kernel_samsung_a53x/drivers/net
Zheng Wang c82abfa57d wifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach
[ Upstream commit 0f7352557a35ab7888bc7831411ec8a3cbe20d78 ]

This is the candidate patch of CVE-2023-47233:
https://nvd.nist.gov/vuln/detail/CVE-2023-47233

In the brcm80211 driver, it starts with the following invoking chain
to init a timeout worker:

->brcmf_usb_probe
  ->brcmf_usb_probe_cb
    ->brcmf_attach
      ->brcmf_bus_started
        ->brcmf_cfg80211_attach
          ->wl_init_priv
            ->brcmf_init_escan
              ->INIT_WORK(&cfg->escan_timeout_work,
		  brcmf_cfg80211_escan_timeout_worker);

If we disconnect the USB by hotplug, it will call
brcmf_usb_disconnect to make cleanup. The invoking chain is:

brcmf_usb_disconnect
  ->brcmf_usb_disconnect_cb
    ->brcmf_detach
      ->brcmf_cfg80211_detach
        ->kfree(cfg);

While the timeout worker may still be running. This will cause
a use-after-free bug on cfg in brcmf_cfg80211_escan_timeout_worker.

Fix it by deleting the timer and canceling the worker in
brcmf_cfg80211_detach.

Fixes: e756af5b30b0 ("brcmfmac: add e-scan support.")
Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
Cc: stable@vger.kernel.org
[arend.vanspriel@broadcom.com: keep timer delete as is and cancel work just before free]
Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://msgid.link/20240107072504.392713-1-arend.vanspriel@broadcom.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
2024-11-19 09:22:14 +01:00
..
appletalk
arcnet arcnet: restoring support for multiple Sohard Arcnet cards 2024-11-18 12:11:39 +01:00
bonding bonding: remove print in bond_verify_device_path 2024-11-18 12:13:23 +01:00
caif
can
dropdump
dsa net: dsa: mt7530: prevent possible incorrect XTAL frequency selection 2024-11-19 08:44:59 +01:00
ethernet octeontx2-af: Use separate handlers for interrupts 2024-11-19 08:44:59 +01:00
fddi
fjes fjes: fix memleaks in fjes_hw_setup 2024-11-18 12:13:01 +01:00
hamradio
hippi
hyperv hv_netvsc: Register VF in netvsc_probe if NET_DEVICE_REGISTER missed 2024-11-18 23:19:52 +01:00
ieee802154
ipa
ipvlan ipvlan: add ipvlan_route_v6_outbound() helper 2024-11-18 11:43:19 +01:00
mdio
netdevsim
pcs
phy net: phy: dp83822: Fix RGMII TX delay configuration 2024-11-19 08:44:49 +01:00
plip
ppp ppp_async: limit MRU to 64K 2024-11-18 12:13:25 +01:00
slip
team team: Fix use-after-free when an option instance allocation fails 2024-11-18 12:11:57 +01:00
usb sr9800: Add check for usbnet_get_endpoints 2024-11-19 08:44:48 +01:00
vmxnet3
vxlan
wan
wimax
wireguard wireguard: receive: annotate data-race around receiving_counter.counter 2024-11-19 08:44:59 +01:00
wireless wifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach 2024-11-19 09:22:14 +01:00
xen-netback xen-netback: properly sync TX responses 2024-11-18 12:13:30 +01:00
bareudp.c
dummy.c
eql.c
geneve.c geneve: make sure to pull inner header in geneve_rx() 2024-11-18 23:19:34 +01:00
gtp.c gtp: fix use-after-free and null-ptr-deref in gtp_newlink() 2024-11-18 23:18:29 +01:00
ifb.c
Kconfig
LICENSE.SRC
loopback.c
macsec.c
macvlan.c macvlan: Don't propagate promisc change to lower dev in passthru 2024-11-18 11:43:20 +01:00
macvtap.c
Makefile
mdio.c
mii.c
net_failover.c
netconsole.c
nlmon.c
ntb_netdev.c
rionet.c
sb1000.c
Space.c
sungem_phy.c
tap.c
thunderbolt.c
tun.c tun: Fix xdp_rxq_info's queue_index when detaching 2024-11-18 23:18:28 +01:00
veth.c
virtio_net.c virtio_net: Fix "‘%d’ directive writing between 1 and 11 bytes into a region of size 10" warnings 2024-11-18 12:13:20 +01:00
vrf.c
vsockmon.c
xen-netfront.c