Arend van Spriel <arend.vanspriel@xxxxxxxxxxxx> wrote:

> From: Zheng Wang <zyytlz.wz@xxxxxxx>
>
> This is the candidate patch of CVE-2023-47233:
> https://nvd.nist.gov/vuln/detail/CVE-2023-47233
>
> In the brcm80211 driver, it starts with the following invoking chain
> to initialize a timeout worker:
>
> ->brcmf_usb_probe
>   ->brcmf_usb_probe_cb
>     ->brcmf_attach
>       ->brcmf_bus_started
>         ->brcmf_cfg80211_attach
>           ->wl_init_priv
>             ->brcmf_init_escan
>               ->INIT_WORK(&cfg->escan_timeout_work,
>                           brcmf_cfg80211_escan_timeout_worker);
>
> If we disconnect the USB by hotplug, it will call
> brcmf_usb_disconnect to clean up. The invoking chain is:
>
> brcmf_usb_disconnect
>   ->brcmf_usb_disconnect_cb
>     ->brcmf_detach
>       ->brcmf_cfg80211_detach
>         ->kfree(cfg);
>
> While the timeout worker may still be running. This will cause
> a use-after-free bug on cfg in brcmf_cfg80211_escan_timeout_worker.
>
> Fix it by deleting the timer and canceling the worker in
> brcmf_cfg80211_detach.
>
> Fixes: e756af5b30b0 ("brcmfmac: add e-scan support.")
> Signed-off-by: Zheng Wang <zyytlz.wz@xxxxxxx>
> Cc: stable@xxxxxxxxxxxxxxx
> [arend.vanspriel@xxxxxxxxxxxx: keep timer delete as is and cancel work just before free]
> Signed-off-by: Arend van Spriel <arend.vanspriel@xxxxxxxxxxxx>

Patch applied to wireless-next.git, thanks.

0f7352557a35 wifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach

--
https://patchwork.kernel.org/project/linux-wireless/patch/20240107072504.392713-1-arend.vanspriel@xxxxxxxxxxxx/

https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches