lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <18ba5520da0.279b.9b12b7fc0a3841636cfb5e919b41b954@broadcom.com>
Date:   Mon, 06 Nov 2023 16:48:20 +0100
From:   Arend Van Spriel <arend.vanspriel@...adcom.com>
To:     Zheng Hacker <hackerzheng666@...il.com>,
        Kalle Valo <kvalo@...nel.org>
CC:     Zheng Wang <zyytlz.wz@....com>, <aspriel@...il.com>,
        <franky.lin@...adcom.com>, <hante.meuleman@...adcom.com>,
        <johannes.berg@...el.com>, <marcan@...can.st>,
        <linus.walleij@...aro.org>, <jisoo.jang@...sei.ac.kr>,
        <linuxlovemin@...sei.ac.kr>, <wataru.gohda@...ress.com>,
        <linux-wireless@...r.kernel.org>,
        <brcm80211-dev-list.pdl@...adcom.com>,
        <SHA-cyfmac-dev-list@...ineon.com>, <linux-kernel@...r.kernel.org>,
        <security@...nel.org>, <stable@...r.kernel.org>
Subject: Re: [PATCH v5] wifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach

On November 6, 2023 3:44:53 PM Zheng Hacker <hackerzheng666@...il.com> wrote:

> Thanks! I didn't test it for I don't have a device. Very appreciated
> if anyone could help with that.

I would volunteer, but it made me dig deep and not sure if there is a 
problem to solve here.

brcmf_cfg80211_detach() calls wl_deinit_priv() -> brcmf_abort_scanning() -> 
brcmf_notify_escan_complete() which does delete the timer.

What am I missing here?

Regards,
Arend

>
> Kalle Valo <kvalo@...nel.org> 于2023年11月6日周一 22:41写道:
>>
>> Zheng Wang <zyytlz.wz@....com> writes:
>>
>>> This is the candidate patch of CVE-2023-47233 :
>>> https://nvd.nist.gov/vuln/detail/CVE-2023-47233
>>>
>>> In brcm80211 driver,it starts with the following invoking chain
>>> to start init a timeout worker:
>>>
>>> ->brcmf_usb_probe
>>> ->brcmf_usb_probe_cb
>>> ->brcmf_attach
>>> ->brcmf_bus_started
>>>  ->brcmf_cfg80211_attach
>>>    ->wl_init_priv
>>>      ->brcmf_init_escan
>>>        ->INIT_WORK(&cfg->escan_timeout_work,
>>>          brcmf_cfg80211_escan_timeout_worker);
>>>
>>> If we disconnect the USB by hotplug, it will call
>>> brcmf_usb_disconnect to make cleanup. The invoking chain is :
>>>
>>> brcmf_usb_disconnect
>>> ->brcmf_usb_disconnect_cb
>>> ->brcmf_detach
>>> ->brcmf_cfg80211_detach
>>>  ->kfree(cfg);
>>>
>>> While the timeout woker may still be running. This will cause
>>> a use-after-free bug on cfg in brcmf_cfg80211_escan_timeout_worker.
>>>
>>> Fix it by deleting the timer and canceling the worker in
>>> brcmf_cfg80211_detach.
>>>
>>> Fixes: e756af5b30b0 ("brcmfmac: add e-scan support.")
>>> Signed-off-by: Zheng Wang <zyytlz.wz@....com>
>>> Cc: stable@...r.kernel.org
>>> ---
>>> v5:
>>> - replace del_timer_sync with timer_shutdown_sync suggested by
>>> Arend and Takashi
>>> v4:
>>> - rename the subject and add CVE number as Ping-Ke Shih suggested
>>> v3:
>>> - rename the subject as Johannes suggested
>>> v2:
>>> - fix the error of kernel test bot reported
>>> ---
>>> drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 2 ++
>>> 1 file changed, 2 insertions(+)
>>>
>>> diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c 
>>> b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
>>> index 667462369a32..a8723a61c9e4 100644
>>> --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
>>> +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
>>> @@ -8431,6 +8431,8 @@ void brcmf_cfg80211_detach(struct brcmf_cfg80211_info 
>>> *cfg)
>>> if (!cfg)
>>>        return;
>>>
>>> +     timer_shutdown_sync(&cfg->escan_timeout);
>>> +     cancel_work_sync(&cfg->escan_timeout_work);
>>> brcmf_pno_detach(cfg);
>>> brcmf_btcoex_detach(cfg);
>>> wiphy_unregister(cfg->wiphy);
>>
>> Has anyone tested this on a real device? As v1 didn't even compile I am
>> very cautious:
>>
>> https://patchwork.kernel.org/project/linux-wireless/patch/20231104054709.716585-1-zyytlz.wz@163.com/
>>
>> --
>> https://patchwork.kernel.org/project/linux-wireless/list/
>>
>> https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches




Download attachment "smime.p7s" of type "application/pkcs7-signature" (4219 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ