lists.openwall.net - Open Source and information security mailing list archives (linux-kernel)
Message-ID: <18bdbf3c560.279b.9b12b7fc0a3841636cfb5e919b41b954@broadcom.com>
Date:   Fri, 17 Nov 2023 07:24:28 +0100
From:   Arend Van Spriel <arend.vanspriel@...adcom.com>
To:     Zheng Hacker <hackerzheng666@...il.com>,
        Takashi Iwai <tiwai@...e.de>
CC:     Kalle Valo <kvalo@...nel.org>, Zheng Wang <zyytlz.wz@....com>,
        <aspriel@...il.com>, <franky.lin@...adcom.com>,
        <hante.meuleman@...adcom.com>, <johannes.berg@...el.com>,
        <marcan@...can.st>, <linus.walleij@...aro.org>,
        <jisoo.jang@...sei.ac.kr>, <linuxlovemin@...sei.ac.kr>,
        <wataru.gohda@...ress.com>, <linux-wireless@...r.kernel.org>,
        <brcm80211-dev-list.pdl@...adcom.com>,
        <SHA-cyfmac-dev-list@...ineon.com>, <linux-kernel@...r.kernel.org>,
        <security@...nel.org>, <stable@...r.kernel.org>
Subject: Re: [PATCH v5] wifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach

On November 17, 2023 3:31:40 AM Zheng Hacker <hackerzheng666@...il.com> wrote:

> Yes, that makes this issue hard to fix. I was wondering why it binds the
> worker with the timer rather than using just one of them.

No top posting please!

The timer context is softirq and the worker is thread context. The ability to 
sleep is the big difference between the two, or at least the reason for 
using them here.

Regards,
Arend

>
> Takashi Iwai <tiwai@...e.de> wrote on Fri, 17 Nov 2023 at 02:25:
>>
>> On Thu, 16 Nov 2023 19:20:06 +0100,
>> Arend Van Spriel wrote:
>>>
>>> On November 15, 2023 4:00:46 PM Zheng Hacker <hackerzheng666@...il.com> wrote:
>>>
>>>> Arend van Spriel <arend.vanspriel@...adcom.com> wrote on Mon, 13 Nov 2023 at 17:18:
>>>>>
>>>>> On November 8, 2023 4:03:26 AM Zheng Hacker <hackerzheng666@...il.com>
>>>>> wrote:
>>>>>
>>>>>> Arend Van Spriel <arend.vanspriel@...adcom.com> wrote on Mon, 6 Nov 2023 at 23:48:
>>>>>>>
>>>>>>> On November 6, 2023 3:44:53 PM Zheng Hacker <hackerzheng666@...il.com> wrote:
>>>>>>>
>>>>>>>> Thanks! I didn't test it for I don't have a device. Very appreciated
>>>>>>>> if anyone could help with that.
>>>>>>>
>>>>>>> I would volunteer, but it made me dig deep and not sure if there is a
>>>>>>> problem to solve here.
>>>>>>>
>>>>>>> brcmf_cfg80211_detach() calls wl_deinit_priv() -> brcmf_abort_scanning() ->
>>>>>>> brcmf_notify_escan_complete() which does delete the timer.
>>>>>>>
>>>>>>> What am I missing here?
>>>>>>
>>>>>> Thanks for your detailed review. I did see the code and I'm not sure if
>>>>>> brcmf_notify_escan_complete
>>>>>> would be triggered for sure. So in the first version I wanted to delete
>>>>>> the pending timer ahead of time.
>>>>>
>>>>> Why requesting a CVE when you are not sure? Seems a bit hasty to put it
>>>>> mildly.
>>>>
>>>> I'm sure the issue exists because there's only a canceller for the timer but not for the worker.
>>>> As there were similar CVEs before, like https://github.com/V4bel/CVE-2022-41218,
>>>> I submitted it as soon as I found it.
>>>
>>> Ah, yes. The cancel_work_sync() can also be done in
>>> brcmf_notify_escan_complete().
>>
>> AFAIUC, brcmf_notify_scan_complete() is called from the work itself,
>> too, hence you can't issue cancel_work_sync() there (unless you make
>> it conditional).
>>
>>
>> Takashi
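The two points the thread turns on, the context difference Arend describes (a timer callback runs in softirq and may not sleep, a work item runs in a kernel thread and may) and the teardown problem behind the patch (the timer queues a worker, and freeing the owning object while either is still live is a use-after-free), can be shown in a small user-space model. This is an added example written for this page, not code from the thread or from the brcmfmac driver: the model_* functions are stand-ins for schedule_work(), cancel_work_sync() and might_sleep(), not the kernel implementations, and scan_ctx, escan_timeout and escan_timeout_work are hypothetical names. The self-cancel case inside the work function is Takashi's caveat; guarding it with the kernel's current_work() helper is a suggestion here, not something the thread settled on.

```c
/* Added example, not code from the thread or from brcmfmac: a single-threaded
 * user-space model of the timer -> work -> teardown pattern discussed above;
 * model_* functions stand in for the kernel API, other names are made up. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

struct work_struct { void (*fn)(struct work_struct *); };

/* One-slot workqueue, driven by model_run_work() instead of a worker thread. */
static struct {
    struct work_struct *pending, *running;  /* queued; currently executing */
    bool in_softirq;                        /* true inside a timer callback */
} wq;

/* might_sleep(): sleeping is only legal outside softirq (timer) context. */
static int model_sleep(void) { return wq.in_softirq ? -EBUSY : 0; }

/* The worker thread's job: run the queued item in thread context. */
static bool model_run_work(void)
{
    struct work_struct *w = wq.pending;
    if (!w) return false;
    wq.pending = NULL; wq.running = w;
    w->fn(w);                               /* may sleep: kernel thread */
    wq.running = NULL;
    return true;
}

/* cancel_work_sync(): 1 = queued item removed, 0 = nothing to do,
 * -EDEADLK = called from the work itself (it would wait for its own end). */
static int model_cancel_work_sync(struct work_struct *w)
{
    if (wq.running == w) return -EDEADLK;
    if (wq.pending != w) return 0;
    wq.pending = NULL;
    return 1;
}

struct scan_ctx {
    struct work_struct timeout_work;
    int timeouts_handled, timer_sleep_rc, work_sleep_rc, self_cancel_rc;
};

static void escan_timeout_work(struct work_struct *w)
{
    struct scan_ctx *ctx = container_of(w, struct scan_ctx, timeout_work);
    ctx->work_sleep_rc = model_sleep();     /* 0: thread context may sleep */
    ctx->timeouts_handled++;
    /* Takashi's caveat: a cancel_work_sync() on the work's own path lands
     * here; in the kernel, current_work() is the usual guard for that. */
    ctx->self_cancel_rc = model_cancel_work_sync(w);
}

/* Timer callback (softirq): may not sleep, so it only hands off to the worker. */
static void escan_timeout(struct scan_ctx *ctx)
{
    wq.in_softirq = true;
    ctx->timer_sleep_rc = model_sleep();    /* -EBUSY: softirq may not sleep */
    wq.pending = &ctx->timeout_work;        /* schedule_work() */
    wq.in_softirq = false;
}

/* Correct teardown: del_timer_sync() first (not modelled) so no new work can
 * be queued, then cancel the work synchronously, and only then free ctx. */
static int scan_ctx_detach(struct scan_ctx *ctx)
{
    return model_cancel_work_sync(&ctx->timeout_work);
}

/* Timer fires, worker runs, then detach: nothing left to cancel (returns 0). */
static int scenario_run_then_detach(struct scan_ctx *out)
{
    struct scan_ctx *ctx = calloc(1, sizeof *ctx);
    ctx->timeout_work.fn = escan_timeout_work;
    escan_timeout(ctx);
    model_run_work();
    int rc = scan_ctx_detach(ctx);
    *out = *ctx; free(ctx);
    return rc;
}

/* The bug pattern: ctx is freed while its work is still queued. Returns true
 * when the queue still points into freed memory (what the worker would use). */
static bool scenario_free_without_cancel(void)
{
    struct scan_ctx *ctx = calloc(1, sizeof *ctx);
    ctx->timeout_work.fn = escan_timeout_work;
    escan_timeout(ctx);
    bool dangling = (wq.pending == &ctx->timeout_work);
    free(ctx);
    wq.pending = NULL;   /* drop the dangling pointer rather than run it */
    return dangling;
}
```

The model is deliberately single-threaded so the order of events is fixed: scenario_run_then_detach() shows the normal path (the timer only queues, the worker sleeps and handles the timeout, detach finds nothing to cancel), and scenario_free_without_cancel() shows what the patch is about, a work pointer that outlives the object it lives in. In a real driver the worker thread, not the test, would dereference that pointer, which is why the cancel has to be synchronous and has to happen before the free, and why it cannot simply be placed on a path the work item itself executes.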
