CVE-2023-53703
Description
In the Linux kernel, the following vulnerability has been resolved:
HID: amd_sfh: Fix for shift-out-of-bounds
Shift operation of 'exp' and 'shift' variables exceeds the maximum number of shift values in the u32 range leading to UBSAN shift-out-of-bounds.
...
[ 6.120512] UBSAN: shift-out-of-bounds in drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_desc.c:149:50
[ 6.120598] shift exponent 104 is too large for 64-bit type 'long unsigned int'
[ 6.120659] CPU: 4 PID: 96 Comm: kworker/4:1 Not tainted 6.4.0amd_1-next-20230519-dirty #10
[ 6.120665] Hardware name: AMD Birman-PHX/Birman-PHX, BIOS SFH_with_HPD_SEN.FD 04/05/2023
[ 6.120667] Workqueue: events amd_sfh_work_buffer [amd_sfh]
[ 6.120687] Call Trace:
[ 6.120690]
[ 6.120694] dump_stack_lvl+0x48/0x70
[ 6.120704] dump_stack+0x10/0x20
[ 6.120707] ubsan_epilogue+0x9/0x40
[ 6.120716] __ubsan_handle_shift_out_of_bounds+0x10f/0x170
[ 6.120720] ? psi_group_change+0x25f/0x4b0
[ 6.120729] float_to_int.cold+0x18/0xba [amd_sfh]
[ 6.120739] get_input_rep+0x57/0x340 [amd_sfh]
[ 6.120748] ? __schedule+0xba7/0x1b60
[ 6.120756] ? __pfx_get_input_rep+0x10/0x10 [amd_sfh]
[ 6.120764] amd_sfh_work_buffer+0x91/0x180 [amd_sfh]
[ 6.120772] process_one_work+0x229/0x430
[ 6.120780] worker_thread+0x4a/0x3c0
[ 6.120784] ? __pfx_worker_thread+0x10/0x10
[ 6.120788] kthread+0xf7/0x130
[ 6.120792] ? __pfx_kthread+0x10/0x10
[ 6.120795] ret_from_fork+0x29/0x50
[ 6.120804]
...
Fix this by adding the condition to validate shift ranges.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A shift-out-of-bounds vulnerability in the AMD SFH HID driver can cause a system crash via UBSAN, fixed by validating shift ranges.
Root Cause
In the Linux kernel's AMD SFH (Sensor Fusion Hub) driver, the function float_to_int() in amd_sfh_desc.c performs bit-shift operations using exp and shift values derived from sensor data without proper validation. As shown in the crash trace [1], a shift exponent of 104 exceeds the maximum allowed for a 64-bit type, triggering a UBSAN shift-out-of-bounds error. This occurs when the driver processes input reports from the sensor hardware.
Exploitation
An attacker with physical or local access could potentially trigger this condition by connecting a malicious or malformed AMD SFH sensor device, or by manipulating sensor data in a way that causes the driver to compute out-of-range shift values. No special privileges are required to trigger the vulnerable code path, as it runs in the context of a kernel workqueue (amd_sfh_work_buffer) during normal sensor data handling [1].
Impact
The vulnerability causes a kernel panic or system crash due to the UBSAN handler, leading to a denial of service (DoS). The crash trace explicitly shows the system halting with a UBSAN warning and a call trace ending in float_to_int.cold [1]. While no privilege escalation or data corruption is indicated, the instability could disrupt system availability.
Mitigation
The fix adds a condition to validate the shift range before performing the operation, preventing the out-of-bounds shift. The patch was committed to the stable kernel tree and is included in subsequent releases [1]. Users should update their kernel to a version containing this fix (e.g., 6.4 or later). No workaround is available for unpatched systems.
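A userspace illustration of validating shift ranges when a shift count is derived from a float's exponent field, added here as an example; it is not the driver's float_to_int() or the upstream patch. The function name f32_bits_to_int, the constructed test inputs, and the choice to return 0 or saturate for out-of-range values are assumptions.

```c
#include <stdint.h>

/*
 * Hypothetical helper (not kernel code): truncate an IEEE 754 binary32 bit
 * pattern toward zero using integer shifts only. The shift count comes from
 * the exponent field, so it is range-checked before every shift.
 */
int32_t f32_bits_to_int(uint32_t bits)
{
	uint32_t mant = bits & 0x7FFFFFu;        /* 23-bit fraction */
	int exp = (int)((bits >> 23) & 0xFFu);   /* biased exponent, 0..255 */
	int sign = (bits >> 31) ? -1 : 1;
	uint32_t sig;
	int shift;

	if (exp == 0 || exp == 0xFF)   /* zero/subnormal, or Inf/NaN: return 0 */
		return 0;

	exp -= 127;                    /* unbiased exponent, -126..127 */

	/*
	 * |value| < 1 truncates to 0. Without this check a right shift by
	 * 23 + |exp| would be attempted, which can reach 149 bits.
	 */
	if (exp < 0)
		return 0;

	sig = (1u << 23) | mant;       /* restore the implicit leading 1 */
	shift = 23 - exp;              /* ranges from 23 down to -104 */

	if (shift >= 0)                /* right shift by 0..23: always in range */
		return sign * (int32_t)(sig >> shift);

	/*
	 * Left shift by -shift. For exp >= 31 the magnitude is at least 2^31
	 * and the count can reach 104, so saturate instead of shifting.
	 */
	if (exp >= 31)
		return sign > 0 ? INT32_MAX : INT32_MIN;

	return sign * (int32_t)(sig << -shift);  /* count is 1..7 here */
}
```

The guards run before any shift is evaluated, so every shift count that reaches a `>>` or `<<` is between 0 and 23.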
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 3
5a45ed1ae34b
1e50bc2c177d
878543661764
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 3
News mentions: 0
No linked articles in our index yet.