In the Linux kernel, the following vulnerability has been resolved:
wifi: brcmfmac: fix use-after-free bug in brcmf_netdev_start_xmit()
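The call
    ret = brcmf_proto_tx_queue_data(drvr, ifp->ifidx, skb);
may be scheduled, and then complete, before the line
    ndev->stats.tx_bytes += skb->len;
is executed. Once the skb has been handed to the transmit path, the TX completion can free it from another task (see the "Freed by" stack in the KASAN report below), so the later read of skb->len touches freed memory.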
[ 46.912801] ================================================================== [ 46.920552] BUG: KASAN: use-after-free in brcmfnetdevstartxmit+0x718/0x8c8 [brcmfmac] [ 46.928673] Read of size 4 at addr ffffff803f5882e8 by task systemd-resolve/328 [ 46.935991] [ 46.937514] CPU: 1 PID: 328 Comm: systemd-resolve Tainted: G O 5.4.199-[REDACTED] #1 [ 46.947255] Hardware name: [REDACTED] [ 46.954568] Call trace: [ 46.957037] dumpbacktrace+0x0/0x2b8 [ 46.960719] showstack+0x24/0x30 [ 46.964052] dumpstack+0x128/0x194 [ 46.967557] printaddressdescription.isra.0+0x64/0x380 [ 46.972877] _kasanreport+0x1d4/0x240 [ 46.976723] kasanreport+0xc/0x18 [ 46.980138] _asanreportload4noabort+0x18/0x20 [ 46.985027] brcmfnetdevstartxmit+0x718/0x8c8 [brcmfmac] [ 46.990613] devhardstartxmit+0x1bc/0xda0 [ 46.994894] schdirectxmit+0x198/0xd08 [ 46.998827] _qdiscrun+0x37c/0x1dc0 [ 47.002500] _devqueuexmit+0x1528/0x21f8 [ 47.006692] devqueuexmit+0x24/0x30 [ 47.010366] neighresolveoutput+0x37c/0x678 [ 47.014734] ipfinishoutput2+0x598/0x2458 [ 47.018927] _ipfinishoutput+0x300/0x730 [ 47.023118] ipoutput+0x2e0/0x430 [ 47.026530] iplocalout+0x90/0x140 [ 47.030117] igmpv3sendpack+0x14c/0x228 [ 47.034049] igmpv3sendcr+0x384/0x6b8 [ 47.037895] igmpifctimerexpire+0x4c/0x118 [ 47.042262] calltimerfn+0x1cc/0xbe8 [ 47.046021] _runtimers+0x4d8/0xb28 [ 47.049693] runtimersoftirq+0x24/0x40 [ 47.053626] _dosoftirq+0x2c0/0x117c [ 47.057387] irqexit+0x2dc/0x388 [ 47.060715] _handledomainirq+0xb4/0x158 [ 47.064908] gichandleirq+0x58/0xb0 [ 47.068581] el0irqnaked+0x50/0x5c [ 47.072162] [ 47.073665] Allocated by task 328: [ 47.077083] savestack+0x24/0xb0 [ 47.080410] _kasankmalloc.isra.0+0xc0/0xe0 [ 47.084776] kasanslaballoc+0x14/0x20 [ 47.088622] kmemcachealloc+0x15c/0x468 [ 47.092643] _allocskb+0xa4/0x498 [ 47.096142] igmpv3newpack+0x158/0xd78 [ 47.099987] addgrhead+0x210/0x288 [ 47.103485] addgrec+0x6b0/0xb70 [ 47.106811] igmpv3sendcr+0x2e0/0x6b8 [ 47.110657] igmpifctimerexpire+0x4c/0x118 [ 47.115027] 
calltimerfn+0x1cc/0xbe8 [ 47.118785] _runtimers+0x4d8/0xb28 [ 47.122457] runtimersoftirq+0x24/0x40 [ 47.126389] _dosoftirq+0x2c0/0x117c [ 47.130142] [ 47.131643] Freed by task 180: [ 47.134712] savestack+0x24/0xb0 [ 47.138041] _kasanslabfree+0x108/0x180 [ 47.142146] kasanslabfree+0x10/0x18 [ 47.145904] slabfreefreelisthook+0xa4/0x1b0 [ 47.150444] kmemcachefree+0x8c/0x528 [ 47.154292] kfreeskbmem+0x94/0x108 [ 47.157880] consumeskb+0x10c/0x5a8 [ 47.161466] _devkfreeskbany+0x88/0xa0 [ 47.165598] brcmupktbuffreeskb+0x44/0x68 [brcmutil] [ 47.171023] brcmftxfinalize+0xec/0x190 [brcmfmac] [ 47.176016] brcmfprotobcdctxcomplete+0x1c0/0x210 [brcmfmac] [ 47.182056] brcmfsdiosendfromq+0x8dc/0x1e80 [brcmfmac] [ 47.187568] brcmfsdiodpc+0xb48/0x2108 [brcmfmac] [ 47.192529] brcmfsdiodataworker+0xc8/0x238 [brcmfmac] [ 47.197859] processonework+0x7fc/0x1a80 [ 47.201965] workerthread+0x31c/0xc40 [ 47.205726] kthread+0x2d8/0x370 [ 47.208967] retfromfork+0x10/0x18 [ 47.212546] [ 47.214051] The buggy address belongs to the object at ffffff803f588280 [ 47.214051] which belongs to the cache skbuffhead_cache of size 208 [ 47.227086] The buggy address is located 104 bytes inside of [ 47.227086] 208-byte region [ffffff803f588280, ffffff803f588350) [ 47.238814] The buggy address belongs to the page: [ 47.243618] page:ffffffff00dd6200 refcount:1 mapcou ---truncated---
[
{
"id": "CVE-2022-50408-107bb7a7",
"deprecated": false,
"digest": {
"length": 1655.0,
"function_hash": "250908898070852269004985312741897878380"
},
"signature_version": "v1",
"target": {
"function": "brcmf_netdev_start_xmit",
"file": "drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@232d59eca07f6ea27307022a33d226aff373bd02",
"signature_type": "Function"
},
{
"id": "CVE-2022-50408-18652a2c",
"deprecated": false,
"digest": {
"length": 1655.0,
"function_hash": "250908898070852269004985312741897878380"
},
"signature_version": "v1",
"target": {
"function": "brcmf_netdev_start_xmit",
"file": "drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@e01d96494a9de0f48b1167f0494f6d929fa773ed",
"signature_type": "Function"
},
{
"id": "CVE-2022-50408-21ddeced",
"deprecated": false,
"digest": {
"length": 1612.0,
"function_hash": "123265661718108147443610033952487163575"
},
"signature_version": "v1",
"target": {
"function": "brcmf_netdev_start_xmit",
"file": "drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d79f4d903e14dde822c60b5fd3bedc5a289d25df",
"signature_type": "Function"
},
{
"id": "CVE-2022-50408-2345a755",
"deprecated": false,
"digest": {
"line_hashes": [
"255241027598683760872009720521585608563",
"74501335031921271241638788238644213168",
"52953226746936449755770001929876276277",
"17783314768674658215289792551076439815",
"207004969035754612364721834430648575572",
"173646633727828667146844273941859573089",
"105577685351947790429750311752548858214",
"149729578301940494905750692001806924278"
],
"threshold": 0.9
},
"signature_version": "v1",
"target": {
"file": "drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c369836cff98d3877f98c98e15c0151462812d96",
"signature_type": "Line"
},
{
"id": "CVE-2022-50408-3a148cf5",
"deprecated": false,
"digest": {
"line_hashes": [
"255241027598683760872009720521585608563",
"74501335031921271241638788238644213168",
"52953226746936449755770001929876276277",
"17783314768674658215289792551076439815",
"207004969035754612364721834430648575572",
"173646633727828667146844273941859573089",
"105577685351947790429750311752548858214",
"149729578301940494905750692001806924278"
],
"threshold": 0.9
},
"signature_version": "v1",
"target": {
"file": "drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3f42faf6db431e04bf942d2ebe3ae88975723478",
"signature_type": "Line"
},
{
"id": "CVE-2022-50408-3b448e20",
"deprecated": false,
"digest": {
"length": 1655.0,
"function_hash": "250908898070852269004985312741897878380"
},
"signature_version": "v1",
"target": {
"function": "brcmf_netdev_start_xmit",
"file": "drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@27574a3f421c3a1694d0207f37c6bbf23d66978e",
"signature_type": "Function"
},
{
"id": "CVE-2022-50408-59aea892",
"deprecated": false,
"digest": {
"length": 1655.0,
"function_hash": "250908898070852269004985312741897878380"
},
"signature_version": "v1",
"target": {
"function": "brcmf_netdev_start_xmit",
"file": "drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c369836cff98d3877f98c98e15c0151462812d96",
"signature_type": "Function"
},
{
"id": "CVE-2022-50408-5b5ed704",
"deprecated": false,
"digest": {
"line_hashes": [
"255241027598683760872009720521585608563",
"74501335031921271241638788238644213168",
"52953226746936449755770001929876276277",
"295917495970021866261236061326612193970",
"207004969035754612364721834430648575572",
"173646633727828667146844273941859573089",
"105577685351947790429750311752548858214",
"149729578301940494905750692001806924278"
],
"threshold": 0.9
},
"signature_version": "v1",
"target": {
"file": "drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d79f4d903e14dde822c60b5fd3bedc5a289d25df",
"signature_type": "Line"
},
{
"id": "CVE-2022-50408-5e1e6809",
"deprecated": false,
"digest": {
"length": 1503.0,
"function_hash": "240283295662006136744069151625289667779"
},
"signature_version": "v1",
"target": {
"function": "brcmf_netdev_start_xmit",
"file": "drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1613a7b24f1a7467cb727ba3ec77c9a808383560",
"signature_type": "Function"
},
{
"id": "CVE-2022-50408-7274c92f",
"deprecated": false,
"digest": {
"line_hashes": [
"255241027598683760872009720521585608563",
"74501335031921271241638788238644213168",
"52953226746936449755770001929876276277",
"17783314768674658215289792551076439815",
"207004969035754612364721834430648575572",
"173646633727828667146844273941859573089",
"105577685351947790429750311752548858214",
"149729578301940494905750692001806924278"
],
"threshold": 0.9
},
"signature_version": "v1",
"target": {
"file": "drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@232d59eca07f6ea27307022a33d226aff373bd02",
"signature_type": "Line"
},
{
"id": "CVE-2022-50408-7d058ad6",
"deprecated": false,
"digest": {
"length": 1624.0,
"function_hash": "231896974021855069367648266597573376216"
},
"signature_version": "v1",
"target": {
"function": "brcmf_netdev_start_xmit",
"file": "drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@49c742afd60f552fce7799287080db02bffe1db2",
"signature_type": "Function"
},
{
"id": "CVE-2022-50408-b1f52087",
"deprecated": false,
"digest": {
"line_hashes": [
"255241027598683760872009720521585608563",
"74501335031921271241638788238644213168",
"52953226746936449755770001929876276277",
"295917495970021866261236061326612193970",
"207004969035754612364721834430648575572",
"173646633727828667146844273941859573089",
"105577685351947790429750311752548858214",
"149729578301940494905750692001806924278"
],
"threshold": 0.9
},
"signature_version": "v1",
"target": {
"file": "drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1613a7b24f1a7467cb727ba3ec77c9a808383560",
"signature_type": "Line"
},
{
"id": "CVE-2022-50408-b8c7f9db",
"deprecated": false,
"digest": {
"length": 1655.0,
"function_hash": "250908898070852269004985312741897878380"
},
"signature_version": "v1",
"target": {
"function": "brcmf_netdev_start_xmit",
"file": "drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3f42faf6db431e04bf942d2ebe3ae88975723478",
"signature_type": "Function"
},
{
"id": "CVE-2022-50408-db6f3591",
"deprecated": false,
"digest": {
"line_hashes": [
"255241027598683760872009720521585608563",
"74501335031921271241638788238644213168",
"52953226746936449755770001929876276277",
"17783314768674658215289792551076439815",
"207004969035754612364721834430648575572",
"173646633727828667146844273941859573089",
"105577685351947790429750311752548858214",
"149729578301940494905750692001806924278"
],
"threshold": 0.9
},
"signature_version": "v1",
"target": {
"file": "drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@27574a3f421c3a1694d0207f37c6bbf23d66978e",
"signature_type": "Line"
},
{
"id": "CVE-2022-50408-ed156d0f",
"deprecated": false,
"digest": {
"line_hashes": [
"255241027598683760872009720521585608563",
"74501335031921271241638788238644213168",
"52953226746936449755770001929876276277",
"17783314768674658215289792551076439815",
"207004969035754612364721834430648575572",
"173646633727828667146844273941859573089",
"105577685351947790429750311752548858214",
"149729578301940494905750692001806924278"
],
"threshold": 0.9
},
"signature_version": "v1",
"target": {
"file": "drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@49c742afd60f552fce7799287080db02bffe1db2",
"signature_type": "Line"
},
{
"id": "CVE-2022-50408-f5075797",
"deprecated": false,
"digest": {
"line_hashes": [
"255241027598683760872009720521585608563",
"74501335031921271241638788238644213168",
"52953226746936449755770001929876276277",
"17783314768674658215289792551076439815",
"207004969035754612364721834430648575572",
"173646633727828667146844273941859573089",
"105577685351947790429750311752548858214",
"149729578301940494905750692001806924278"
],
"threshold": 0.9
},
"signature_version": "v1",
"target": {
"file": "drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@e01d96494a9de0f48b1167f0494f6d929fa773ed",
"signature_type": "Line"
}
]