Re: [PATCH v5 1/2] ath9k: fix use-after-free in ath9k_hif_usb_rx_cb
From: Takashi Iwai
Date: Fri Jun 10 2022 - 08:49:45 EST
On Sat, 21 May 2022 23:28:01 +0200,
Pavel Skripkin wrote:
>
> Syzbot reported use-after-free Read in ath9k_hif_usb_rx_cb() [0]. The
> problem was in incorrect htc_handle->drv_priv initialization.
>
> Probable call trace which can trigger use-after-free:
>
> ath9k_htc_probe_device()
> /* htc_handle->drv_priv = priv; */
> ath9k_htc_wait_for_target() <--- Failed
> ieee80211_free_hw() <--- priv pointer is freed
>
> <IRQ>
> ...
> ath9k_hif_usb_rx_cb()
> ath9k_hif_usb_rx_stream()
> RX_STAT_INC() <--- htc_handle->drv_priv access
>
> In order to not add fancy protection for drv_priv we can move
> htc_handle->drv_priv initialization at the end of the
> ath9k_htc_probe_device() and add helper macro to make
> all *_STAT_* macros NULL safe, since syzbot has reported related NULL
> deref in that macros [1]
>
> Link: https://syzkaller.appspot.com/bug?id=6ead44e37afb6866ac0c7dd121b4ce07cb665f60 [0]
> Link: https://syzkaller.appspot.com/bug?id=b8101ffcec107c0567a0cd8acbbacec91e9ee8de [1]
> Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.")
> Reported-and-tested-by: syzbot+03110230a11411024147@xxxxxxxxxxxxxxxxxxxxxxxxx
> Reported-and-tested-by: syzbot+c6dde1f690b60e0b9fbe@xxxxxxxxxxxxxxxxxxxxxxxxx
> Signed-off-by: Pavel Skripkin <paskripkin@xxxxxxxxx>
Hi Toke, any update on this?
I'm asking it because this is a fix for a security issue
(CVE-2022-1679 [*]), and distros have been waiting for the fix getting
merged to the upstream for weeks.
[*] https://nvd.nist.gov/vuln/detail/CVE-2022-1679
thanks,
Takashi