| Message ID | 20231106141704.866455-1-zyytlz.wz@163.com |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a59:8f47:0:b0:403:3b70:6f57 with SMTP id j7csp2688998vqu;
Mon, 6 Nov 2023 06:19:22 -0800 (PST)
X-Google-Smtp-Source:
AGHT+IFAUuDZ6itE9KIhwMygEBKpi44NTxZP5p0Thfyurbx1AVn+q/zjBfyD/j3kaU6eYfE4EgdU
X-Received: by 2002:a05:6808:181e:b0:3ae:4cad:91a0 with SMTP id
bh30-20020a056808181e00b003ae4cad91a0mr39030618oib.6.1699280362526;
Mon, 06 Nov 2023 06:19:22 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1699280362; cv=none;
d=google.com; s=arc-20160816;
b=y6dcRw+4M+1KVDOWalaltfn+znNU8qqWrIx5UOjQNwm908JY7gPNigmubSVjYkQAjR
SlsS7Iu0Gk78b+o8e8r51bV7R+zcMtH4ooQRP+TjSvSIMThqOGcqSQv/uCbRPTN4ZD3H
QWIZr73AldWy/dKdG1s9IGGOs4OXUKXUff3zcU6k4aNoS8BymdComlUP9FvTWYlxowwj
LmskTPGuMcFX0X6zJezjJDEP08yxaaVwbmTUTByTPCARPTEzrcUE5CtBSJyAEbMVo638
4WDTES3PIaEdiJfkBNKzcxedXgqyl89Nv/fzbigqAyOIy8U6BiuyFghaLewk45U7GGjg
LDyg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:content-transfer-encoding:mime-version
:message-id:date:subject:cc:to:from:dkim-signature;
bh=GHKDYoOVMXecpK9LSE+iNohkCdObnkzqAJ+O5AtWvHk=;
fh=bQYidz2MCLKzmR+GyMq0lZwibYr7OrQDapKG7NmJ+Fc=;
b=rFzXMlVo7BWrW6PWrac/N8qIc8xupHnyae5Wdf1cnDN0aRveQXZVFl2ct3qeMvklzt
liPip24QCrox+QshC9VHqAnL0qlhmwBM2OyooOGoZMPJtTu3nwBQE29/CRBoRGzBM6UT
8z1hsFpnfSOssu+3Sf5eEAALN2iVOC6WKYzHnwqXiEFhjuMCk/cCGSrS89sClPGcIcEx
OzTf+jmng3s0Rpc7jRFMK6AfdXGyNH2usE7i8TwafTXhKU3lvdcMhJThCr+Hicy1kbj9
kgO1BEe34YsIlXZa8YgH0wySBPdRxicwJq1kRxmOcWmbCWXjropIZXjzlGpRn10/Btio
/ZJA==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@163.com header.s=s110527 header.b=Y7XpWMSF;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 23.128.96.35 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=163.com
Received: from groat.vger.email (groat.vger.email. [23.128.96.35])
by mx.google.com with ESMTPS id
z22-20020a63c056000000b0056da0ae25d1si7698903pgi.831.2023.11.06.06.19.22
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Mon, 06 Nov 2023 06:19:22 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 23.128.96.35 as permitted sender) client-ip=23.128.96.35;
Authentication-Results: mx.google.com;
dkim=pass header.i=@163.com header.s=s110527 header.b=Y7XpWMSF;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 23.128.96.35 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=163.com
Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0])
by groat.vger.email (Postfix) with ESMTP id 21344805190B;
Mon, 6 Nov 2023 06:19:20 -0800 (PST)
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.103.10 at groat.vger.email
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S231593AbjKFOTE (ORCPT <rfc822;jaysivo@gmail.com> + 35 others);
Mon, 6 Nov 2023 09:19:04 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:56264 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S229705AbjKFOTB (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Mon, 6 Nov 2023 09:19:01 -0500
Received: from m12.mail.163.com (m12.mail.163.com [220.181.12.198])
by lindbergh.monkeyblade.net (Postfix) with ESMTP id 88987DF;
Mon, 6 Nov 2023 06:18:56 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=163.com;
s=s110527; h=From:Subject:Date:Message-Id:MIME-Version; bh=GHKDY
oOVMXecpK9LSE+iNohkCdObnkzqAJ+O5AtWvHk=; b=Y7XpWMSFxGujh2q/yvDDI
5+YQvSOeWb9zLtnoTrKoG0u4ufiGme5GDs3dWob2lAfuYOT0PbI5s6y4uFtVyXNw
beXDxhuN/hrAogS4bp2VDB/i6+TAdjx7IsA+RA1c84jTF0eYambo7Bc/yZK0qqGs
2jS6Qp97s87fdR547iXQU4=
Received: from leanderwang-LC4.localdomain (unknown [111.206.145.21])
by zwqz-smtp-mta-g5-3 (Coremail) with SMTP id
_____wDXv09k9UhlfEHwCQ--.49806S2;
Mon, 06 Nov 2023 22:17:08 +0800 (CST)
From: Zheng Wang <zyytlz.wz@163.com>
To: aspriel@gmail.com
Cc: franky.lin@broadcom.com, hante.meuleman@broadcom.com,
kvalo@kernel.org, johannes.berg@intel.com, marcan@marcan.st,
linus.walleij@linaro.org, jisoo.jang@yonsei.ac.kr,
linuxlovemin@yonsei.ac.kr, wataru.gohda@cypress.com,
linux-wireless@vger.kernel.org,
brcm80211-dev-list.pdl@broadcom.com, arend.vanspriel@broadcom.com,
SHA-cyfmac-dev-list@infineon.com, linux-kernel@vger.kernel.org,
security@kernel.org, stable@vger.kernel.org,
hackerzheng666@gmail.com, Zheng Wang <zyytlz.wz@163.com>
Subject: [PATCH v5] wifi: brcmfmac: Fix use-after-free bug in
brcmf_cfg80211_detach
Date: Mon, 6 Nov 2023 22:17:04 +0800
Message-Id: <20231106141704.866455-1-zyytlz.wz@163.com>
X-Mailer: git-send-email 2.25.1
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-CM-TRANSID: _____wDXv09k9UhlfEHwCQ--.49806S2
X-Coremail-Antispam: 1Uf129KBjvJXoW7Zr13tw1fAw4UJw1rZFyxKrg_yoW8ur1kpF
WxWa4qyryUWrW3Kr4F9rnrJFy8ta1DKwnYkr4j93Z3uFn8Wr18JrW8KFya93WDGrs2yay7
Ar4vqrnrGrZ7GFJanT9S1TB71UUUUUUqnTZGkaVYY2UrUUUUjbIjqfuFe4nvWSU5nxnvy2
9KBjDUYxBIdaVFxhVjvjDU0xZFpf9x0zR1rWrUUUUU=
X-Originating-IP: [111.206.145.21]
X-CM-SenderInfo: h2113zf2oz6qqrwthudrp/xtbBgwggU1d7gdDP3AAAsW
X-Spam-Status: No, score=-0.6 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM,
HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_HELO_NONE,
SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no
version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on groat.vger.email
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-Greylist: Sender passed SPF test,
not delayed by milter-greylist-4.6.4 (groat.vger.email [0.0.0.0]);
Mon, 06 Nov 2023 06:19:20 -0800 (PST)
X-getmail-retrieved-from-mailbox: INBOX
X-GMAIL-THRID: 1781824605262240257
X-GMAIL-MSGID: 1781824605262240257
|
| Series |
[v5] wifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach
|
|
Commit Message
Zheng Wang
Nov. 6, 2023, 2:17 p.m. UTC
This is the candidate patch of CVE-2023-47233 :
https://nvd.nist.gov/vuln/detail/CVE-2023-47233
In brcm80211 driver,it starts with the following invoking chain
to start init a timeout worker:
->brcmf_usb_probe
->brcmf_usb_probe_cb
->brcmf_attach
->brcmf_bus_started
->brcmf_cfg80211_attach
->wl_init_priv
->brcmf_init_escan
->INIT_WORK(&cfg->escan_timeout_work,
brcmf_cfg80211_escan_timeout_worker);
If we disconnect the USB by hotplug, it will call
brcmf_usb_disconnect to make cleanup. The invoking chain is :
brcmf_usb_disconnect
->brcmf_usb_disconnect_cb
->brcmf_detach
->brcmf_cfg80211_detach
->kfree(cfg);
While the timeout woker may still be running. This will cause
a use-after-free bug on cfg in brcmf_cfg80211_escan_timeout_worker.
Fix it by deleting the timer and canceling the worker in
brcmf_cfg80211_detach.
Fixes: e756af5b30b0 ("brcmfmac: add e-scan support.")
Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
Cc: stable@vger.kernel.org
---
v5:
- replace del_timer_sync with timer_shutdown_sync suggested by
Arend and Takashi
v4:
- rename the subject and add CVE number as Ping-Ke Shih suggested
v3:
- rename the subject as Johannes suggested
v2:
- fix the error of kernel test bot reported
---
drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 2 ++
1 file changed, 2 insertions(+)
Comments
Zheng Wang <zyytlz.wz@163.com> writes: > This is the candidate patch of CVE-2023-47233 : > https://nvd.nist.gov/vuln/detail/CVE-2023-47233 > > In brcm80211 driver,it starts with the following invoking chain > to start init a timeout worker: > > ->brcmf_usb_probe > ->brcmf_usb_probe_cb > ->brcmf_attach > ->brcmf_bus_started > ->brcmf_cfg80211_attach > ->wl_init_priv > ->brcmf_init_escan > ->INIT_WORK(&cfg->escan_timeout_work, > brcmf_cfg80211_escan_timeout_worker); > > If we disconnect the USB by hotplug, it will call > brcmf_usb_disconnect to make cleanup. The invoking chain is : > > brcmf_usb_disconnect > ->brcmf_usb_disconnect_cb > ->brcmf_detach > ->brcmf_cfg80211_detach > ->kfree(cfg); > > While the timeout woker may still be running. This will cause > a use-after-free bug on cfg in brcmf_cfg80211_escan_timeout_worker. > > Fix it by deleting the timer and canceling the worker in > brcmf_cfg80211_detach. > > Fixes: e756af5b30b0 ("brcmfmac: add e-scan support.") > Signed-off-by: Zheng Wang <zyytlz.wz@163.com> > Cc: stable@vger.kernel.org > --- > v5: > - replace del_timer_sync with timer_shutdown_sync suggested by > Arend and Takashi > v4: > - rename the subject and add CVE number as Ping-Ke Shih suggested > v3: > - rename the subject as Johannes suggested > v2: > - fix the error of kernel test bot reported > --- > drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c > index 667462369a32..a8723a61c9e4 100644 > --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c > +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c > @@ -8431,6 +8431,8 @@ void brcmf_cfg80211_detach(struct brcmf_cfg80211_info *cfg) > if (!cfg) > return; > > + timer_shutdown_sync(&cfg->escan_timeout); > + cancel_work_sync(&cfg->escan_timeout_work); > brcmf_pno_detach(cfg); > brcmf_btcoex_detach(cfg); > wiphy_unregister(cfg->wiphy); Has anyone tested this on a real device? As v1 didn't even compile I am very cautious: https://patchwork.kernel.org/project/linux-wireless/patch/20231104054709.716585-1-zyytlz.wz@163.com/
Thanks! I didn't test it for I don't have a device. Very appreciated if anyone could help with that. Kalle Valo <kvalo@kernel.org> 于2023年11月6日周一 22:41写道: > > Zheng Wang <zyytlz.wz@163.com> writes: > > > This is the candidate patch of CVE-2023-47233 : > > https://nvd.nist.gov/vuln/detail/CVE-2023-47233 > > > > In brcm80211 driver,it starts with the following invoking chain > > to start init a timeout worker: > > > > ->brcmf_usb_probe > > ->brcmf_usb_probe_cb > > ->brcmf_attach > > ->brcmf_bus_started > > ->brcmf_cfg80211_attach > > ->wl_init_priv > > ->brcmf_init_escan > > ->INIT_WORK(&cfg->escan_timeout_work, > > brcmf_cfg80211_escan_timeout_worker); > > > > If we disconnect the USB by hotplug, it will call > > brcmf_usb_disconnect to make cleanup. The invoking chain is : > > > > brcmf_usb_disconnect > > ->brcmf_usb_disconnect_cb > > ->brcmf_detach > > ->brcmf_cfg80211_detach > > ->kfree(cfg); > > > > While the timeout woker may still be running. This will cause > > a use-after-free bug on cfg in brcmf_cfg80211_escan_timeout_worker. > > > > Fix it by deleting the timer and canceling the worker in > > brcmf_cfg80211_detach. > > > > Fixes: e756af5b30b0 ("brcmfmac: add e-scan support.") > > Signed-off-by: Zheng Wang <zyytlz.wz@163.com> > > Cc: stable@vger.kernel.org > > --- > > v5: > > - replace del_timer_sync with timer_shutdown_sync suggested by > > Arend and Takashi > > v4: > > - rename the subject and add CVE number as Ping-Ke Shih suggested > > v3: > > - rename the subject as Johannes suggested > > v2: > > - fix the error of kernel test bot reported > > --- > > drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 2 ++ > > 1 file changed, 2 insertions(+) > > > > diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c > > index 667462369a32..a8723a61c9e4 100644 > > --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c > > +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c > > @@ -8431,6 +8431,8 @@ void brcmf_cfg80211_detach(struct brcmf_cfg80211_info *cfg) > > if (!cfg) > > return; > > > > + timer_shutdown_sync(&cfg->escan_timeout); > > + cancel_work_sync(&cfg->escan_timeout_work); > > brcmf_pno_detach(cfg); > > brcmf_btcoex_detach(cfg); > > wiphy_unregister(cfg->wiphy); > > Has anyone tested this on a real device? As v1 didn't even compile I am > very cautious: > > https://patchwork.kernel.org/project/linux-wireless/patch/20231104054709.716585-1-zyytlz.wz@163.com/ > > -- > https://patchwork.kernel.org/project/linux-wireless/list/ > > https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
On November 6, 2023 3:44:53 PM Zheng Hacker <hackerzheng666@gmail.com> wrote: > Thanks! I didn't test it for I don't have a device. Very appreciated > if anyone could help with that. I would volunteer, but it made me dig deep and not sure if there is a problem to solve here. brcmf_cfg80211_detach() calls wl_deinit_priv() -> brcmf_abort_scanning() -> brcmf_notify_escan_complete() which does delete the timer. What am I missing here? Regards, Arend > > Kalle Valo <kvalo@kernel.org> 于2023年11月6日周一 22:41写道: >> >> Zheng Wang <zyytlz.wz@163.com> writes: >> >>> This is the candidate patch of CVE-2023-47233 : >>> https://nvd.nist.gov/vuln/detail/CVE-2023-47233 >>> >>> In brcm80211 driver,it starts with the following invoking chain >>> to start init a timeout worker: >>> >>> ->brcmf_usb_probe >>> ->brcmf_usb_probe_cb >>> ->brcmf_attach >>> ->brcmf_bus_started >>> ->brcmf_cfg80211_attach >>> ->wl_init_priv >>> ->brcmf_init_escan >>> ->INIT_WORK(&cfg->escan_timeout_work, >>> brcmf_cfg80211_escan_timeout_worker); >>> >>> If we disconnect the USB by hotplug, it will call >>> brcmf_usb_disconnect to make cleanup. The invoking chain is : >>> >>> brcmf_usb_disconnect >>> ->brcmf_usb_disconnect_cb >>> ->brcmf_detach >>> ->brcmf_cfg80211_detach >>> ->kfree(cfg); >>> >>> While the timeout woker may still be running. This will cause >>> a use-after-free bug on cfg in brcmf_cfg80211_escan_timeout_worker. >>> >>> Fix it by deleting the timer and canceling the worker in >>> brcmf_cfg80211_detach. >>> >>> Fixes: e756af5b30b0 ("brcmfmac: add e-scan support.") >>> Signed-off-by: Zheng Wang <zyytlz.wz@163.com> >>> Cc: stable@vger.kernel.org >>> --- >>> v5: >>> - replace del_timer_sync with timer_shutdown_sync suggested by >>> Arend and Takashi >>> v4: >>> - rename the subject and add CVE number as Ping-Ke Shih suggested >>> v3: >>> - rename the subject as Johannes suggested >>> v2: >>> - fix the error of kernel test bot reported >>> --- >>> drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 2 ++ >>> 1 file changed, 2 insertions(+) >>> >>> diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c >>> b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c >>> index 667462369a32..a8723a61c9e4 100644 >>> --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c >>> +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c >>> @@ -8431,6 +8431,8 @@ void brcmf_cfg80211_detach(struct brcmf_cfg80211_info >>> *cfg) >>> if (!cfg) >>> return; >>> >>> + timer_shutdown_sync(&cfg->escan_timeout); >>> + cancel_work_sync(&cfg->escan_timeout_work); >>> brcmf_pno_detach(cfg); >>> brcmf_btcoex_detach(cfg); >>> wiphy_unregister(cfg->wiphy); >> >> Has anyone tested this on a real device? As v1 didn't even compile I am >> very cautious: >> >> https://patchwork.kernel.org/project/linux-wireless/patch/20231104054709.716585-1-zyytlz.wz@163.com/ >> >> -- >> https://patchwork.kernel.org/project/linux-wireless/list/ >> >> https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
Arend Van Spriel <arend.vanspriel@broadcom.com> 于2023年11月6日周一 23:48写道: > > On November 6, 2023 3:44:53 PM Zheng Hacker <hackerzheng666@gmail.com> wrote: > > > Thanks! I didn't test it for I don't have a device. Very appreciated > > if anyone could help with that. > > I would volunteer, but it made me dig deep and not sure if there is a > problem to solve here. > > brcmf_cfg80211_detach() calls wl_deinit_priv() -> brcmf_abort_scanning() -> > brcmf_notify_escan_complete() which does delete the timer. > > What am I missing here? Thanks four your detailed review. I did see the code and not sure if brcmf_notify_escan_complete would be triggered for sure. So in the first version I want to delete the pending timer ahead of time. As I'm not very familiar with the logic here. I'm still not sure if we should delete the timer_shutdown_sync. Looking forward to your reply :) ```cpp if (cfg->int_escan_map || cfg->scan_request) { escan->escan_state = WL_ESCAN_STATE_IDLE; brcmf_notify_escan_complete(cfg, escan->ifp, true, true); } ``` Best regards, Zheng > > Regards, > Arend > > > > > Kalle Valo <kvalo@kernel.org> 于2023年11月6日周一 22:41写道: > >> > >> Zheng Wang <zyytlz.wz@163.com> writes: > >> > >>> This is the candidate patch of CVE-2023-47233 : > >>> https://nvd.nist.gov/vuln/detail/CVE-2023-47233 > >>> > >>> In brcm80211 driver,it starts with the following invoking chain > >>> to start init a timeout worker: > >>> > >>> ->brcmf_usb_probe > >>> ->brcmf_usb_probe_cb > >>> ->brcmf_attach > >>> ->brcmf_bus_started > >>> ->brcmf_cfg80211_attach > >>> ->wl_init_priv > >>> ->brcmf_init_escan > >>> ->INIT_WORK(&cfg->escan_timeout_work, > >>> brcmf_cfg80211_escan_timeout_worker); > >>> > >>> If we disconnect the USB by hotplug, it will call > >>> brcmf_usb_disconnect to make cleanup. The invoking chain is : > >>> > >>> brcmf_usb_disconnect > >>> ->brcmf_usb_disconnect_cb > >>> ->brcmf_detach > >>> ->brcmf_cfg80211_detach > >>> ->kfree(cfg); > >>> > >>> While the timeout woker may still be running. This will cause > >>> a use-after-free bug on cfg in brcmf_cfg80211_escan_timeout_worker. > >>> > >>> Fix it by deleting the timer and canceling the worker in > >>> brcmf_cfg80211_detach. > >>> > >>> Fixes: e756af5b30b0 ("brcmfmac: add e-scan support.") > >>> Signed-off-by: Zheng Wang <zyytlz.wz@163.com> > >>> Cc: stable@vger.kernel.org > >>> --- > >>> v5: > >>> - replace del_timer_sync with timer_shutdown_sync suggested by > >>> Arend and Takashi > >>> v4: > >>> - rename the subject and add CVE number as Ping-Ke Shih suggested > >>> v3: > >>> - rename the subject as Johannes suggested > >>> v2: > >>> - fix the error of kernel test bot reported > >>> --- > >>> drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 2 ++ > >>> 1 file changed, 2 insertions(+) > >>> > >>> diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c > >>> b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c > >>> index 667462369a32..a8723a61c9e4 100644 > >>> --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c > >>> +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c > >>> @@ -8431,6 +8431,8 @@ void brcmf_cfg80211_detach(struct brcmf_cfg80211_info > >>> *cfg) > >>> if (!cfg) > >>> return; > >>> > >>> + timer_shutdown_sync(&cfg->escan_timeout); > >>> + cancel_work_sync(&cfg->escan_timeout_work); > >>> brcmf_pno_detach(cfg); > >>> brcmf_btcoex_detach(cfg); > >>> wiphy_unregister(cfg->wiphy); > >> > >> Has anyone tested this on a real device? As v1 didn't even compile I am > >> very cautious: > >> > >> https://patchwork.kernel.org/project/linux-wireless/patch/20231104054709.716585-1-zyytlz.wz@163.com/ > >> > >> -- > >> https://patchwork.kernel.org/project/linux-wireless/list/ > >> > >> https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches > > >
On November 8, 2023 4:03:26 AM Zheng Hacker <hackerzheng666@gmail.com> wrote: > Arend Van Spriel <arend.vanspriel@broadcom.com> 于2023年11月6日周一 23:48写道: >> >> On November 6, 2023 3:44:53 PM Zheng Hacker <hackerzheng666@gmail.com> wrote: >> >>> Thanks! I didn't test it for I don't have a device. Very appreciated >>> if anyone could help with that. >> >> I would volunteer, but it made me dig deep and not sure if there is a >> problem to solve here. >> >> brcmf_cfg80211_detach() calls wl_deinit_priv() -> brcmf_abort_scanning() -> >> brcmf_notify_escan_complete() which does delete the timer. >> >> What am I missing here? > > Thanks four your detailed review. I did see the code and not sure if > brcmf_notify_escan_complete > would be triggered for sure. So in the first version I want to delete > the pending timer ahead of time. Why requesting a CVE when you are not sure? Seems a bit hasty to put it mildly. > As I'm not very familiar with the logic here. I'm still not sure if we > should delete the timer_shutdown_sync. > Looking forward to your reply :) Reading the kerneldoc of timer_shutdown_sync() has the advantage that the timer can not be rearmed by another thread. However, that will only happen when a new scan is initiated in firmware, but the bus is already down so that can not happen. The only improvement (no bug fix!) I see here is to replace timer handling code in brcmf_notify_escan_complete(): - if (timer_pending(&cfg->escan_timeout)) - del_timer_sync(&cfg->escan_timeout); + timer_delete_sync(&cfg->escan_timeout); Regards, Arend
Arend van Spriel <arend.vanspriel@broadcom.com> writes: > On November 8, 2023 4:03:26 AM Zheng Hacker <hackerzheng666@gmail.com> > wrote: > >> Arend Van Spriel <arend.vanspriel@broadcom.com> 于2023年11月6日周一 23:48写道: >>> >>> On November 6, 2023 3:44:53 PM Zheng Hacker <hackerzheng666@gmail.com> wrote: >>> >>>> Thanks! I didn't test it for I don't have a device. Very appreciated >>>> if anyone could help with that. >>> >>> I would volunteer, but it made me dig deep and not sure if there is a >>> problem to solve here. >>> >>> brcmf_cfg80211_detach() calls wl_deinit_priv() -> brcmf_abort_scanning() -> >>> brcmf_notify_escan_complete() which does delete the timer. >>> >>> What am I missing here? >> >> Thanks four your detailed review. I did see the code and not sure if >> brcmf_notify_escan_complete >> would be triggered for sure. So in the first version I want to delete >> the pending timer ahead of time. > > Why requesting a CVE when you are not sure? Seems a bit hasty to put > it mildly. TBH I don't take CVE entries seriously anymore. I don't know what has happened there.
Arend van Spriel <arend.vanspriel@broadcom.com> 于2023年11月13日周一 17:18写道: > > On November 8, 2023 4:03:26 AM Zheng Hacker <hackerzheng666@gmail.com> > wrote: > > > Arend Van Spriel <arend.vanspriel@broadcom.com> 于2023年11月6日周一 23:48写道: > >> > >> On November 6, 2023 3:44:53 PM Zheng Hacker <hackerzheng666@gmail.com> wrote: > >> > >>> Thanks! I didn't test it for I don't have a device. Very appreciated > >>> if anyone could help with that. > >> > >> I would volunteer, but it made me dig deep and not sure if there is a > >> problem to solve here. > >> > >> brcmf_cfg80211_detach() calls wl_deinit_priv() -> brcmf_abort_scanning() -> > >> brcmf_notify_escan_complete() which does delete the timer. > >> > >> What am I missing here? > > > > Thanks four your detailed review. I did see the code and not sure if > > brcmf_notify_escan_complete > > would be triggered for sure. So in the first version I want to delete > > the pending timer ahead of time. > > Why requesting a CVE when you are not sure? Seems a bit hasty to put it > mildly. I'm sure the issue exists because there's only cancler of timer but not woker. As there's similar CVEs before like : https://github.com/V4bel/CVE-2022-41218, I submit it as soon as I found it. > > > As I'm not very familiar with the logic here. I'm still not sure if we > > should delete the timer_shutdown_sync. > > Looking forward to your reply :) > > Reading the kerneldoc of timer_shutdown_sync() has the advantage that > the timer can not be rearmed by another thread. However, that will only > happen when a new scan is initiated in firmware, but the bus is already > down so that can not happen. The only improvement (no bug fix!) I see > here is to replace timer handling code in brcmf_notify_escan_complete(): > > - if (timer_pending(&cfg->escan_timeout)) > - del_timer_sync(&cfg->escan_timeout); > + timer_delete_sync(&cfg->escan_timeout); > Very thanks for your reviews and suggestions! I thinks it's a good idea. I'll make another patch sooner or later. Best regards, Zheng > Regards, > Arend
On November 15, 2023 4:00:46 PM Zheng Hacker <hackerzheng666@gmail.com> wrote: > Arend van Spriel <arend.vanspriel@broadcom.com> 于2023年11月13日周一 17:18写道: >> >> On November 8, 2023 4:03:26 AM Zheng Hacker <hackerzheng666@gmail.com> >> wrote: >> >>> Arend Van Spriel <arend.vanspriel@broadcom.com> 于2023年11月6日周一 23:48写道: >>>> >>>> On November 6, 2023 3:44:53 PM Zheng Hacker <hackerzheng666@gmail.com> wrote: >>>> >>>>> Thanks! I didn't test it for I don't have a device. Very appreciated >>>>> if anyone could help with that. >>>> >>>> I would volunteer, but it made me dig deep and not sure if there is a >>>> problem to solve here. >>>> >>>> brcmf_cfg80211_detach() calls wl_deinit_priv() -> brcmf_abort_scanning() -> >>>> brcmf_notify_escan_complete() which does delete the timer. >>>> >>>> What am I missing here? >>> >>> Thanks four your detailed review. I did see the code and not sure if >>> brcmf_notify_escan_complete >>> would be triggered for sure. So in the first version I want to delete >>> the pending timer ahead of time. >> >> Why requesting a CVE when you are not sure? Seems a bit hasty to put it >> mildly. > > I'm sure the issue exists because there's only cancler of timer but not woker. > As there's similar CVEs before like : https://github.com/V4bel/CVE-2022-41218, > I submit it as soon as I found it. Ah, yes. The cancel_work_sync() can also be done in brcmf_notify_escan_complete(). Regards, Arend
On Thu, 16 Nov 2023 19:20:06 +0100, Arend Van Spriel wrote: > > On November 15, 2023 4:00:46 PM Zheng Hacker <hackerzheng666@gmail.com> wrote: > > > Arend van Spriel <arend.vanspriel@broadcom.com> 于2023年11月13日周一 17:18写道: > >> > >> On November 8, 2023 4:03:26 AM Zheng Hacker <hackerzheng666@gmail.com> > >> wrote: > >> > >>> Arend Van Spriel <arend.vanspriel@broadcom.com> 于2023年11月6日周一 23:48写道: > >>>> > >>>> On November 6, 2023 3:44:53 PM Zheng Hacker <hackerzheng666@gmail.com> wrote: > >>>> > >>>>> Thanks! I didn't test it for I don't have a device. Very appreciated > >>>>> if anyone could help with that. > >>>> > >>>> I would volunteer, but it made me dig deep and not sure if there is a > >>>> problem to solve here. > >>>> > >>>> brcmf_cfg80211_detach() calls wl_deinit_priv() -> brcmf_abort_scanning() -> > >>>> brcmf_notify_escan_complete() which does delete the timer. > >>>> > >>>> What am I missing here? > >>> > >>> Thanks four your detailed review. I did see the code and not sure if > >>> brcmf_notify_escan_complete > >>> would be triggered for sure. So in the first version I want to delete > >>> the pending timer ahead of time. > >> > >> Why requesting a CVE when you are not sure? Seems a bit hasty to put it > >> mildly. > > > > I'm sure the issue exists because there's only cancler of timer but not woker. > > As there's similar CVEs before like : https://github.com/V4bel/CVE-2022-41218, > > I submit it as soon as I found it. > > Ah, yes. The cancel_work_sync() can also be done in > brcmf_notify_escan_complete(). AFAIUC, brcmf_notify_scan_complete() is called from the work itself, too, hence you can't issue cancel_work_sync() there (unless you make it conditional). Takashi
On November 16, 2023 7:25:16 PM Takashi Iwai <tiwai@suse.de> wrote: > On Thu, 16 Nov 2023 19:20:06 +0100, > Arend Van Spriel wrote: >> >> On November 15, 2023 4:00:46 PM Zheng Hacker <hackerzheng666@gmail.com> wrote: >> >>> Arend van Spriel <arend.vanspriel@broadcom.com> 于2023年11月13日周一 17:18写道: >>>> >>>> On November 8, 2023 4:03:26 AM Zheng Hacker <hackerzheng666@gmail.com> >>>> wrote: >>>> >>>>> Arend Van Spriel <arend.vanspriel@broadcom.com> 于2023年11月6日周一 23:48写道: >>>>>> >>>>>> On November 6, 2023 3:44:53 PM Zheng Hacker <hackerzheng666@gmail.com> wrote: >>>>>> >>>>>>> Thanks! I didn't test it for I don't have a device. Very appreciated >>>>>>> if anyone could help with that. >>>>>> >>>>>> I would volunteer, but it made me dig deep and not sure if there is a >>>>>> problem to solve here. >>>>>> >>>>>> brcmf_cfg80211_detach() calls wl_deinit_priv() -> brcmf_abort_scanning() -> >>>>>> brcmf_notify_escan_complete() which does delete the timer. >>>>>> >>>>>> What am I missing here? >>>>> >>>>> Thanks four your detailed review. I did see the code and not sure if >>>>> brcmf_notify_escan_complete >>>>> would be triggered for sure. So in the first version I want to delete >>>>> the pending timer ahead of time. >>>> >>>> Why requesting a CVE when you are not sure? Seems a bit hasty to put it >>>> mildly. >>> >>> I'm sure the issue exists because there's only cancler of timer but not woker. >>> As there's similar CVEs before like : https://github.com/V4bel/CVE-2022-41218, >>> I submit it as soon as I found it. >> >> Ah, yes. The cancel_work_sync() can also be done in >> brcmf_notify_escan_complete(). > > AFAIUC, brcmf_notify_scan_complete() is called from the work itself, > too, hence you can't issue cancel_work_sync() there (unless you make > it conditional). Hi Takashi, You are obviously right. Let's wait and see what v6 will look like ;-) Regards, Arend
Yes, that makes this issue hard to fix. I was wondering why it binds the worker with the timer rather than using just one of them. Takashi Iwai <tiwai@suse.de> 于2023年11月17日周五 02:25写道: > > On Thu, 16 Nov 2023 19:20:06 +0100, > Arend Van Spriel wrote: > > > > On November 15, 2023 4:00:46 PM Zheng Hacker <hackerzheng666@gmail.com> wrote: > > > > > Arend van Spriel <arend.vanspriel@broadcom.com> 于2023年11月13日周一 17:18写道: > > >> > > >> On November 8, 2023 4:03:26 AM Zheng Hacker <hackerzheng666@gmail.com> > > >> wrote: > > >> > > >>> Arend Van Spriel <arend.vanspriel@broadcom.com> 于2023年11月6日周一 23:48写道: > > >>>> > > >>>> On November 6, 2023 3:44:53 PM Zheng Hacker <hackerzheng666@gmail.com> wrote: > > >>>> > > >>>>> Thanks! I didn't test it for I don't have a device. Very appreciated > > >>>>> if anyone could help with that. > > >>>> > > >>>> I would volunteer, but it made me dig deep and not sure if there is a > > >>>> problem to solve here. > > >>>> > > >>>> brcmf_cfg80211_detach() calls wl_deinit_priv() -> brcmf_abort_scanning() -> > > >>>> brcmf_notify_escan_complete() which does delete the timer. > > >>>> > > >>>> What am I missing here? > > >>> > > >>> Thanks four your detailed review. I did see the code and not sure if > > >>> brcmf_notify_escan_complete > > >>> would be triggered for sure. So in the first version I want to delete > > >>> the pending timer ahead of time. > > >> > > >> Why requesting a CVE when you are not sure? Seems a bit hasty to put it > > >> mildly. > > > > > > I'm sure the issue exists because there's only cancler of timer but not woker. > > > As there's similar CVEs before like : https://github.com/V4bel/CVE-2022-41218, > > > I submit it as soon as I found it. > > > > Ah, yes. The cancel_work_sync() can also be done in > > brcmf_notify_escan_complete(). > > AFAIUC, brcmf_notify_scan_complete() is called from the work itself, > too, hence you can't issue cancel_work_sync() there (unless you make > it conditional). > > > Takashi
On November 17, 2023 3:31:40 AM Zheng Hacker <hackerzheng666@gmail.com> wrote: > Yes, that makes this issue hard to fix. I was wondering why it binds the > worker with the timer rather than using just one of them. No top posting please! The timer context is softirq and worker is thread context. The ability to sleep is the big difference between the two or at least the reason for using them here. Regards, Arend > > Takashi Iwai <tiwai@suse.de> 于2023年11月17日周五 02:25写道: >> >> On Thu, 16 Nov 2023 19:20:06 +0100, >> Arend Van Spriel wrote: >>> >>> On November 15, 2023 4:00:46 PM Zheng Hacker <hackerzheng666@gmail.com> wrote: >>> >>>> Arend van Spriel <arend.vanspriel@broadcom.com> 于2023年11月13日周一 17:18写道: >>>>> >>>>> On November 8, 2023 4:03:26 AM Zheng Hacker <hackerzheng666@gmail.com> >>>>> wrote: >>>>> >>>>>> Arend Van Spriel <arend.vanspriel@broadcom.com> 于2023年11月6日周一 23:48写道: >>>>>>> >>>>>>> On November 6, 2023 3:44:53 PM Zheng Hacker <hackerzheng666@gmail.com> wrote: >>>>>>> >>>>>>>> Thanks! I didn't test it for I don't have a device. Very appreciated >>>>>>>> if anyone could help with that. >>>>>>> >>>>>>> I would volunteer, but it made me dig deep and not sure if there is a >>>>>>> problem to solve here. >>>>>>> >>>>>>> brcmf_cfg80211_detach() calls wl_deinit_priv() -> brcmf_abort_scanning() -> >>>>>>> brcmf_notify_escan_complete() which does delete the timer. >>>>>>> >>>>>>> What am I missing here? >>>>>> >>>>>> Thanks four your detailed review. I did see the code and not sure if >>>>>> brcmf_notify_escan_complete >>>>>> would be triggered for sure. So in the first version I want to delete >>>>>> the pending timer ahead of time. >>>>> >>>>> Why requesting a CVE when you are not sure? Seems a bit hasty to put it >>>>> mildly. >>>> >>>> I'm sure the issue exists because there's only cancler of timer but not woker. >>>> As there's similar CVEs before like : https://github.com/V4bel/CVE-2022-41218, >>>> I submit it as soon as I found it. >>> >>> Ah, yes. The cancel_work_sync() can also be done in >>> brcmf_notify_escan_complete(). >> >> AFAIUC, brcmf_notify_scan_complete() is called from the work itself, >> too, hence you can't issue cancel_work_sync() there (unless you make >> it conditional). >> >> >> Takashi
On Mon, 06 Nov 2023, Zheng Wang wrote: > This is the candidate patch of CVE-2023-47233 : > https://nvd.nist.gov/vuln/detail/CVE-2023-47233 > > In brcm80211 driver,it starts with the following invoking chain > to start init a timeout worker: > > ->brcmf_usb_probe > ->brcmf_usb_probe_cb > ->brcmf_attach > ->brcmf_bus_started > ->brcmf_cfg80211_attach > ->wl_init_priv > ->brcmf_init_escan > ->INIT_WORK(&cfg->escan_timeout_work, > brcmf_cfg80211_escan_timeout_worker); > > If we disconnect the USB by hotplug, it will call > brcmf_usb_disconnect to make cleanup. The invoking chain is : > > brcmf_usb_disconnect > ->brcmf_usb_disconnect_cb > ->brcmf_detach > ->brcmf_cfg80211_detach > ->kfree(cfg); > > While the timeout woker may still be running. This will cause > a use-after-free bug on cfg in brcmf_cfg80211_escan_timeout_worker. > > Fix it by deleting the timer and canceling the worker in > brcmf_cfg80211_detach. > > Fixes: e756af5b30b0 ("brcmfmac: add e-scan support.") > Signed-off-by: Zheng Wang <zyytlz.wz@163.com> > Cc: stable@vger.kernel.org > --- > v5: > - replace del_timer_sync with timer_shutdown_sync suggested by > Arend and Takashi > v4: > - rename the subject and add CVE number as Ping-Ke Shih suggested > v3: > - rename the subject as Johannes suggested > v2: > - fix the error of kernel test bot reported > --- > drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c > index 667462369a32..a8723a61c9e4 100644 > --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c > +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c > @@ -8431,6 +8431,8 @@ void brcmf_cfg80211_detach(struct brcmf_cfg80211_info *cfg) > if (!cfg) > return; > > + timer_shutdown_sync(&cfg->escan_timeout); > + cancel_work_sync(&cfg->escan_timeout_work); > brcmf_pno_detach(cfg); > brcmf_btcoex_detach(cfg); > wiphy_unregister(cfg->wiphy); Has there been any progress on this please? Are we expecting a v6 to this?
diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c index 667462369a32..a8723a61c9e4 100644 --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c @@ -8431,6 +8431,8 @@ void brcmf_cfg80211_detach(struct brcmf_cfg80211_info *cfg) if (!cfg) return; + timer_shutdown_sync(&cfg->escan_timeout); + cancel_work_sync(&cfg->escan_timeout_work); brcmf_pno_detach(cfg); brcmf_btcoex_detach(cfg); wiphy_unregister(cfg->wiphy);