Message ID | 20240403152631.10248-1-bethany.jamison@canonical.com |
---|---|
Series | CVE-2023-47233 |

On 4/3/24 9:26 AM, Bethany Jamison wrote:
> [Impact]
>
> The brcm80211 component in the Linux kernel through 6.5.10 has a
> brcmf_cfg80211_detach use-after-free in the device unplugging (disconnect
> the USB by hotplug) code. For physically proximate attackers with local
> access, this "could be exploited in a real world scenario." This is related
> to brcmf_cfg80211_escan_timeout_worker in
> drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c.
>
> [Fix]
>
> Mantic: Clean cherry-pick.
> Jammy: Mantic patch applied cleanly.
> Focal: Backport - used del_timer_sync in place of timer_delete_sync.
> Bionic: fix sent to esm ML
> Xenial: fix sent to esm ML
> Trusty: not going to be fixed by us
>
> [Test Case]
>
> Compile and boot tested.
>
> [Where problems could occur]
>
> This fix affects those who use the brcm80211 driver who then disconnect
> the USB via hotplug, issues with this fix would be visible via some
> undefined behavior from the system. This fix has a fairly low risk of
> regression though the risk is slightly increased in Focal because I had
> to swap the timer deletion sync functions.
>
> Zheng Wang (1):
>   wifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach
>
>  drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>

Acked-by: Tim Gardner <tim.gardner@canonical.com>

On 03/04/2024 17:26, Bethany Jamison wrote:
> [Impact]
>
> The brcm80211 component in the Linux kernel through 6.5.10 has a
> brcmf_cfg80211_detach use-after-free in the device unplugging (disconnect
> the USB by hotplug) code. For physically proximate attackers with local
> access, this "could be exploited in a real world scenario." This is related
> to brcmf_cfg80211_escan_timeout_worker in
> drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c.
>
> [Fix]
>
> Mantic: Clean cherry-pick.
> Jammy: Mantic patch applied cleanly.
> Focal: Backport - used del_timer_sync in place of timer_delete_sync.
> Bionic: fix sent to esm ML
> Xenial: fix sent to esm ML
> Trusty: not going to be fixed by us
>
> [Test Case]
>
> Compile and boot tested.
>
> [Where problems could occur]
>
> This fix affects those who use the brcm80211 driver who then disconnect
> the USB via hotplug, issues with this fix would be visible via some
> undefined behavior from the system. This fix has a fairly low risk of
> regression though the risk is slightly increased in Focal because I had
> to swap the timer deletion sync functions.
>
> Zheng Wang (1):
>   wifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach
>
>  drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)

Acked-by: Roxana Nicolescu <roxana.nicolescu@canonical.com>

On 03/04/2024 17:26, Bethany Jamison wrote:
> [Impact]
>
> The brcm80211 component in the Linux kernel through 6.5.10 has a
> brcmf_cfg80211_detach use-after-free in the device unplugging (disconnect
> the USB by hotplug) code. For physically proximate attackers with local
> access, this "could be exploited in a real world scenario." This is related
> to brcmf_cfg80211_escan_timeout_worker in
> drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c.
>
> [Fix]
>
> Mantic: Clean cherry-pick.
> Jammy: Mantic patch applied cleanly.
> Focal: Backport - used del_timer_sync in place of timer_delete_sync.
> Bionic: fix sent to esm ML
> Xenial: fix sent to esm ML
> Trusty: not going to be fixed by us
>
> [Test Case]
>
> Compile and boot tested.
>
> [Where problems could occur]
>
> This fix affects those who use the brcm80211 driver who then disconnect
> the USB via hotplug, issues with this fix would be visible via some
> undefined behavior from the system. This fix has a fairly low risk of
> regression though the risk is slightly increased in Focal because I had
> to swap the timer deletion sync functions.
>
> Zheng Wang (1):
>   wifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach
>
>  drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>

Applied to mantic, jammy, focal master-next branches. Thanks!