Message-ID: <2024102118-CVE-2024-47712-13c2@gregkh>
Date: Mon, 21 Oct 2024 14:00:40 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: CVE-2024-47712: wifi: wilc1000: fix potential RCU dereference issue in wilc_parse_join_bss_param

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

wifi: wilc1000: fix potential RCU dereference issue in wilc_parse_join_bss_param

In the `wilc_parse_join_bss_param` function, the TSF field of the `ies`
structure is accessed after the RCU read-side critical section is
unlocked. According to RCU usage rules, this is illegal. Reusing this
pointer can lead to unpredictable behavior, including accessing memory
that has been updated or causing use-after-free issues.

This possible bug was identified using a static analysis tool developed
by myself, specifically designed to detect RCU-related issues.

To address this, the TSF value is now stored in a local variable
`ies_tsf` before the RCU lock is released. The `param->tsf_lo` field is
then assigned using this local variable, ensuring that the TSF value is
safely accessed.

The Linux kernel CVE team has assigned CVE-2024-47712 to this issue.

Affected and fixed versions
===========================

Issue introduced in 5.10.214 with commit b4bbf38c350a and fixed in 5.10.227 with commit 557418e17046
Issue introduced in 5.15.153 with commit d80fc436751c and fixed in 5.15.168 with commit bf090f4fe935
Issue introduced in 6.1.83 with commit 745003b5917b and fixed in 6.1.113 with commit b040b71d99ee
Issue introduced in 6.6.23 with commit 4bfd20d5f5c6 and fixed in 6.6.54 with commit 84398204c5df
Issue introduced in 6.9 with commit 205c50306acf and fixed in 6.10.13 with commit 2f944e6255c2
Issue introduced in 6.9 with commit 205c50306acf and fixed in 6.11.2 with commit 79510414a762
Issue introduced in 6.9 with commit 205c50306acf and fixed in 6.12-rc1 with commit 6d7c6ae1efb1
Issue introduced in 5.4.273 with commit e556006de4ea
Issue introduced in 6.7.11 with commit 5800ec78775c
Issue introduced in 6.8.2 with commit dd50d3ead6e3

Please see https://www.kernel.org for a full list of kernel versions
currently supported by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2024-47712
will be updated if fixes are backported; please check that for the most
up-to-date information about this issue.

Affected files
==============

The file(s) affected by this issue are:
drivers/net/wireless/microchip/wilc1000/hif.c

Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If, however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:

https://git.kernel.org/stable/c/557418e1704605a81c9e26732449f71b1d40ba1e
https://git.kernel.org/stable/c/bf090f4fe935294361eabd9dc5a949fdd77d3d1b
https://git.kernel.org/stable/c/b040b71d99ee5e17bb7a743dc01cbfcae8908ce1
https://git.kernel.org/stable/c/84398204c5df5aaf89453056cf0647cda9664d2b
https://git.kernel.org/stable/c/2f944e6255c2fc1c9bd9ee32f6b14ee0b2a51eb5
https://git.kernel.org/stable/c/79510414a7626317f13cc9073244ab7a8deb3192
https://git.kernel.org/stable/c/6d7c6ae1efb1ff68bc01d79d94fdf0388f86cdd8
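
The rule behind the fix in the Description, as an added userspace C model (not wilc1000 driver code and not part of the original announcement): a field of an RCU-protected object must be copied out before the read-side critical section ends. All names (`ies_model`, `join_param_model`, `model_deref`, `parse_unsafe`, `parse_safe`, `count_violations`) and the sample TSF value are constructed for illustration, and the truncation to 32 bits is an assumption of the model.

```c
#include <stdint.h>
#include <stdio.h>
struct ies_model { uint64_t tsf; };            /* stands in for the RCU-protected ies */
struct join_param_model { uint32_t tsf_lo; };  /* stands in for the join parameters */
typedef void (*parse_fn)(const struct ies_model *, struct join_param_model *);
static int rcu_depth, rcu_violations;  /* section nesting; out-of-section dereferences */
static void model_rcu_read_lock(void)   { rcu_depth++; }
static void model_rcu_read_unlock(void) { rcu_depth--; }
/* Instrumented access: counts any dereference made with no read lock held. */
static const struct ies_model *model_deref(const struct ies_model *p)
{
    if (rcu_depth <= 0)
        rcu_violations++;  /* in the kernel the object may already be freed */
    return p;
}

/* Pre-fix shape: pointer obtained under the lock is read after unlock. */
static void parse_unsafe(const struct ies_model *shared, struct join_param_model *param)
{
    model_rcu_read_lock();
    const struct ies_model *ies = model_deref(shared);
    model_rcu_read_unlock();
    param->tsf_lo = (uint32_t)model_deref(ies)->tsf;  /* too late */
}

/* Post-fix shape: TSF is copied to the local ies_tsf inside the section. */
static void parse_safe(const struct ies_model *shared, struct join_param_model *param)
{
    uint64_t ies_tsf;
    model_rcu_read_lock();
    ies_tsf = model_deref(shared)->tsf;
    model_rcu_read_unlock();
    param->tsf_lo = (uint32_t)ies_tsf;  /* model assumption: low 32 bits */
}

/* Runs one variant on a constructed TSF; returns out-of-section dereferences. */
static int count_violations(parse_fn fn, struct join_param_model *param)
{
    static const struct ies_model shared = { 0x1122334455667788ULL };
    rcu_depth = rcu_violations = 0;
    fn(&shared, param);
    return rcu_violations;
}

int main(void)
{
    struct join_param_model p = {0};
    printf("unsafe variant: %d violation(s)\n", count_violations(parse_unsafe, &p));
    printf("safe variant:   %d violation(s)\n", count_violations(parse_safe, &p));
    return 0;
}
```

In this model both variants produce the same `tsf_lo`; the difference is that the unsafe one reads the object after the section that guarantees its lifetime has ended, which the model records as a violation.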