| Message ID | 20231106043957.815407-1-zyytlz.wz@163.com (mailing list archive) |
|---|---|
| State | Changes Requested |
| Delegated to: | Kalle Valo |
| Headers | show |
| Series | [v3] brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach | expand |
This is the candidate patch of CVE-2023-47233 : https://nvd.nist.gov/vuln/detail/CVE-2023-47233 Appreciate the review and suggestions. Zheng Wang <zyytlz.wz@163.com> 于2023年11月6日周一 12:42写道: > > In brcm80211 driver,it starts with the following invoking chain > to start init a timeout worker: > > ->brcmf_usb_probe > ->brcmf_usb_probe_cb > ->brcmf_attach > ->brcmf_bus_started > ->brcmf_cfg80211_attach > ->wl_init_priv > ->brcmf_init_escan > ->INIT_WORK(&cfg->escan_timeout_work, > brcmf_cfg80211_escan_timeout_worker); > > If we disconnect the USB by hotplug, it will call > brcmf_usb_disconnect to make cleanup. The invoking chain is : > > brcmf_usb_disconnect > ->brcmf_usb_disconnect_cb > ->brcmf_detach > ->brcmf_cfg80211_detach > ->kfree(cfg); > > While the timeout woker may still be running. This will cause > a use-after-free bug on cfg in brcmf_cfg80211_escan_timeout_worker. > > Fix it by deleting the timer and canceling the worker in > brcmf_cfg80211_detach. > > Fixes: e756af5b30b0 ("brcmfmac: add e-scan support.") > Signed-off-by: Zheng Wang <zyytlz.wz@163.com> > Cc: stable@vger.kernel.org > --- > v3: > - rename the subject as Johannes suggested > v2: > - fix the error of kernel test bot reported > --- > drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c > index 667462369a32..646ec8bdf512 100644 > --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c > +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c > @@ -8431,6 +8431,9 @@ void brcmf_cfg80211_detach(struct brcmf_cfg80211_info *cfg) > if (!cfg) > return; > > + if (timer_pending(&cfg->escan_timeout)) > + del_timer_sync(&cfg->escan_timeout); > + cancel_work_sync(&cfg->escan_timeout_work); > brcmf_pno_detach(cfg); > brcmf_btcoex_detach(cfg); > wiphy_unregister(cfg->wiphy); > -- > 2.25.1 >
> -----Original Message----- > From: Zheng Hacker <hackerzheng666@gmail.com> > Sent: Monday, November 6, 2023 1:16 PM > To: Zheng Wang <zyytlz.wz@163.com> > Cc: aspriel@gmail.com; franky.lin@broadcom.com; hante.meuleman@broadcom.com; kvalo@kernel.org; > johannes.berg@intel.com; marcan@marcan.st; linus.walleij@linaro.org; jisoo.jang@yonsei.ac.kr; > linuxlovemin@yonsei.ac.kr; wataru.gohda@cypress.com; linux-wireless@vger.kernel.org; > brcm80211-dev-list.pdl@broadcom.com; SHA-cyfmac-dev-list@infineon.com; linux-kernel@vger.kernel.org; > security@kernel.org; stable@vger.kernel.org > Subject: Re: [PATCH v3] brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach subject prefix "wif: brcmfmac: ..." Try "git log --oneline drivers/net/wireless/broadcom/brcm80211/brcmfmac" to know that. > > This is the candidate patch of CVE-2023-47233 : > https://nvd.nist.gov/vuln/detail/CVE-2023-47233 I think you can add this link to commit message as well.
Ping-Ke Shih <pkshih@realtek.com> 于2023年11月6日周一 14:43写道: > > > > > -----Original Message----- > > From: Zheng Hacker <hackerzheng666@gmail.com> > > Sent: Monday, November 6, 2023 1:16 PM > > To: Zheng Wang <zyytlz.wz@163.com> > > Cc: aspriel@gmail.com; franky.lin@broadcom.com; hante.meuleman@broadcom.com; kvalo@kernel.org; > > johannes.berg@intel.com; marcan@marcan.st; linus.walleij@linaro.org; jisoo.jang@yonsei.ac.kr; > > linuxlovemin@yonsei.ac.kr; wataru.gohda@cypress.com; linux-wireless@vger.kernel.org; > > brcm80211-dev-list.pdl@broadcom.com; SHA-cyfmac-dev-list@infineon.com; linux-kernel@vger.kernel.org; > > security@kernel.org; stable@vger.kernel.org > > Subject: Re: [PATCH v3] brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach > > subject prefix "wif: brcmfmac: ..." > Try "git log --oneline drivers/net/wireless/broadcom/brcm80211/brcmfmac" to know that. > Get it! Thanks for your kind reminder. > > > > This is the candidate patch of CVE-2023-47233 : > > https://nvd.nist.gov/vuln/detail/CVE-2023-47233 > > I think you can add this link to commit message as well. > > Will apply your suggestion in the next version. Best regrads, Zheng
diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c index 667462369a32..646ec8bdf512 100644 --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c @@ -8431,6 +8431,9 @@ void brcmf_cfg80211_detach(struct brcmf_cfg80211_info *cfg) if (!cfg) return; + if (timer_pending(&cfg->escan_timeout)) + del_timer_sync(&cfg->escan_timeout); + cancel_work_sync(&cfg->escan_timeout_work); brcmf_pno_detach(cfg); brcmf_btcoex_detach(cfg); wiphy_unregister(cfg->wiphy);
In brcm80211 driver,it starts with the following invoking chain to start init a timeout worker: ->brcmf_usb_probe ->brcmf_usb_probe_cb ->brcmf_attach ->brcmf_bus_started ->brcmf_cfg80211_attach ->wl_init_priv ->brcmf_init_escan ->INIT_WORK(&cfg->escan_timeout_work, brcmf_cfg80211_escan_timeout_worker); If we disconnect the USB by hotplug, it will call brcmf_usb_disconnect to make cleanup. The invoking chain is : brcmf_usb_disconnect ->brcmf_usb_disconnect_cb ->brcmf_detach ->brcmf_cfg80211_detach ->kfree(cfg); While the timeout woker may still be running. This will cause a use-after-free bug on cfg in brcmf_cfg80211_escan_timeout_worker. Fix it by deleting the timer and canceling the worker in brcmf_cfg80211_detach. Fixes: e756af5b30b0 ("brcmfmac: add e-scan support.") Signed-off-by: Zheng Wang <zyytlz.wz@163.com> Cc: stable@vger.kernel.org --- v3: - rename the subject as Johannes suggested v2: - fix the error of kernel test bot reported --- drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 3 +++ 1 file changed, 3 insertions(+)