From: Kalle Valo <kvalo@kernel.org>
To: Arend van Spriel <arend.vanspriel@broadcom.com>
Cc: linux-wireless@vger.kernel.org, Zheng Wang <zyytlz.wz@163.com>,
	stable@vger.kernel.org,
	Arend van Spriel <arend.vanspriel@broadcom.com>
Subject: Re: [PATCH V6] wifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach
Date: Thu, 18 Jan 2024 13:17:47 +0000 (UTC)
Message-ID: <170558386628.2924528.18082567611022970252.kvalo@kernel.org>
In-Reply-To: <20240107072504.392713-1-arend.vanspriel@broadcom.com>

Arend van Spriel <arend.vanspriel@broadcom.com> wrote:

> From: Zheng Wang <zyytlz.wz@163.com>
> 
> This is the candidate patch of CVE-2023-47233 :
> https://nvd.nist.gov/vuln/detail/CVE-2023-47233
> 
> In the brcm80211 driver, it starts with the following invoking chain
> to init a timeout worker:
> 
> ->brcmf_usb_probe
>   ->brcmf_usb_probe_cb
>     ->brcmf_attach
>       ->brcmf_bus_started
>         ->brcmf_cfg80211_attach
>           ->wl_init_priv
>             ->brcmf_init_escan
>               ->INIT_WORK(&cfg->escan_timeout_work,
> 		  brcmf_cfg80211_escan_timeout_worker);
> 
> If we disconnect the USB by hotplug, it will call
> brcmf_usb_disconnect to do cleanup. The invoking chain is:
> 
> brcmf_usb_disconnect
>   ->brcmf_usb_disconnect_cb
>     ->brcmf_detach
>       ->brcmf_cfg80211_detach
>         ->kfree(cfg);
> 
> Meanwhile, the timeout worker may still be running. This will cause
> a use-after-free bug on cfg in brcmf_cfg80211_escan_timeout_worker.
> 
> Fix it by deleting the timer and canceling the worker in
> brcmf_cfg80211_detach.
> 
> Fixes: e756af5b30b0 ("brcmfmac: add e-scan support.")
> Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
> Cc: stable@vger.kernel.org
> [arend.vanspriel@broadcom.com: keep timer delete as is and cancel work just before free]
> Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>

Patch applied to wireless-next.git, thanks.

0f7352557a35 wifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach

-- 
https://patchwork.kernel.org/project/linux-wireless/patch/20240107072504.392713-1-arend.vanspriel@broadcom.com/

https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
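Added example, not part of this thread and not the driver's code: the race the commit message describes, reduced to user-space C. A toy one-thread workqueue keeps the distinction that matters here, an item that is still pending versus one whose handler is already running, and a `struct cfg` embeds its `escan_timeout_work` the way the driver's cfg object does, so freeing cfg also frees the work. `race_detach()` queues the work, waits until the worker is inside the handler, then runs the detach step: with a plain `cancel_work()` (drops a pending instance only) the handler still touches cfg after the simulated `kfree`; with `cancel_work_sync()` the free waits for the running instance, which is the ordering the patch adds to brcmf_cfg80211_detach. The workqueue, `struct cfg`, `race_detach` and the `freed`/`touched_after_free` flags are constructed for the demo; `freed` stands in for memory actually being returned, so the race is observable without corrupting the heap.

```c
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <stdbool.h>
#include <stdlib.h>
#include <time.h>

/* Toy stand-ins for a kernel work item and a one-thread, one-slot workqueue
 * (demo code, names mirror the kernel API).  An item is "pending" while it sits
 * in wq.queued and "running" while the worker thread is inside its fn. */
struct work {
	void (*fn)(struct work *);
	bool running;
};

static struct {
	pthread_mutex_t lock;
	pthread_cond_t cv;      /* signalled on queue, pick-up and completion */
	struct work *queued;    /* the pending item, if any */
	bool stop;
} wq = { PTHREAD_MUTEX_INITIALIZER, PTHREAD_COND_INITIALIZER, NULL, false };

static void *worker_thread(void *arg)
{
	(void)arg;
	pthread_mutex_lock(&wq.lock);
	while (!wq.stop) {
		struct work *w = wq.queued;
		if (!w) { pthread_cond_wait(&wq.cv, &wq.lock); continue; }
		wq.queued = NULL; w->running = true;
		pthread_cond_broadcast(&wq.cv);
		pthread_mutex_unlock(&wq.lock);
		w->fn(w);                      /* runs unlocked, as in the kernel */
		pthread_mutex_lock(&wq.lock);
		w->running = false;            /* last touch of w by this thread */
		pthread_cond_broadcast(&wq.cv);
	}
	pthread_mutex_unlock(&wq.lock);
	return NULL;
}

static void schedule_work(struct work *w)
{
	pthread_mutex_lock(&wq.lock);
	wq.queued = w; pthread_cond_broadcast(&wq.cv);
	pthread_mutex_unlock(&wq.lock);
}

/* cancel_work() drops a pending instance only; cancel_work_sync() additionally
 * waits until an instance that is already running has returned. */
static void do_cancel(struct work *w, bool sync)
{
	pthread_mutex_lock(&wq.lock);
	if (wq.queued == w) wq.queued = NULL;
	while (sync && w->running) pthread_cond_wait(&wq.cv, &wq.lock);
	pthread_mutex_unlock(&wq.lock);
}
static void cancel_work(struct work *w)      { do_cancel(w, false); }
static void cancel_work_sync(struct work *w) { do_cancel(w, true); }

/* Stand-in for the driver's cfg: the work item is embedded in it, so kfree(cfg)
 * frees the work the worker may still be using.  kfree is simulated by the
 * 'freed' flag so the race is observable without corrupting memory. */
struct cfg {
	struct work escan_timeout_work;   /* first member, so (struct cfg *)w works */
	_Atomic int freed;
	int touched_after_free;           /* read only after the worker has exited */
};

static void escan_timeout_worker(struct work *w)
{
	struct cfg *cfg = (struct cfg *)w;
	nanosleep(&(struct timespec){ 0, 100 * 1000 * 1000 }, NULL);   /* 100 ms of "work" */
	if (cfg->freed) cfg->touched_after_free = 1;   /* the use-after-free */
}

/* Hot-unplug race: queue the work, wait until the worker is inside it, then
 * run the detach path.  Returns 1 if the worker touched cfg after "kfree". */
static int race_detach(bool cancel_sync)
{
	struct cfg *cfg = calloc(1, sizeof *cfg);
	pthread_t tid;
	wq.queued = NULL; wq.stop = false;
	pthread_create(&tid, NULL, worker_thread, NULL);
	cfg->escan_timeout_work.fn = escan_timeout_worker;
	schedule_work(&cfg->escan_timeout_work);   /* what the escan timer does */
	pthread_mutex_lock(&wq.lock);
	while (!cfg->escan_timeout_work.running)   /* wait for the worker to be in fn */
		pthread_cond_wait(&wq.cv, &wq.lock);
	pthread_mutex_unlock(&wq.lock);
	/* brcmf_cfg80211_detach: only the sync variant waits for the running worker */
	(cancel_sync ? cancel_work_sync : cancel_work)(&cfg->escan_timeout_work);
	cfg->freed = 1;                            /* simulated kfree(cfg) */
	pthread_mutex_lock(&wq.lock); wq.stop = true;
	pthread_cond_broadcast(&wq.cv); pthread_mutex_unlock(&wq.lock);
	pthread_join(tid, NULL);                   /* now the memory can really go */
	int touched = cfg->touched_after_free;
	free(cfg);
	return touched;
}
```

`race_detach(false)` returns 1 (the handler touched cfg after the free) and `race_detach(true)` returns 0. Two details carry over to the real driver: the cancel has to be the `_sync` variant, because a plain cancel cannot undo a handler that already left the queue, and the timer that schedules this work has to be deleted before the work is cancelled, otherwise a late timer expiry can re-queue the work after the cancel and before the kfree; that is why the patch note keeps the timer delete where it was and puts the cancel right before the free.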
