEuler-22.03-LTS-SP1(5.10.0):

7.openEuler-22.03-LTS-SP2(5.10.0):

8.openEuler-22.03-LTS-SP3(5.10.0):

9.openEuler-24.03-LTS:

一、漏洞信息

漏洞编号：[CVE-2023-52478](https://nvd.nist.gov/vuln/detail/CVE-2023-52478)

漏洞归属组件：[kernel](https://gitee.com/src-openeuler/kernel)

漏洞简述：

漏洞详情参考链接：

https://nvd.nist.gov/vuln/detail/CVE-2023-52478

<details>

<summary>更多参考(点击展开)</summary>