lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Thu, 16 Nov 2023 19:25:10 +0100
From:   Takashi Iwai <tiwai@...e.de>
To:     Arend Van Spriel <arend.vanspriel@...adcom.com>
Cc:     Zheng Hacker <hackerzheng666@...il.com>,
        Kalle Valo <kvalo@...nel.org>, Zheng Wang <zyytlz.wz@....com>,
        <aspriel@...il.com>, <franky.lin@...adcom.com>,
        <hante.meuleman@...adcom.com>, <johannes.berg@...el.com>,
        <marcan@...can.st>, <linus.walleij@...aro.org>,
        <jisoo.jang@...sei.ac.kr>, <linuxlovemin@...sei.ac.kr>,
        <wataru.gohda@...ress.com>, <linux-wireless@...r.kernel.org>,
        <brcm80211-dev-list.pdl@...adcom.com>,
        <SHA-cyfmac-dev-list@...ineon.com>, <linux-kernel@...r.kernel.org>,
        <security@...nel.org>, <stable@...r.kernel.org>
Subject: Re: [PATCH v5] wifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach

On Thu, 16 Nov 2023 19:20:06 +0100,
Arend Van Spriel wrote:
> 
> On November 15, 2023 4:00:46 PM Zheng Hacker <hackerzheng666@...il.com> wrote:
> 
> > Arend van Spriel <arend.vanspriel@...adcom.com> 于2023年11月13日周一 17:18写道:
> >> 
> >> On November 8, 2023 4:03:26 AM Zheng Hacker <hackerzheng666@...il.com>
> >> wrote:
> >> 
> >>> Arend Van Spriel <arend.vanspriel@...adcom.com> 于2023年11月6日周一 23:48写道:
> >>>> 
> >>>> On November 6, 2023 3:44:53 PM Zheng Hacker <hackerzheng666@...il.com> wrote:
> >>>> 
> >>>>> Thanks! I didn't test it for I don't have a device. Very appreciated
> >>>>> if anyone could help with that.
> >>>> 
> >>>> I would volunteer, but it made me dig deep and not sure if there is a
> >>>> problem to solve here.
> >>>> 
> >>>> brcmf_cfg80211_detach() calls wl_deinit_priv() -> brcmf_abort_scanning() ->
> >>>> brcmf_notify_escan_complete() which does delete the timer.
> >>>> 
> >>>> What am I missing here?
> >>> 
> >>> Thanks four your detailed review. I did see the code and not sure if
> >>> brcmf_notify_escan_complete
> >>> would be triggered for sure. So in the first version I want to delete
> >>> the pending timer ahead of time.
> >> 
> >> Why requesting a CVE when you are not sure? Seems a bit hasty to put it
> >> mildly.
> > 
> > I'm sure the issue exists because there's only cancler of timer but not woker.
> > As there's similar CVEs before like : https://github.com/V4bel/CVE-2022-41218,
> > I submit it as soon as I found it.
> 
> Ah, yes. The cancel_work_sync() can also be done in
> brcmf_notify_escan_complete().

AFAIUC, brcmf_notify_scan_complete() is called from the work itself,
too, hence you can't issue cancel_work_sync() there (unless you make
it conditional).


Takashi

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ