| Description: | In the Linux kernel, the following vulnerability has been resolved:
wifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach This
is the candidate patch of CVE-2023-47233 :
https://nvd.nist.gov/vuln/detail/CVE-2023-47233 In brcm80211 driver,it
starts with the following invoking chain to start init a timeout
worker: ->brcmf_usb_probe ->brcmf_usb_probe_cb ->brcmf_attach
->brcmf_bus_started ->brcmf_cfg80211_attach ->wl_init_priv
->brcmf_init_escan ->INIT_WORK(&cfg->escan_timeout_work,
brcmf_cfg80211_escan_timeout_worker); If we disconnect the USB by
hotplug, it will call brcmf_usb_disconnect to make cleanup. The
invoking chain is : brcmf_usb_disconnect ->brcmf_usb_disconnect_cb
->brcmf_detach ->brcmf_cfg80211_detach ->kfree(cfg); While the timeout
woker may still be running. This will cause a use-after-free bug on
cfg in brcmf_cfg80211_escan_timeout_worker. Fix it by deleting the
timer and canceling the worker in brcmf_cfg80211_detach.
[arend.vanspriel@broadcom.com: keep timer delete as is and cancel work
just before free]
|
