| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAJedcCxoDVS-7jVwLvsWOWiv0aObyYBiG-GmqX4bq+Qp+i3iTw@mail.gmail.com>
Date: Mon, 6 Nov 2023 13:16:26 +0800
From: Zheng Hacker <hackerzheng666@...il.com>
To: Zheng Wang <zyytlz.wz@....com>
Cc: aspriel@...il.com, franky.lin@...adcom.com,
hante.meuleman@...adcom.com, kvalo@...nel.org,
johannes.berg@...el.com, marcan@...can.st,
linus.walleij@...aro.org, jisoo.jang@...sei.ac.kr,
linuxlovemin@...sei.ac.kr, wataru.gohda@...ress.com,
linux-wireless@...r.kernel.org,
brcm80211-dev-list.pdl@...adcom.com,
SHA-cyfmac-dev-list@...ineon.com, linux-kernel@...r.kernel.org,
security@...nel.org, stable@...r.kernel.org
Subject: Re: [PATCH v3] brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach
This is the candidate patch of CVE-2023-47233 :
https://nvd.nist.gov/vuln/detail/CVE-2023-47233
Appreciate the review and suggestions.
Zheng Wang <zyytlz.wz@....com> 于2023年11月6日周一 12:42写道:
>
> In brcm80211 driver,it starts with the following invoking chain
> to start init a timeout worker:
>
> ->brcmf_usb_probe
> ->brcmf_usb_probe_cb
> ->brcmf_attach
> ->brcmf_bus_started
> ->brcmf_cfg80211_attach
> ->wl_init_priv
> ->brcmf_init_escan
> ->INIT_WORK(&cfg->escan_timeout_work,
> brcmf_cfg80211_escan_timeout_worker);
>
> If we disconnect the USB by hotplug, it will call
> brcmf_usb_disconnect to make cleanup. The invoking chain is :
>
> brcmf_usb_disconnect
> ->brcmf_usb_disconnect_cb
> ->brcmf_detach
> ->brcmf_cfg80211_detach
> ->kfree(cfg);
>
> While the timeout woker may still be running. This will cause
> a use-after-free bug on cfg in brcmf_cfg80211_escan_timeout_worker.
>
> Fix it by deleting the timer and canceling the worker in
> brcmf_cfg80211_detach.
>
> Fixes: e756af5b30b0 ("brcmfmac: add e-scan support.")
> Signed-off-by: Zheng Wang <zyytlz.wz@....com>
> Cc: stable@...r.kernel.org
> ---
> v3:
> - rename the subject as Johannes suggested
> v2:
> - fix the error of kernel test bot reported
> ---
> drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
> index 667462369a32..646ec8bdf512 100644
> --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
> +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
> @@ -8431,6 +8431,9 @@ void brcmf_cfg80211_detach(struct brcmf_cfg80211_info *cfg)
> if (!cfg)
> return;
>
> + if (timer_pending(&cfg->escan_timeout))
> + del_timer_sync(&cfg->escan_timeout);
> + cancel_work_sync(&cfg->escan_timeout_work);
> brcmf_pno_detach(cfg);
> brcmf_btcoex_detach(cfg);
> wiphy_unregister(cfg->wiphy);
> --
> 2.25.1
>
Powered by blists - more mailing lists