lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Thu, 16 Nov 2023 19:20:06 +0100
From:   Arend Van Spriel <arend.vanspriel@...adcom.com>
To:     Zheng Hacker <hackerzheng666@...il.com>
CC:     Kalle Valo <kvalo@...nel.org>, Zheng Wang <zyytlz.wz@....com>,
        <aspriel@...il.com>, <franky.lin@...adcom.com>,
        <hante.meuleman@...adcom.com>, <johannes.berg@...el.com>,
        <marcan@...can.st>, <linus.walleij@...aro.org>,
        <jisoo.jang@...sei.ac.kr>, <linuxlovemin@...sei.ac.kr>,
        <wataru.gohda@...ress.com>, <linux-wireless@...r.kernel.org>,
        <brcm80211-dev-list.pdl@...adcom.com>,
        <SHA-cyfmac-dev-list@...ineon.com>, <linux-kernel@...r.kernel.org>,
        <security@...nel.org>, <stable@...r.kernel.org>
Subject: Re: [PATCH v5] wifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach

On November 15, 2023 4:00:46 PM Zheng Hacker <hackerzheng666@...il.com> wrote:

> Arend van Spriel <arend.vanspriel@...adcom.com> 于2023年11月13日周一 17:18写道:
>>
>> On November 8, 2023 4:03:26 AM Zheng Hacker <hackerzheng666@...il.com>
>> wrote:
>>
>>> Arend Van Spriel <arend.vanspriel@...adcom.com> 于2023年11月6日周一 23:48写道:
>>>>
>>>> On November 6, 2023 3:44:53 PM Zheng Hacker <hackerzheng666@...il.com> wrote:
>>>>
>>>>> Thanks! I didn't test it for I don't have a device. Very appreciated
>>>>> if anyone could help with that.
>>>>
>>>> I would volunteer, but it made me dig deep and not sure if there is a
>>>> problem to solve here.
>>>>
>>>> brcmf_cfg80211_detach() calls wl_deinit_priv() -> brcmf_abort_scanning() ->
>>>> brcmf_notify_escan_complete() which does delete the timer.
>>>>
>>>> What am I missing here?
>>>
>>> Thanks four your detailed review. I did see the code and not sure if
>>> brcmf_notify_escan_complete
>>> would be triggered for sure. So in the first version I want to delete
>>> the pending timer ahead of time.
>>
>> Why requesting a CVE when you are not sure? Seems a bit hasty to put it
>> mildly.
>
> I'm sure the issue exists because there's only cancler of timer but not woker.
> As there's similar CVEs before like : https://github.com/V4bel/CVE-2022-41218,
> I submit it as soon as I found it.

Ah, yes. The cancel_work_sync() can also be done in 
brcmf_notify_escan_complete().

Regards,
Arend



Download attachment "smime.p7s" of type "application/pkcs7-signature" (4219 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ