lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CAJedcCzj9SFbx-=xDymqJyV2fu0xjmz2RH4+gT+Gxsqubg35ZA@mail.gmail.com>
Date:   Wed, 15 Nov 2023 23:00:33 +0800
From:   Zheng Hacker <hackerzheng666@...il.com>
To:     Arend van Spriel <arend.vanspriel@...adcom.com>
Cc:     Kalle Valo <kvalo@...nel.org>, Zheng Wang <zyytlz.wz@....com>,
        aspriel@...il.com, franky.lin@...adcom.com,
        hante.meuleman@...adcom.com, johannes.berg@...el.com,
        marcan@...can.st, linus.walleij@...aro.org,
        jisoo.jang@...sei.ac.kr, linuxlovemin@...sei.ac.kr,
        wataru.gohda@...ress.com, linux-wireless@...r.kernel.org,
        brcm80211-dev-list.pdl@...adcom.com,
        SHA-cyfmac-dev-list@...ineon.com, linux-kernel@...r.kernel.org,
        security@...nel.org, stable@...r.kernel.org
Subject: Re: [PATCH v5] wifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach

Arend van Spriel <arend.vanspriel@...adcom.com> 于2023年11月13日周一 17:18写道:
>
> On November 8, 2023 4:03:26 AM Zheng Hacker <hackerzheng666@...il.com>
> wrote:
>
> > Arend Van Spriel <arend.vanspriel@...adcom.com> 于2023年11月6日周一 23:48写道:
> >>
> >> On November 6, 2023 3:44:53 PM Zheng Hacker <hackerzheng666@...il.com> wrote:
> >>
> >>> Thanks! I didn't test it for I don't have a device. Very appreciated
> >>> if anyone could help with that.
> >>
> >> I would volunteer, but it made me dig deep and not sure if there is a
> >> problem to solve here.
> >>
> >> brcmf_cfg80211_detach() calls wl_deinit_priv() -> brcmf_abort_scanning() ->
> >> brcmf_notify_escan_complete() which does delete the timer.
> >>
> >> What am I missing here?
> >
> > Thanks four your detailed review. I did see the code and not sure if
> > brcmf_notify_escan_complete
> > would be triggered for sure. So in the first version I want to delete
> > the pending timer ahead of time.
>
> Why requesting a CVE when you are not sure? Seems a bit hasty to put it
> mildly.

I'm sure the issue exists because there's only cancler of timer but not woker.
As there's similar CVEs before like : https://github.com/V4bel/CVE-2022-41218,
I submit it as soon as I found it.

>
> > As I'm not very familiar with the logic here. I'm still not sure if we
> > should delete the timer_shutdown_sync.
> > Looking forward to your reply :)
>
> Reading the kerneldoc of timer_shutdown_sync() has the advantage that
> the timer can not be rearmed by another thread. However, that will only
> happen when a new scan is initiated in firmware, but the bus is already
> down so that can not happen. The only improvement (no bug fix!) I see
> here is to replace timer handling code in brcmf_notify_escan_complete():
>
> -       if (timer_pending(&cfg->escan_timeout))
> -               del_timer_sync(&cfg->escan_timeout);
> +       timer_delete_sync(&cfg->escan_timeout);
>

Very thanks for your reviews and suggestions! I thinks it's a good
idea. I'll make
another patch sooner or later.

Best regards,
Zheng

> Regards,
> Arend

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ