In the Linux kernel, the following vulnerability has been resolved:
wifi: brcmfmac: Fix use-after-free bug in brcmfcfg80211detach
This is the candidate patch of CVE-2023-47233 : https://nvd.nist.gov/vuln/detail/CVE-2023-47233
In brcm80211 driver,it starts with the following invoking chain to start init a timeout worker:
->brcmfusbprobe ->brcmfusbprobecb ->brcmfattach ->brcmfbusstarted ->brcmfcfg80211attach ->wlinitpriv ->brcmfinitescan ->INITWORK(&cfg->escantimeoutwork, brcmfcfg80211escantimeout_worker);
If we disconnect the USB by hotplug, it will call brcmfusbdisconnect to make cleanup. The invoking chain is :
brcmfusbdisconnect ->brcmfusbdisconnectcb ->brcmfdetach ->brcmfcfg80211detach ->kfree(cfg);
While the timeout woker may still be running. This will cause a use-after-free bug on cfg in brcmfcfg80211escantimeoutworker.
Fix it by deleting the timer and canceling the worker in brcmfcfg80211detach.
[arend.vanspriel@broadcom.com: keep timer delete as is and cancel work just before free]
{ "vanir_signatures": [ { "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8c36205123dc57349b59b4f1a2301eb278cbc731", "signature_type": "Function", "target": { "function": "brcmf_notify_escan_complete", "file": "drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c" }, "deprecated": false, "digest": { "length": 1611.0, "function_hash": "202744169388390520869521841795547129579" }, "id": "CVE-2024-35811-13e5b4f5" }, { "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@0a7591e14a8da794d0b93b5d1c6254ccb23adacb", "signature_type": "Line", "target": { "file": "drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c" }, "deprecated": false, "digest": { "line_hashes": [ "230072663310084089175982513313504748088", "6259933212960945363759512439742590211", "244027480212787933938087095833235155179", "186935689991447824842317656401726188282", "294411093551994592905846005751366575199", "14037304564656292801416866304333892763", "261938924265894917252525628797684902952", "90882651980427162856622663185591640338", "282610022381279507551684280526496726304" ], "threshold": 0.9 }, "id": "CVE-2024-35811-2d5a6b10" }, { "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@202c503935042272e2f9e1bb549d5f69a8681169", "signature_type": "Function", "target": { "function": "brcmf_notify_escan_complete", "file": "drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c" }, "deprecated": false, "digest": { "length": 1576.0, "function_hash": "304615750505555539845897819099427978876" }, "id": "CVE-2024-35811-3218ff1e" }, { "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@0b812f706fd7090be74812101114a0e165b36744", "signature_type": "Function", "target": { "function": "brcmf_notify_escan_complete", "file": "drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c" }, "deprecated": false, "digest": { "length": 1611.0, "function_hash": "202744169388390520869521841795547129579" }, "id": "CVE-2024-35811-3544825d" }, { "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@0b812f706fd7090be74812101114a0e165b36744", "signature_type": "Line", "target": { "file": "drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c" }, "deprecated": false, "digest": { "line_hashes": [ "230072663310084089175982513313504748088", "6259933212960945363759512439742590211", "244027480212787933938087095833235155179", "186935689991447824842317656401726188282", "339235722208233662357141583005179863654", "14037304564656292801416866304333892763", "261938924265894917252525628797684902952", "90882651980427162856622663185591640338", "282610022381279507551684280526496726304" ], "threshold": 0.9 }, "id": "CVE-2024-35811-41c6ff3f" }, { "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@bacb8c3ab86dcd760c15903fcee58169bc3026aa", "signature_type": "Function", "target": { "function": "brcmf_notify_escan_complete", "file": "drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c" }, "deprecated": false, "digest": { "length": 1611.0, "function_hash": "202744169388390520869521841795547129579" }, "id": "CVE-2024-35811-4569de5e" }, { "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@202c503935042272e2f9e1bb549d5f69a8681169", "signature_type": "Line", "target": { "file": "drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c" }, "deprecated": false, "digest": { "line_hashes": [ "230072663310084089175982513313504748088", "6259933212960945363759512439742590211", "244027480212787933938087095833235155179", "186935689991447824842317656401726188282", "339235722208233662357141583005179863654", "83354623015647542139012216050834332483", "127658352679417661744590956952447818555", "49438163835801798932492350272233636921", "282610022381279507551684280526496726304" ], "threshold": 0.9 }, "id": "CVE-2024-35811-50f1b7cb" }, { "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@0a7591e14a8da794d0b93b5d1c6254ccb23adacb", "signature_type": "Function", "target": { "function": "brcmf_notify_escan_complete", "file": "drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c" }, "deprecated": false, "digest": { "length": 1455.0, "function_hash": "276945095490196561705739881625198981823" }, "id": "CVE-2024-35811-5105e117" }, { "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@190794848e2b9d15de92d502b6ac652806904f5a", "signature_type": "Function", "target": { "function": "brcmf_cfg80211_detach", "file": "drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c" }, "deprecated": false, "digest": { "length": 204.0, "function_hash": "172185116932255181406131961017411860839" }, "id": "CVE-2024-35811-651072b6" }, { "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@190794848e2b9d15de92d502b6ac652806904f5a", "signature_type": "Function", "target": { "function": "brcmf_notify_escan_complete", "file": "drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c" }, "deprecated": false, "digest": { "length": 1455.0, "function_hash": "276945095490196561705739881625198981823" }, "id": "CVE-2024-35811-6b1013b9" }, { "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8c36205123dc57349b59b4f1a2301eb278cbc731", "signature_type": "Line", "target": { "file": "drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c" }, "deprecated": false, "digest": { "line_hashes": [ "230072663310084089175982513313504748088", "6259933212960945363759512439742590211", "244027480212787933938087095833235155179", "186935689991447824842317656401726188282", "339235722208233662357141583005179863654", "14037304564656292801416866304333892763", "261938924265894917252525628797684902952", "90882651980427162856622663185591640338", "282610022381279507551684280526496726304" ], "threshold": 0.9 }, "id": "CVE-2024-35811-9033cfc5" }, { "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@190794848e2b9d15de92d502b6ac652806904f5a", "signature_type": "Line", "target": { "file": "drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c" }, "deprecated": false, "digest": { "line_hashes": [ "230072663310084089175982513313504748088", "6259933212960945363759512439742590211", "244027480212787933938087095833235155179", "186935689991447824842317656401726188282", "294411093551994592905846005751366575199", "14037304564656292801416866304333892763", "261938924265894917252525628797684902952", "90882651980427162856622663185591640338", "282610022381279507551684280526496726304" ], "threshold": 0.9 }, "id": "CVE-2024-35811-946b2185" }, { "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@0b812f706fd7090be74812101114a0e165b36744", "signature_type": "Function", "target": { "function": "brcmf_cfg80211_detach", "file": "drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c" }, "deprecated": false, "digest": { "length": 204.0, "function_hash": "172185116932255181406131961017411860839" }, "id": "CVE-2024-35811-a0533bca" }, { "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@bacb8c3ab86dcd760c15903fcee58169bc3026aa", "signature_type": "Function", "target": { "function": "brcmf_cfg80211_detach", "file": "drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c" }, "deprecated": false, "digest": { "length": 204.0, "function_hash": "172185116932255181406131961017411860839" }, "id": "CVE-2024-35811-acd89642" }, { "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@0a7591e14a8da794d0b93b5d1c6254ccb23adacb", "signature_type": "Function", "target": { "function": "brcmf_cfg80211_detach", "file": "drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c" }, "deprecated": false, "digest": { "length": 204.0, "function_hash": "172185116932255181406131961017411860839" }, "id": "CVE-2024-35811-b025859a" }, { "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@bacb8c3ab86dcd760c15903fcee58169bc3026aa", "signature_type": "Line", "target": { "file": "drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c" }, "deprecated": false, "digest": { "line_hashes": [ "230072663310084089175982513313504748088", "6259933212960945363759512439742590211", "244027480212787933938087095833235155179", "186935689991447824842317656401726188282", "339235722208233662357141583005179863654", "14037304564656292801416866304333892763", "261938924265894917252525628797684902952", "90882651980427162856622663185591640338", "282610022381279507551684280526496726304" ], "threshold": 0.9 }, "id": "CVE-2024-35811-b9c335a3" }, { "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@0f7352557a35ab7888bc7831411ec8a3cbe20d78", "signature_type": "Line", "target": { "file": "drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c" }, "deprecated": false, "digest": { "line_hashes": [ "230072663310084089175982513313504748088", "6259933212960945363759512439742590211", "244027480212787933938087095833235155179", "186935689991447824842317656401726188282", "294411093551994592905846005751366575199", "14037304564656292801416866304333892763", "261938924265894917252525628797684902952", "90882651980427162856622663185591640338", "282610022381279507551684280526496726304" ], "threshold": 0.9 }, "id": "CVE-2024-35811-d115161c" }, { "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8c36205123dc57349b59b4f1a2301eb278cbc731", "signature_type": "Function", "target": { "function": "brcmf_cfg80211_detach", "file": "drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c" }, "deprecated": false, "digest": { "length": 204.0, "function_hash": "172185116932255181406131961017411860839" }, "id": "CVE-2024-35811-d7dc18b7" }, { "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@0f7352557a35ab7888bc7831411ec8a3cbe20d78", "signature_type": "Function", "target": { "function": "brcmf_cfg80211_detach", "file": "drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c" }, "deprecated": false, "digest": { "length": 204.0, "function_hash": "172185116932255181406131961017411860839" }, "id": "CVE-2024-35811-d86e4a24" }, { "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@202c503935042272e2f9e1bb549d5f69a8681169", "signature_type": "Function", "target": { "function": "brcmf_cfg80211_detach", "file": "drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c" }, "deprecated": false, "digest": { "length": 232.0, "function_hash": "300893583845306861342261190537039489003" }, "id": "CVE-2024-35811-dabb4ba7" }, { "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@0f7352557a35ab7888bc7831411ec8a3cbe20d78", "signature_type": "Function", "target": { "function": "brcmf_notify_escan_complete", "file": "drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c" }, "deprecated": false, "digest": { "length": 1455.0, "function_hash": "276945095490196561705739881625198981823" }, "id": "CVE-2024-35811-dd5a50d7" } ] }