{ "containers": { "cna": { "providerMetadata": { "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038" }, "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach\n\nThis is the candidate patch of CVE-2023-47233 :\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-47233\n\nIn brcm80211 driver,it starts with the following invoking chain\nto start init a timeout worker:\n\n->brcmf_usb_probe\n ->brcmf_usb_probe_cb\n ->brcmf_attach\n ->brcmf_bus_started\n ->brcmf_cfg80211_attach\n ->wl_init_priv\n ->brcmf_init_escan\n ->INIT_WORK(&cfg->escan_timeout_work,\n\t\t brcmf_cfg80211_escan_timeout_worker);\n\nIf we disconnect the USB by hotplug, it will call\nbrcmf_usb_disconnect to make cleanup. The invoking chain is :\n\nbrcmf_usb_disconnect\n ->brcmf_usb_disconnect_cb\n ->brcmf_detach\n ->brcmf_cfg80211_detach\n ->kfree(cfg);\n\nWhile the timeout woker may still be running. This will cause\na use-after-free bug on cfg in brcmf_cfg80211_escan_timeout_worker.\n\nFix it by deleting the timer and canceling the worker in\nbrcmf_cfg80211_detach.\n\n[arend.vanspriel@broadcom.com: keep timer delete as is and cancel work just before free]" } ], "affected": [ { "product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": [ "drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c" ], "versions": [ { "version": "e756af5b30b0", "lessThan": "202c50393504", "status": "affected", "versionType": "git" }, { "version": "e756af5b30b0", "lessThan": "8e3f03f4ef7c", "status": "affected", "versionType": "git" }, { "version": "e756af5b30b0", "lessThan": "bacb8c3ab86d", "status": "affected", "versionType": "git" }, { "version": "e756af5b30b0", "lessThan": "8c36205123dc", "status": "affected", "versionType": "git" }, { "version": "e756af5b30b0", "lessThan": "0b812f706fd7", "status": "affected", "versionType": "git" }, { "version": "e756af5b30b0", "lessThan": "190794848e2b", "status": "affected", "versionType": "git" }, { "version": "e756af5b30b0", "lessThan": "6678a1e7d896", "status": "affected", "versionType": "git" }, { "version": "e756af5b30b0", "lessThan": "0a7591e14a8d", "status": "affected", "versionType": "git" }, { "version": "e756af5b30b0", "lessThan": "0f7352557a35", "status": "affected", "versionType": "git" } ] }, { "product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": [ "drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c" ], "versions": [ { "version": "3.7", "status": "affected" }, { "version": "0", "lessThan": "3.7", "status": "unaffected", "versionType": "custom" }, { "version": "4.19.312", "lessThanOrEqual": "4.19.*", "status": "unaffected", "versionType": "custom" }, { "version": "5.4.274", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "custom" }, { "version": "5.10.215", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "custom" }, { "version": "5.15.154", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "custom" }, { "version": "6.1.84", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "custom" }, { "version": "6.6.24", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "custom" }, { "version": "6.7.12", "lessThanOrEqual": "6.7.*", "status": "unaffected", "versionType": "custom" }, { "version": "6.8.3", "lessThanOrEqual": "6.8.*", "status": "unaffected", "versionType": "custom" }, { "version": "6.9", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix" } ] } ], "references": [ { "url": "https://git.kernel.org/stable/c/202c503935042272e2f9e1bb549d5f69a8681169" }, { "url": "https://git.kernel.org/stable/c/8e3f03f4ef7c36091f46e7349096efb5a2cdb3a1" }, { "url": "https://git.kernel.org/stable/c/bacb8c3ab86dcd760c15903fcee58169bc3026aa" }, { "url": "https://git.kernel.org/stable/c/8c36205123dc57349b59b4f1a2301eb278cbc731" }, { "url": "https://git.kernel.org/stable/c/0b812f706fd7090be74812101114a0e165b36744" }, { "url": "https://git.kernel.org/stable/c/190794848e2b9d15de92d502b6ac652806904f5a" }, { "url": "https://git.kernel.org/stable/c/6678a1e7d896c00030b31491690e8ddc9a90767a" }, { "url": "https://git.kernel.org/stable/c/0a7591e14a8da794d0b93b5d1c6254ccb23adacb" }, { "url": "https://git.kernel.org/stable/c/0f7352557a35ab7888bc7831411ec8a3cbe20d78" } ], "title": "wifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach", "x_generator": { "engine": "bippy-a5840b7849dd" } } }, "cveMetadata": { "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038", "cveID": "CVE-2024-35811", "requesterUserId": "gregkh@kernel.org", "serial": "1", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.0" }