[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <18bdbf3c560.279b.9b12b7fc0a3841636cfb5e919b41b954@broadcom.com>
Date: Fri, 17 Nov 2023 07:24:28 +0100
From: Arend Van Spriel <arend.vanspriel@...adcom.com>
To: Zheng Hacker <hackerzheng666@...il.com>,
Takashi Iwai <tiwai@...e.de>
CC: Kalle Valo <kvalo@...nel.org>, Zheng Wang <zyytlz.wz@....com>,
<aspriel@...il.com>, <franky.lin@...adcom.com>,
<hante.meuleman@...adcom.com>, <johannes.berg@...el.com>,
<marcan@...can.st>, <linus.walleij@...aro.org>,
<jisoo.jang@...sei.ac.kr>, <linuxlovemin@...sei.ac.kr>,
<wataru.gohda@...ress.com>, <linux-wireless@...r.kernel.org>,
<brcm80211-dev-list.pdl@...adcom.com>,
<SHA-cyfmac-dev-list@...ineon.com>, <linux-kernel@...r.kernel.org>,
<security@...nel.org>, <stable@...r.kernel.org>
Subject: Re: [PATCH v5] wifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach
On November 17, 2023 3:31:40 AM Zheng Hacker <hackerzheng666@...il.com> wrote:
> Yes, that makes this issue hard to fix. I was wondering why it binds the
> worker with the timer rather than using just one of them.
No top posting please!
The timer context is softirq and worker is thread context. The ability to
sleep is the big difference between the two or at least the reason for
using them here.
Regards,
Arend
>
> Takashi Iwai <tiwai@...e.de> 于2023年11月17日周五 02:25写道:
>>
>> On Thu, 16 Nov 2023 19:20:06 +0100,
>> Arend Van Spriel wrote:
>>>
>>> On November 15, 2023 4:00:46 PM Zheng Hacker <hackerzheng666@...il.com> wrote:
>>>
>>>> Arend van Spriel <arend.vanspriel@...adcom.com> 于2023年11月13日周一 17:18写道:
>>>>>
>>>>> On November 8, 2023 4:03:26 AM Zheng Hacker <hackerzheng666@...il.com>
>>>>> wrote:
>>>>>
>>>>>> Arend Van Spriel <arend.vanspriel@...adcom.com> 于2023年11月6日周一 23:48写道:
>>>>>>>
>>>>>>> On November 6, 2023 3:44:53 PM Zheng Hacker <hackerzheng666@...il.com> wrote:
>>>>>>>
>>>>>>>> Thanks! I didn't test it for I don't have a device. Very appreciated
>>>>>>>> if anyone could help with that.
>>>>>>>
>>>>>>> I would volunteer, but it made me dig deep and not sure if there is a
>>>>>>> problem to solve here.
>>>>>>>
>>>>>>> brcmf_cfg80211_detach() calls wl_deinit_priv() -> brcmf_abort_scanning() ->
>>>>>>> brcmf_notify_escan_complete() which does delete the timer.
>>>>>>>
>>>>>>> What am I missing here?
>>>>>>
>>>>>> Thanks four your detailed review. I did see the code and not sure if
>>>>>> brcmf_notify_escan_complete
>>>>>> would be triggered for sure. So in the first version I want to delete
>>>>>> the pending timer ahead of time.
>>>>>
>>>>> Why requesting a CVE when you are not sure? Seems a bit hasty to put it
>>>>> mildly.
>>>>
>>>> I'm sure the issue exists because there's only cancler of timer but not woker.
>>>> As there's similar CVEs before like : https://github.com/V4bel/CVE-2022-41218,
>>>> I submit it as soon as I found it.
>>>
>>> Ah, yes. The cancel_work_sync() can also be done in
>>> brcmf_notify_escan_complete().
>>
>> AFAIUC, brcmf_notify_scan_complete() is called from the work itself,
>> too, hence you can't issue cancel_work_sync() there (unless you make
>> it conditional).
>>
>>
>> Takashi
Download attachment "smime.p7s" of type "application/pkcs7-signature" (4219 bytes)
Powered by blists - more mailing lists