From: Kalle Valo <kvalo@kernel.org>
To: Zheng Wang <zyytlz.wz@163.com>
Cc: aspriel@gmail.com, franky.lin@broadcom.com,
hante.meuleman@broadcom.com, johannes.berg@intel.com,
marcan@marcan.st, linus.walleij@linaro.org,
jisoo.jang@yonsei.ac.kr, linuxlovemin@yonsei.ac.kr,
wataru.gohda@cypress.com, linux-wireless@vger.kernel.org,
brcm80211-dev-list.pdl@broadcom.com,
arend.vanspriel@broadcom.com, SHA-cyfmac-dev-list@infineon.com,
linux-kernel@vger.kernel.org, security@kernel.org,
stable@vger.kernel.org, hackerzheng666@gmail.com
Subject: Re: [PATCH v5] wifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach
Date: Mon, 06 Nov 2023 16:41:45 +0200
Message-ID: <87o7g7ueom.fsf@kernel.org>
In-Reply-To: <20231106141704.866455-1-zyytlz.wz@163.com> (Zheng Wang's message of "Mon, 6 Nov 2023 22:17:04 +0800")
Zheng Wang <zyytlz.wz@163.com> writes:
> This is the candidate patch of CVE-2023-47233 :
> https://nvd.nist.gov/vuln/detail/CVE-2023-47233
>
> In the brcm80211 driver, it starts with the following invoking chain
> to init a timeout worker:
>
> ->brcmf_usb_probe
> ->brcmf_usb_probe_cb
> ->brcmf_attach
> ->brcmf_bus_started
> ->brcmf_cfg80211_attach
> ->wl_init_priv
> ->brcmf_init_escan
> ->INIT_WORK(&cfg->escan_timeout_work,
> brcmf_cfg80211_escan_timeout_worker);
>
> If we disconnect the USB by hotplug, it will call
> brcmf_usb_disconnect to do the cleanup. The invoking chain is:
>
> brcmf_usb_disconnect
> ->brcmf_usb_disconnect_cb
> ->brcmf_detach
> ->brcmf_cfg80211_detach
> ->kfree(cfg);
>
> Meanwhile, the timeout worker may still be running. This will cause
> a use-after-free bug on cfg in brcmf_cfg80211_escan_timeout_worker.
>
> Fix it by deleting the timer and canceling the worker in
> brcmf_cfg80211_detach.
>
> Fixes: e756af5b30b0 ("brcmfmac: add e-scan support.")
> Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
> Cc: stable@vger.kernel.org
> ---
> v5:
> - replace del_timer_sync with timer_shutdown_sync as suggested by
> Arend and Takashi
> v4:
> - rename the subject and add CVE number as Ping-Ke Shih suggested
> v3:
> - rename the subject as Johannes suggested
> v2:
> - fix the error reported by the kernel test bot
> ---
> drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
> index 667462369a32..a8723a61c9e4 100644
> --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
> +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
> @@ -8431,6 +8431,8 @@ void brcmf_cfg80211_detach(struct brcmf_cfg80211_info *cfg)
> if (!cfg)
> return;
>
> + timer_shutdown_sync(&cfg->escan_timeout);
> + cancel_work_sync(&cfg->escan_timeout_work);
> brcmf_pno_detach(cfg);
> brcmf_btcoex_detach(cfg);
> wiphy_unregister(cfg->wiphy);
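Review bot: the ordering in this hunk, timer_shutdown_sync() before cancel_work_sync(), is only correct if the timer callback is what queues escan_timeout_work, because shutting the timer down first is what guarantees nothing re-queues the work after cancel_work_sync() returns; the commit message only says the work is initialised in brcmf_init_escan, so it should state that relationship explicitly. Also, since the patch is Cc: stable and v5 replaced del_timer_sync() with timer_shutdown_sync(), the changelog should say which stable series carry timer_shutdown_sync() so that backports to trees without it can fall back to del_timer_sync().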
Has anyone tested this on a real device? As v1 didn't even compile I am
very cautious:
https://patchwork.kernel.org/project/linux-wireless/patch/20231104054709.716585-1-zyytlz.wz@163.com/
--
https://patchwork.kernel.org/project/linux-wireless/list/
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
2023-11-06 14:17 [PATCH v5] wifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach Zheng Wang
2023-11-06 14:41 ` Kalle Valo [this message]
2023-11-06 14:44 ` Zheng Hacker
2023-11-06 15:48 ` Arend Van Spriel
2023-11-08 3:03 ` Zheng Hacker
2023-11-13 9:18 ` Arend van Spriel
2023-11-13 12:11 ` Kalle Valo
2023-11-15 15:00 ` Zheng Hacker
2023-11-16 18:20 ` Arend Van Spriel
2023-11-16 18:25 ` Takashi Iwai
2023-11-16 19:02 ` Arend Van Spriel
2023-11-17 2:31 ` Zheng Hacker
2023-11-17 6:24 ` Arend Van Spriel
2023-12-12 13:48 ` Lee Jones