cve/published/2024/CVE-2024-26892.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-26892: wifi: mt76: mt7921e: fix use-after-free in free_irq()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 wifi: mt76: mt7921e: fix use-after-free in free_irq()

 From commit a304e1b82808 ("[PATCH] Debug shared irqs"), there is a test
 to make sure the shared irq handler should be able to handle the unexpected
 event after deregistration. For this case, let's apply MT76_REMOVED flag to
 indicate the device was removed and do not run into the resource access
 anymore.

 BUG: KASAN: use-after-free in mt7921_irq_handler+0xd8/0x100 [mt7921e]
 Read of size 8 at addr ffff88824a7d3b78 by task rmmod/11115
 CPU: 28 PID: 11115 Comm: rmmod Tainted: G        W    L    5.17.0 #10
 Hardware name: Micro-Star International Co., Ltd. MS-7D73/MPG B650I
 EDGE WIFI (MS-7D73), BIOS 1.81 01/05/2024
 Call Trace:
  <TASK>
  dump_stack_lvl+0x6f/0xa0
  print_address_description.constprop.0+0x1f/0x190
  ? mt7921_irq_handler+0xd8/0x100 [mt7921e]
  ? mt7921_irq_handler+0xd8/0x100 [mt7921e]
  kasan_report.cold+0x7f/0x11b
  ? mt7921_irq_handler+0xd8/0x100 [mt7921e]
  mt7921_irq_handler+0xd8/0x100 [mt7921e]
  free_irq+0x627/0xaa0
  devm_free_irq+0x94/0xd0
  ? devm_request_any_context_irq+0x160/0x160
  ? kobject_put+0x18d/0x4a0
  mt7921_pci_remove+0x153/0x190 [mt7921e]
  pci_device_remove+0xa2/0x1d0
  __device_release_driver+0x346/0x6e0
  driver_detach+0x1ef/0x2c0
  bus_remove_driver+0xe7/0x2d0
  ? __check_object_size+0x57/0x310
  pci_unregister_driver+0x26/0x250
  __do_sys_delete_module+0x307/0x510
  ? free_module+0x6a0/0x6a0
  ? fpregs_assert_state_consistent+0x4b/0xb0
  ? rcu_read_lock_sched_held+0x10/0x70
  ? syscall_enter_from_user_mode+0x20/0x70
  ? trace_hardirqs_on+0x1c/0x130
  do_syscall_64+0x5c/0x80
  ? trace_hardirqs_on_prepare+0x72/0x160
  ? do_syscall_64+0x68/0x80
  ? trace_hardirqs_on_prepare+0x72/0x160
  entry_SYSCALL_64_after_hwframe+0x44/0xae

 The Linux kernel CVE team has assigned CVE-2024-26892 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.4 with commit 9270270d62191b7549296721e8d5f3dc0df01563 and fixed in 6.6.23 with commit c7dd42fbebcfb02bef070fd48f774d6412d0b49d
 	Issue introduced in 6.4 with commit 9270270d62191b7549296721e8d5f3dc0df01563 and fixed in 6.7.11 with commit bfe1adf1606f76c180324e53b130f0e76d5cc6c3
 	Issue introduced in 6.4 with commit 9270270d62191b7549296721e8d5f3dc0df01563 and fixed in 6.8.2 with commit bfeaef901194c5923ce3330272786eff2fac513a
 	Issue introduced in 6.4 with commit 9270270d62191b7549296721e8d5f3dc0df01563 and fixed in 6.9 with commit c957280ef6ab6bdf559a91ae693a6b34310697e3
 	Issue introduced in 6.2.15 with commit a76eaaaafd8b408238d7865bbbbd311f08988f3d
 	Issue introduced in 6.3.2 with commit 95e41ac30a0d0b3637f0b3c93235a7a107a2fb7f

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-26892
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/net/wireless/mediatek/mt76/mt7921/pci.c
 	drivers/net/wireless/mediatek/mt76/mt792x_dma.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/c7dd42fbebcfb02bef070fd48f774d6412d0b49d
 	https://git.kernel.org/stable/c/bfe1adf1606f76c180324e53b130f0e76d5cc6c3
 	https://git.kernel.org/stable/c/bfeaef901194c5923ce3330272786eff2fac513a
 	https://git.kernel.org/stable/c/c957280ef6ab6bdf559a91ae693a6b34310697e3
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-26892: wifi: mt76: mt7921e: fix use-after-free in free_irq()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	wifi: mt76: mt7921e: fix use-after-free in free_irq()

	From commit a304e1b82808 ("[PATCH] Debug shared irqs"), there is a test
	to make sure the shared irq handler should be able to handle the unexpected
	event after deregistration. For this case, let's apply MT76_REMOVED flag to
	indicate the device was removed and do not run into the resource access
	anymore.

	BUG: KASAN: use-after-free in mt7921_irq_handler+0xd8/0x100 [mt7921e]
	Read of size 8 at addr ffff88824a7d3b78 by task rmmod/11115
	CPU: 28 PID: 11115 Comm: rmmod Tainted: G W L 5.17.0 #10
	Hardware name: Micro-Star International Co., Ltd. MS-7D73/MPG B650I
	EDGE WIFI (MS-7D73), BIOS 1.81 01/05/2024
	Call Trace:
	<TASK>
	dump_stack_lvl+0x6f/0xa0
	print_address_description.constprop.0+0x1f/0x190
	? mt7921_irq_handler+0xd8/0x100 [mt7921e]
	? mt7921_irq_handler+0xd8/0x100 [mt7921e]
	kasan_report.cold+0x7f/0x11b
	? mt7921_irq_handler+0xd8/0x100 [mt7921e]
	mt7921_irq_handler+0xd8/0x100 [mt7921e]
	free_irq+0x627/0xaa0
	devm_free_irq+0x94/0xd0
	? devm_request_any_context_irq+0x160/0x160
	? kobject_put+0x18d/0x4a0
	mt7921_pci_remove+0x153/0x190 [mt7921e]
	pci_device_remove+0xa2/0x1d0
	__device_release_driver+0x346/0x6e0
	driver_detach+0x1ef/0x2c0
	bus_remove_driver+0xe7/0x2d0
	? __check_object_size+0x57/0x310
	pci_unregister_driver+0x26/0x250
	__do_sys_delete_module+0x307/0x510
	? free_module+0x6a0/0x6a0
	? fpregs_assert_state_consistent+0x4b/0xb0
	? rcu_read_lock_sched_held+0x10/0x70
	? syscall_enter_from_user_mode+0x20/0x70
	? trace_hardirqs_on+0x1c/0x130
	do_syscall_64+0x5c/0x80
	? trace_hardirqs_on_prepare+0x72/0x160
	? do_syscall_64+0x68/0x80
	? trace_hardirqs_on_prepare+0x72/0x160
	entry_SYSCALL_64_after_hwframe+0x44/0xae

	The Linux kernel CVE team has assigned CVE-2024-26892 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.4 with commit 9270270d62191b7549296721e8d5f3dc0df01563 and fixed in 6.6.23 with commit c7dd42fbebcfb02bef070fd48f774d6412d0b49d
	Issue introduced in 6.4 with commit 9270270d62191b7549296721e8d5f3dc0df01563 and fixed in 6.7.11 with commit bfe1adf1606f76c180324e53b130f0e76d5cc6c3
	Issue introduced in 6.4 with commit 9270270d62191b7549296721e8d5f3dc0df01563 and fixed in 6.8.2 with commit bfeaef901194c5923ce3330272786eff2fac513a
	Issue introduced in 6.4 with commit 9270270d62191b7549296721e8d5f3dc0df01563 and fixed in 6.9 with commit c957280ef6ab6bdf559a91ae693a6b34310697e3
	Issue introduced in 6.2.15 with commit a76eaaaafd8b408238d7865bbbbd311f08988f3d
	Issue introduced in 6.3.2 with commit 95e41ac30a0d0b3637f0b3c93235a7a107a2fb7f

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-26892
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/net/wireless/mediatek/mt76/mt7921/pci.c
	drivers/net/wireless/mediatek/mt76/mt792x_dma.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/c7dd42fbebcfb02bef070fd48f774d6412d0b49d
	https://git.kernel.org/stable/c/bfe1adf1606f76c180324e53b130f0e76d5cc6c3
	https://git.kernel.org/stable/c/bfeaef901194c5923ce3330272786eff2fac513a
	https://git.kernel.org/stable/c/c957280ef6ab6bdf559a91ae693a6b34310697e3