CVE-2022-48978 in Linux

Summary

by MITRE • 10/21/2024

In the Linux kernel, the following vulnerability has been resolved:

HID: core: fix shift-out-of-bounds in hid_report_raw_event

Syzbot reported shift-out-of-bounds in hid_report_raw_event.

microsoft 0003:045E:07DA.0001: hid_field_extract() called with n (128) > 32! (swapper/0)
======================================================================
UBSAN: shift-out-of-bounds in drivers/hid/hid-core.c:1323:20
shift exponent 127 is too large for 32-bit type 'int'
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.1.0-rc4-syzkaller-00159-g4bbf3422df78 #0
Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
 ubsan_epilogue lib/ubsan.c:151 [inline]
 __ubsan_handle_shift_out_of_bounds+0x3a6/0x420 lib/ubsan.c:322
 snto32 drivers/hid/hid-core.c:1323 [inline]
 hid_input_fetch_field drivers/hid/hid-core.c:1572 [inline]
 hid_process_report drivers/hid/hid-core.c:1665 [inline]
 hid_report_raw_event+0xd56/0x18b0 drivers/hid/hid-core.c:1998
 hid_input_report+0x408/0x4f0 drivers/hid/hid-core.c:2066
 hid_irq_in+0x459/0x690 drivers/hid/usbhid/hid-core.c:284
 __usb_hcd_giveback_urb+0x369/0x530 drivers/usb/core/hcd.c:1671
 dummy_timer+0x86b/0x3110 drivers/usb/gadget/udc/dummy_hcd.c:1988
 call_timer_fn+0xf5/0x210 kernel/time/timer.c:1474
 expire_timers kernel/time/timer.c:1519 [inline]
 __run_timers+0x76a/0x980 kernel/time/timer.c:1790
 run_timer_softirq+0x63/0xf0 kernel/time/timer.c:1803
 __do_softirq+0x277/0x75b kernel/softirq.c:571
 __irq_exit_rcu+0xec/0x170 kernel/softirq.c:650
 irq_exit_rcu+0x5/0x20 kernel/softirq.c:662
 sysvec_apic_timer_interrupt+0x91/0xb0 arch/x86/kernel/apic/apic.c:1107
======================================================================

If the size of the integer (unsigned n) is bigger than 32 in snto32(), the shift exponent will be too large for the 32-bit type 'int', resulting in a shift-out-of-bounds bug. Fix this by adding a check on the size of the integer (unsigned n) in snto32(). To add support for n greater than 32 bits, set n to 32 if n is greater than 32.


Analysis

by VulDB Data Team • 01/18/2026

The vulnerability described in CVE-2022-48978 represents a critical shift-out-of-bounds condition within the Linux kernel's Human Interface Device (HID) subsystem, specifically in the hid_report_raw_event function. This flaw manifests when processing HID input reports from devices such as Microsoft's 0003:045E:07DA.0001 device, which is a Microsoft Xbox Wireless Controller. The issue occurs during the execution of the hid_field_extract function where the parameter n exceeds the maximum allowable value for a 32-bit integer, triggering a sanitizer error that indicates a shift exponent of 127 is too large for a 32-bit type 'int'. This represents a classic case of integer overflow leading to undefined behavior and potential exploitation.

The technical implementation of this vulnerability stems from the snto32() function in drivers/hid/hid-core.c at line 1323, where the function attempts to perform bit shifting operations on values that exceed the bounds of 32-bit integer arithmetic. When the unsigned integer n parameter surpasses 32 bits, the shift operation becomes invalid, causing the kernel's undefined behavior sanitizer to trigger an out-of-bounds error. This function is called through a chain of operations that begins with hid_report_raw_event, which processes raw HID reports from input devices, and continues through hid_input_fetch_field and hid_process_report functions. The call stack demonstrates the path through kernel components including usbhid driver and USB host controller drivers, indicating the vulnerability can be triggered through USB HID device input processing.

The operational impact of this vulnerability extends beyond simple kernel crashes, as it represents a potential vector for privilege escalation or denial of service attacks. According to the ATT&CK framework, this vulnerability could be leveraged for privilege escalation through kernel exploitation techniques, specifically targeting the kernel's memory management and input processing subsystems. The vulnerability's classification under CWE-129 indicates an improper validation of the upper bounds of an integer, while the shift-out-of-bounds condition aligns with CWE-195, which deals with signed to unsigned conversion issues. The fact that this was discovered through syzbot, an automated kernel fuzzer, demonstrates the sophisticated nature of modern vulnerability discovery techniques and the importance of continuous security testing in kernel code.

The mitigation strategy for this vulnerability involves implementing a bounds check within the snto32() function to prevent the execution of invalid shift operations when n exceeds 32 bits. The fix specifically requires setting n to 32 if it exceeds this value, effectively capping the maximum shift operation to prevent overflow conditions. This approach aligns with defensive programming principles and follows established kernel security practices for handling integer overflow conditions. The solution prevents the sanitizer from triggering while maintaining compatibility with legitimate HID device operations. This patch demonstrates the importance of input validation in kernel space code, particularly for parameters that control bit manipulation operations, and reflects the broader security principle of ensuring that all arithmetic operations remain within defined bounds to prevent exploitation through integer overflow vulnerabilities.
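The snto32() problem described in the summary above and in the mitigation paragraph, as an added C example that is not the kernel's source: a stand-in for snto32() with the cap on n applied, beside a helper that reproduces the shift-exponent condition UBSAN checked, so that n = 128 is shown to produce exponent 127 on the unpatched path. The names snto32_fixed and unpatched_shift_is_out_of_bounds are assumptions made for this example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Added example, not the kernel's source: a stand-in for the snto32() helper
 * in drivers/hid/hid-core.c, which sign-extends an n-bit field taken from a
 * HID report. 8/16/32-bit fields use casts; other widths test the sign bit
 * with 1u << (n - 1) and OR in the high bits with ~0u << n. */

#define SHIFT_BITS 32   /* width of the promoted operand: 32-bit 'int' */

/* Reproduces the condition UBSAN checked at hid-core.c:1323: a shift exponent
 * must be below the operand width. Widths 0, 8, 16 and 32 never reach the
 * shift, so they are safe; n = 128 yields exponent 127, as in the report. */
bool unpatched_shift_is_out_of_bounds(unsigned n)
{
    if (n == 0 || n == 8 || n == 16 || n == 32)
        return false;
    return (n - 1) >= SHIFT_BITS;
}

/* snto32 with the fix described on this page: clamp n to 32 so the generic
 * path only ever shifts by 1..31 and the 32-bit case takes the cast path. */
int32_t snto32_fixed(uint32_t value, unsigned n)
{
    if (!value || !n)
        return 0;
    if (n > 32)            /* the added bounds check */
        n = 32;
    switch (n) {
    case 8:  return (int8_t)value;
    case 16: return (int16_t)value;
    case 32: return (int32_t)value;
    }
    return (value & (1u << (n - 1))) ? (int32_t)(value | (~0u << n))
                                     : (int32_t)value;
}

int main(void)
{
    const unsigned widths[] = { 8, 12, 32, 128 };   /* 128 is the syzbot case */
    for (size_t i = 0; i < sizeof widths / sizeof widths[0]; i++)
        printf("n=%3u  unpatched exponent %3u  UBSAN fires: %-3s  fixed(0x80): %d\n",
               widths[i], widths[i] - 1,
               unpatched_shift_is_out_of_bounds(widths[i]) ? "yes" : "no",
               snto32_fixed(0x80u, widths[i]));
    return 0;
}
```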

Responsible

Linux

Reservation

08/22/2024

Disclosure

10/21/2024

Moderation

accepted

CPE

ready

EPSS

0.00250

KEV

no

Activities

very low

Sources
