| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAMVG2stHA9qSUiRFBW=-4jhSMk-o7Frext+Qf9JK3Fo822XHhw@mail.gmail.com>
Date: Mon, 6 Mar 2017 15:14:04 +0800
From: Daniel J Blueman <daniel@...ra.org>
To: Hante Meuleman <hante.meuleman@...adcom.com>,
Arend Van Spriel <arend.vanspriel@...adcom.com>,
Pieter-Paul Giesberts <pieterpg@...adcom.com>
Cc: Netdev <netdev@...r.kernel.org>, David Miller <davem@...emloft.net>
Subject: [PATCH] 4.9.13 brcmfmac: fix use-after-free on resume
KASAN reported 'struct wireless_dev wdev' was read after being freed.
Fix by freeing after the access.
Signed-off-by: Daniel J Blueman <daniel@...ra.org>
diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c
b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c
index de19c7c..aa0f470 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c
@@ -2288,12 +2288,13 @@ int brcmf_p2p_del_vif(struct wiphy *wiphy,
struct wireless_dev *wdev)
else
err = 0;
}
- brcmf_remove_interface(vif->ifp, true);
- brcmf_cfg80211_arm_vif_event(cfg, NULL);
if (vif->wdev.iftype != NL80211_IFTYPE_P2P_DEVICE)
p2p->bss_idx[P2PAPI_BSSCFG_CONNECTION].vif = NULL;
+ brcmf_remove_interface(vif->ifp, true);
+ brcmf_cfg80211_arm_vif_event(cfg, NULL);
+
return err;
}
--
Daniel J Blueman
Powered by blists - more mailing lists