2023-11-06 07:32:51

by Zheng Wang

[permalink] [raw]
Subject: [PATCH v4] wifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach

This is the candidate patch of CVE-2023-47233 :
https://nvd.nist.gov/vuln/detail/CVE-2023-47233

In brcm80211 driver,it starts with the following invoking chain
to start init a timeout worker:

->brcmf_usb_probe
->brcmf_usb_probe_cb
->brcmf_attach
->brcmf_bus_started
->brcmf_cfg80211_attach
->wl_init_priv
->brcmf_init_escan
->INIT_WORK(&cfg->escan_timeout_work,
brcmf_cfg80211_escan_timeout_worker);

If we disconnect the USB by hotplug, it will call
brcmf_usb_disconnect to make cleanup. The invoking chain is :

brcmf_usb_disconnect
->brcmf_usb_disconnect_cb
->brcmf_detach
->brcmf_cfg80211_detach
->kfree(cfg);

While the timeout woker may still be running. This will cause
a use-after-free bug on cfg in brcmf_cfg80211_escan_timeout_worker.

Fix it by deleting the timer and canceling the worker in
brcmf_cfg80211_detach.

Fixes: e756af5b30b0 ("brcmfmac: add e-scan support.")
Signed-off-by: Zheng Wang <[email protected]>
Cc: [email protected]
---
v4:
- rename the subject and add CVE number as Ping-Ke Shih suggested
v3:
- rename the subject as Johannes suggested
v2:
- fix the error of kernel test bot reported
---
drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
index 667462369a32..646ec8bdf512 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
@@ -8431,6 +8431,9 @@ void brcmf_cfg80211_detach(struct brcmf_cfg80211_info *cfg)
if (!cfg)
return;

+ if (timer_pending(&cfg->escan_timeout))
+ del_timer_sync(&cfg->escan_timeout);
+ cancel_work_sync(&cfg->escan_timeout_work);
brcmf_pno_detach(cfg);
brcmf_btcoex_detach(cfg);
wiphy_unregister(cfg->wiphy);
--
2.25.1


2023-11-06 10:14:43

by Arend Van Spriel

[permalink] [raw]
Subject: Re: [PATCH v4] wifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach

On 11/6/2023 8:30 AM, Zheng Wang wrote:
> This is the candidate patch of CVE-2023-47233 :
> https://nvd.nist.gov/vuln/detail/CVE-2023-47233

[...]

> Fix it by deleting the timer and canceling the worker in
> brcmf_cfg80211_detach.
>
> Fixes: e756af5b30b0 ("brcmfmac: add e-scan support.")
Reviewed-by: Arend van Spriel <[email protected]>
> Signed-off-by: Zheng Wang <[email protected]>
> Cc: [email protected]
> ---
> v4:
> - rename the subject and add CVE number as Ping-Ke Shih suggested
> v3:
> - rename the subject as Johannes suggested
> v2:
> - fix the error of kernel test bot reported
> ---
> drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
> index 667462369a32..646ec8bdf512 100644
> --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
> +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
> @@ -8431,6 +8431,9 @@ void brcmf_cfg80211_detach(struct brcmf_cfg80211_info *cfg)
> if (!cfg)
> return;
>
> + if (timer_pending(&cfg->escan_timeout))
> + del_timer_sync(&cfg->escan_timeout);

del_timer_sync() is kept for legacy. Use timer_delete_sync() instead
[1]. Also checking timer_pending() before deletion is useless looking at
the return values from timer_delete_sync():

* Return:
* * %0 - The timer was not pending
* * %1 - The timer was pending and deactivated

[1]
https://elixir.bootlin.com/linux/latest/source/include/linux/timer.h#L190
> + cancel_work_sync(&cfg->escan_timeout_work);
> brcmf_pno_detach(cfg);
> brcmf_btcoex_detach(cfg);
> wiphy_unregister(cfg->wiphy);


Attachments:
smime.p7s (4.12 kB)
S/MIME Cryptographic Signature