On Sat, 21 May 2022 23:28:01 +0200, Pavel Skripkin wrote: > > Syzbot reported use-after-free Read in ath9k_hif_usb_rx_cb() [0]. The > problem was in incorrect htc_handle->drv_priv initialization. > > Probable call trace which can trigger use-after-free: > > ath9k_htc_probe_device() > /* htc_handle->drv_priv = priv; */ > ath9k_htc_wait_for_target() <--- Failed > ieee80211_free_hw() <--- priv pointer is freed > > <IRQ> > ... > ath9k_hif_usb_rx_cb() > ath9k_hif_usb_rx_stream() > RX_STAT_INC() <--- htc_handle->drv_priv access > > In order to not add fancy protection for drv_priv we can move > htc_handle->drv_priv initialization at the end of the > ath9k_htc_probe_device() and add helper macro to make > all *_STAT_* macros NULL safe, since syzbot has reported related NULL > deref in that macros [1] > > Link: https://syzkaller.appspot.com/bug?id=6ead44e37afb6866ac0c7dd121b4ce07cb665f60 [0] > Link: https://syzkaller.appspot.com/bug?id=b8101ffcec107c0567a0cd8acbbacec91e9ee8de [1] > Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.") > Reported-and-tested-by: syzbot+03110230a11411024147@xxxxxxxxxxxxxxxxxxxxxxxxx > Reported-and-tested-by: syzbot+c6dde1f690b60e0b9fbe@xxxxxxxxxxxxxxxxxxxxxxxxx > Signed-off-by: Pavel Skripkin <paskripkin@xxxxxxxxx> Hi Toke, any update on this? I'm asking it because this is a fix for a security issue (CVE-2022-1679 [*]), and distros have been waiting for the fix getting merged to the upstream for weeks. [*] https://nvd.nist.gov/vuln/detail/CVE-2022-1679 thanks, Takashi
