mirror_ubuntu-kernels/drivers/net/wireless
Zekun Shen b07e3c6ebc rsi: Fix use-after-free in rsi_rx_done_handler()
When freeing rx_cb->rx_skb, the pointer is not set to NULL,
so a later rsi_rx_done_handler call will try to read the freed
address.
This bug will very likely lead to a double free, although it is
detected early as a use-after-free bug.

The bug is triggerable with a compromised/malfunctioning USB
device. After applying the patch, the same input no longer
triggers the use-after-free.

Attached is the kasan report from fuzzing.

BUG: KASAN: use-after-free in rsi_rx_done_handler+0x354/0x430 [rsi_usb]
Read of size 4 at addr ffff8880188e5930 by task modprobe/231
Call Trace:
 <IRQ>
 dump_stack+0x76/0xa0
 print_address_description.constprop.0+0x16/0x200
 ? rsi_rx_done_handler+0x354/0x430 [rsi_usb]
 ? rsi_rx_done_handler+0x354/0x430 [rsi_usb]
 __kasan_report.cold+0x37/0x7c
 ? dma_direct_unmap_page+0x90/0x110
 ? rsi_rx_done_handler+0x354/0x430 [rsi_usb]
 kasan_report+0xe/0x20
 rsi_rx_done_handler+0x354/0x430 [rsi_usb]
 __usb_hcd_giveback_urb+0x1e4/0x380
 usb_giveback_urb_bh+0x241/0x4f0
 ? __usb_hcd_giveback_urb+0x380/0x380
 ? apic_timer_interrupt+0xa/0x20
 tasklet_action_common.isra.0+0x135/0x330
 __do_softirq+0x18c/0x634
 ? handle_irq_event+0xcd/0x157
 ? handle_edge_irq+0x1eb/0x7b0
 irq_exit+0x114/0x140
 do_IRQ+0x91/0x1e0
 common_interrupt+0xf/0xf
 </IRQ>

Reported-by: Brendan Dolan-Gavitt <brendandg@nyu.edu>
Signed-off-by: Zekun Shen <bruceshenzk@gmail.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/YXxQL/vIiYcZUu/j@10-18-43-117.dynapool.wireless.nyu.edu
2021-11-29 12:43:15 +02:00
admtek module: remove never implemented MODULE_SUPPORTED_DEVICE 2021-03-17 13:16:18 -07:00
ath Merge ath-next from git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/ath.git 2021-11-19 15:32:01 +02:00
atmel atmel: use eth_hw_addr_set() 2021-10-20 12:39:44 +03:00
broadcom brcmfmac: Configure keep-alive packet on suspend 2021-11-29 12:24:59 +02:00
cisco airo: use eth_hw_addr_set() 2021-10-20 12:39:45 +03:00
intel iwlwifi: mvm: read the rfkill state and feed it to iwlmei 2021-11-26 18:31:48 +02:00
intersil hostap: use eth_hw_addr_set() 2021-10-20 12:39:46 +03:00
marvell mwifiex: Ignore BTCOEX events from the 88W8897 firmware 2021-11-26 18:30:13 +02:00
mediatek mt76: connac: fix unresolved symbols when CONFIG_PM is unset 2021-10-23 13:23:45 +02:00
microchip wilc1000: remove '-Wunused-but-set-variable' warning in chip_wakeup() 2021-11-26 18:32:51 +02:00
quantenna wireless: use eth_hw_addr_set() instead of ether_addr_copy() 2021-10-20 12:39:42 +03:00
ralink rt2x00: remove duplicate USB device ID 2021-09-21 18:09:38 +03:00
realtek rtw88: add quirk to disable pci caps on HP 250 G7 Notebook PC 2021-11-26 18:20:38 +02:00
rsi rsi: Fix use-after-free in rsi_rx_done_handler() 2021-11-29 12:43:15 +02:00
st wireless: Remove redundant 'flush_workqueue()' calls 2021-10-13 09:22:19 +03:00
ti wlcore: spi: Use dev_err_probe() 2021-10-27 10:31:33 +03:00
zydas zd1201: use eth_hw_addr_set() 2021-10-20 12:39:47 +03:00
Kconfig
mac80211_hwsim.c Quite a few changes: 2021-10-22 10:20:56 -07:00
mac80211_hwsim.h
Makefile
ray_cs.c ray_cs: use eth_hw_addr_set() 2021-10-20 12:39:46 +03:00
ray_cs.h
rayctl.h
rndis_wlan.c wireless: Remove redundant 'flush_workqueue()' calls 2021-10-13 09:22:19 +03:00
virt_wifi.c virt_wifi: fix error on connect 2021-07-23 10:34:31 +02:00
wl3501_cs.c wl3501_cs: use eth_hw_addr_set() 2021-10-20 12:39:47 +03:00
wl3501.h wl3501_cs: Fix out-of-bounds warnings in wl3501_mgmt_join 2021-04-22 17:38:41 +03:00