ACK: [SRU][M/J/F][PATCH 0/1] CVE-2023-47233

Tim Gardner tim.gardner at canonical.com
Thu Apr 4 13:56:45 UTC 2024


On 4/3/24 9:26 AM, Bethany Jamison wrote:
> [Impact]
> 
>   The brcm80211 component in the Linux kernel through 6.5.10 has a
>   brcmf_cfg80211_detach use-after-free in the device unplugging (disconnect
>   the USB by hotplug) code. For physically proximate attackers with local
>   access, this "could be exploited in a real world scenario." This is related
>   to brcmf_cfg80211_escan_timeout_worker in
>   drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c.
> 
> [Fix]
> 
> Mantic:	Clean cherry-pick.
> Jammy:	Mantic patch applied cleanly.
> Focal:	Backport - used del_timer_sync in place of timer_delete_sync.
> Bionic:	fix sent to esm ML
> Xenial:	fix sent to esm ML
> Trusty:	not going to be fixed by us
> 
> [Test Case]
> 
> Compile and boot tested.
> 
> [Where problems could occur]
> 
> This fix affects those who use the brcm80211 driver who then disconnect
> the USB via hotplug; issues with this fix would be visible via some
> undefined behavior from the system. This fix has a fairly low risk of
> regression, though the risk is slightly increased in Focal because I had
> to swap the timer deletion sync functions.
> 
> Zheng Wang (1):
>    wifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach
> 
>   drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 4 ++--
>   1 file changed, 2 insertions(+), 2 deletions(-)
> 
Acked-by: Tim Gardner <tim.gardner at canonical.com>
-- 
-----------
Tim Gardner
Canonical, Inc



