From patchwork Sun Jan 7 07:25:04 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arend Van Spriel X-Patchwork-Id: 760751 Received: from mail-wr1-f49.google.com (mail-wr1-f49.google.com [209.85.221.49]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8CEC112B69 for ; Sun, 7 Jan 2024 07:25:12 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=broadcom.com Authentication-Results: smtp.subspace.kernel.org; spf=fail smtp.mailfrom=broadcom.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=broadcom.com header.i=@broadcom.com header.b="V/o3WJQF" Received: by mail-wr1-f49.google.com with SMTP id ffacd0b85a97d-3368b9bbeb4so1014243f8f.2 for ; Sat, 06 Jan 2024 23:25:12 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=broadcom.com; s=google; t=1704612311; x=1705217111; darn=vger.kernel.org; h=mime-version:message-id:date:subject:cc:to:from:from:to:cc:subject :date:message-id:reply-to; bh=trPBsTgcB+4AgMZIWaHu0Fsswd8+qhoQazvyV2B1Fa8=; b=V/o3WJQFPxn3WfZ93TQ0oyhhb7UK2ocpdINPCLnREeKmWAe6gDkyHHHurezus2uRp8 sQ75uDah3I+ixJ7isz5GeMEEEmC+oVHxHnVD+9BjSpeerjkaF4TEhRlY5aWvMM+UGR+8 R6tSx5jaRoD3J429VsF2SBmCki6F6uDWbBv70= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1704612311; x=1705217111; h=mime-version:message-id:date:subject:cc:to:from:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=trPBsTgcB+4AgMZIWaHu0Fsswd8+qhoQazvyV2B1Fa8=; b=nHNdx5tUTlWFWUMtCc/NXwd0dG9kmmdg+/w41Dec8LJxzlCoGA7qgB7ymsd2eIICL1 xeHVnwa1eoyY9lBWGz6wARUA8bIZ1pFSsCcstZO5KJluAxdSnzYHBrljcu4saiwIweS3 K89lgvgIbkFVqRP81Gvw9u3PhiKCn6EXqDXm/WFatOy+1Ad9M32Jwk6fqKO5bz/o4M7K p7ApSHNH6lz0w5/QugU5/UodDh+QuQ6xwA90YG+UNw3HcGq65bEJaQxLNrmDTE3XghF7 z2sTqkbkI4LXz/xwysdu38FDnHfJYVOrF3mmyXn/T73idOf489LevN3ERb80eZvRIWZQ NV1A== X-Gm-Message-State: AOJu0Yz/IdeX0g3Irz+GollfrdMVpeX+7ko4LGSpQEgvSL6KHoZ/0ztU 12bYRca62mGT2fFQYJq0Q5Kyj+sfjxV6 X-Google-Smtp-Source: AGHT+IHSEo6wnTdgbt3sAaRe/uZTu6e7crDCMz8NmCt2CISDKUJwTgykYv5j5tb0+6Q3uiFWiiaPZg== X-Received: by 2002:adf:efc9:0:b0:337:68a7:5272 with SMTP id i9-20020adfefc9000000b0033768a75272mr111337wrp.23.1704612310696; Sat, 06 Jan 2024 23:25:10 -0800 (PST) Received: from bld-bun-02.bun.broadcom.net ([192.19.148.250]) by smtp.gmail.com with ESMTPSA id l15-20020a5d410f000000b00336e43e8e57sm4714647wrp.58.2024.01.06.23.25.09 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Sat, 06 Jan 2024 23:25:09 -0800 (PST) From: Arend van Spriel To: Kalle Valo Cc: linux-wireless@vger.kernel.org, Zheng Wang , stable@vger.kernel.org, Arend van Spriel Subject: [PATCH V6] wifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach Date: Sun, 7 Jan 2024 08:25:04 +0100 Message-Id: <20240107072504.392713-1-arend.vanspriel@broadcom.com> X-Mailer: git-send-email 2.32.0 Precedence: bulk X-Mailing-List: linux-wireless@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 From: Zheng Wang This is the candidate patch of CVE-2023-47233 : https://nvd.nist.gov/vuln/detail/CVE-2023-47233 In brcm80211 driver,it starts with the following invoking chain to start init a timeout worker: ->brcmf_usb_probe ->brcmf_usb_probe_cb ->brcmf_attach ->brcmf_bus_started ->brcmf_cfg80211_attach ->wl_init_priv ->brcmf_init_escan ->INIT_WORK(&cfg->escan_timeout_work, brcmf_cfg80211_escan_timeout_worker); If we disconnect the USB by hotplug, it will call brcmf_usb_disconnect to make cleanup. The invoking chain is : brcmf_usb_disconnect ->brcmf_usb_disconnect_cb ->brcmf_detach ->brcmf_cfg80211_detach ->kfree(cfg); While the timeout woker may still be running. This will cause a use-after-free bug on cfg in brcmf_cfg80211_escan_timeout_worker. Fix it by deleting the timer and canceling the worker in brcmf_cfg80211_detach. Fixes: e756af5b30b0 ("brcmfmac: add e-scan support.") Signed-off-by: Zheng Wang Cc: stable@vger.kernel.org [arend.vanspriel@broadcom.com: keep timer delete as is and cancel work just before free] Signed-off-by: Arend van Spriel --- drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) base-commit: 3aca362a4c1411ec11ff04f81b6cdf2359fee962 diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c index 133c5ea6429c..52df03243c9f 100644 --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c @@ -1179,8 +1179,7 @@ s32 brcmf_notify_escan_complete(struct brcmf_cfg80211_info *cfg, scan_request = cfg->scan_request; cfg->scan_request = NULL; - if (timer_pending(&cfg->escan_timeout)) - del_timer_sync(&cfg->escan_timeout); + timer_delete_sync(&cfg->escan_timeout); if (fw_abort) { /* Do a scan abort to stop the driver's scan engine */ @@ -8435,6 +8434,7 @@ void brcmf_cfg80211_detach(struct brcmf_cfg80211_info *cfg) brcmf_btcoex_detach(cfg); wiphy_unregister(cfg->wiphy); wl_deinit_priv(cfg); + cancel_work_sync(&cfg->escan_timeout_work); brcmf_free_wiphy(cfg->wiphy); kfree(cfg); }