cve/published/2024/CVE-2024-27053.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-27053: wifi: wilc1000: fix RCU usage in connect path

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 wifi: wilc1000: fix RCU usage in connect path

 With lockdep enabled, calls to the connect function from cfg802.11 layer
 lead to the following warning:

 =============================
 WARNING: suspicious RCU usage
 6.7.0-rc1-wt+ #333 Not tainted
 -----------------------------
 drivers/net/wireless/microchip/wilc1000/hif.c:386
 suspicious rcu_dereference_check() usage!
 [...]
 stack backtrace:
 CPU: 0 PID: 100 Comm: wpa_supplicant Not tainted 6.7.0-rc1-wt+ #333
 Hardware name: Atmel SAMA5
  unwind_backtrace from show_stack+0x18/0x1c
  show_stack from dump_stack_lvl+0x34/0x48
  dump_stack_lvl from wilc_parse_join_bss_param+0x7dc/0x7f4
  wilc_parse_join_bss_param from connect+0x2c4/0x648
  connect from cfg80211_connect+0x30c/0xb74
  cfg80211_connect from nl80211_connect+0x860/0xa94
  nl80211_connect from genl_rcv_msg+0x3fc/0x59c
  genl_rcv_msg from netlink_rcv_skb+0xd0/0x1f8
  netlink_rcv_skb from genl_rcv+0x2c/0x3c
  genl_rcv from netlink_unicast+0x3b0/0x550
  netlink_unicast from netlink_sendmsg+0x368/0x688
  netlink_sendmsg from ____sys_sendmsg+0x190/0x430
  ____sys_sendmsg from ___sys_sendmsg+0x110/0x158
  ___sys_sendmsg from sys_sendmsg+0xe8/0x150
  sys_sendmsg from ret_fast_syscall+0x0/0x1c

 This warning is emitted because in the connect path, when trying to parse
 target BSS parameters, we dereference a RCU pointer whithout being in RCU
 critical section.
 Fix RCU dereference usage by moving it to a RCU read critical section. To
 avoid wrapping the whole wilc_parse_join_bss_param under the critical
 section, just use the critical section to copy ies data

 The Linux kernel CVE team has assigned CVE-2024-27053 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.1 with commit c460495ee072fc01a9b1e8d72c179510418cafac and fixed in 5.4.273 with commit e556006de4ea93abe2b46cba202a2556c544b8b2
 	Issue introduced in 5.1 with commit c460495ee072fc01a9b1e8d72c179510418cafac and fixed in 5.10.214 with commit b4bbf38c350acb6500cbe667b1e2e68f896e4b38
 	Issue introduced in 5.1 with commit c460495ee072fc01a9b1e8d72c179510418cafac and fixed in 5.15.153 with commit d80fc436751cfa6b02a8eda74eb6cce7dadfe5a2
 	Issue introduced in 5.1 with commit c460495ee072fc01a9b1e8d72c179510418cafac and fixed in 6.1.83 with commit 745003b5917b610352f52fe0d11ef658d6471ec2
 	Issue introduced in 5.1 with commit c460495ee072fc01a9b1e8d72c179510418cafac and fixed in 6.6.23 with commit 4bfd20d5f5c62b5495d6c0016ee6933bd3add7ce
 	Issue introduced in 5.1 with commit c460495ee072fc01a9b1e8d72c179510418cafac and fixed in 6.7.11 with commit 5800ec78775c0cd646f71eb9bf8402fb794807de
 	Issue introduced in 5.1 with commit c460495ee072fc01a9b1e8d72c179510418cafac and fixed in 6.8.2 with commit dd50d3ead6e3707bb0a5df7cc832730c93ace3a7
 	Issue introduced in 5.1 with commit c460495ee072fc01a9b1e8d72c179510418cafac and fixed in 6.9 with commit 205c50306acf58a335eb19fa84e40140f4fe814f

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-27053
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/net/wireless/microchip/wilc1000/hif.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/e556006de4ea93abe2b46cba202a2556c544b8b2
 	https://git.kernel.org/stable/c/b4bbf38c350acb6500cbe667b1e2e68f896e4b38
 	https://git.kernel.org/stable/c/d80fc436751cfa6b02a8eda74eb6cce7dadfe5a2
 	https://git.kernel.org/stable/c/745003b5917b610352f52fe0d11ef658d6471ec2
 	https://git.kernel.org/stable/c/4bfd20d5f5c62b5495d6c0016ee6933bd3add7ce
 	https://git.kernel.org/stable/c/5800ec78775c0cd646f71eb9bf8402fb794807de
 	https://git.kernel.org/stable/c/dd50d3ead6e3707bb0a5df7cc832730c93ace3a7
 	https://git.kernel.org/stable/c/205c50306acf58a335eb19fa84e40140f4fe814f
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-27053: wifi: wilc1000: fix RCU usage in connect path

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	wifi: wilc1000: fix RCU usage in connect path

	With lockdep enabled, calls to the connect function from cfg802.11 layer
	lead to the following warning:

	=============================
	WARNING: suspicious RCU usage
	6.7.0-rc1-wt+ #333 Not tainted
	-----------------------------
	drivers/net/wireless/microchip/wilc1000/hif.c:386
	suspicious rcu_dereference_check() usage!
	[...]
	stack backtrace:
	CPU: 0 PID: 100 Comm: wpa_supplicant Not tainted 6.7.0-rc1-wt+ #333
	Hardware name: Atmel SAMA5
	unwind_backtrace from show_stack+0x18/0x1c
	show_stack from dump_stack_lvl+0x34/0x48
	dump_stack_lvl from wilc_parse_join_bss_param+0x7dc/0x7f4
	wilc_parse_join_bss_param from connect+0x2c4/0x648
	connect from cfg80211_connect+0x30c/0xb74
	cfg80211_connect from nl80211_connect+0x860/0xa94
	nl80211_connect from genl_rcv_msg+0x3fc/0x59c
	genl_rcv_msg from netlink_rcv_skb+0xd0/0x1f8
	netlink_rcv_skb from genl_rcv+0x2c/0x3c
	genl_rcv from netlink_unicast+0x3b0/0x550
	netlink_unicast from netlink_sendmsg+0x368/0x688
	netlink_sendmsg from ____sys_sendmsg+0x190/0x430
	____sys_sendmsg from ___sys_sendmsg+0x110/0x158
	___sys_sendmsg from sys_sendmsg+0xe8/0x150
	sys_sendmsg from ret_fast_syscall+0x0/0x1c

	This warning is emitted because in the connect path, when trying to parse
	target BSS parameters, we dereference a RCU pointer whithout being in RCU
	critical section.
	Fix RCU dereference usage by moving it to a RCU read critical section. To
	avoid wrapping the whole wilc_parse_join_bss_param under the critical
	section, just use the critical section to copy ies data

	The Linux kernel CVE team has assigned CVE-2024-27053 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.1 with commit c460495ee072fc01a9b1e8d72c179510418cafac and fixed in 5.4.273 with commit e556006de4ea93abe2b46cba202a2556c544b8b2
	Issue introduced in 5.1 with commit c460495ee072fc01a9b1e8d72c179510418cafac and fixed in 5.10.214 with commit b4bbf38c350acb6500cbe667b1e2e68f896e4b38
	Issue introduced in 5.1 with commit c460495ee072fc01a9b1e8d72c179510418cafac and fixed in 5.15.153 with commit d80fc436751cfa6b02a8eda74eb6cce7dadfe5a2
	Issue introduced in 5.1 with commit c460495ee072fc01a9b1e8d72c179510418cafac and fixed in 6.1.83 with commit 745003b5917b610352f52fe0d11ef658d6471ec2
	Issue introduced in 5.1 with commit c460495ee072fc01a9b1e8d72c179510418cafac and fixed in 6.6.23 with commit 4bfd20d5f5c62b5495d6c0016ee6933bd3add7ce
	Issue introduced in 5.1 with commit c460495ee072fc01a9b1e8d72c179510418cafac and fixed in 6.7.11 with commit 5800ec78775c0cd646f71eb9bf8402fb794807de
	Issue introduced in 5.1 with commit c460495ee072fc01a9b1e8d72c179510418cafac and fixed in 6.8.2 with commit dd50d3ead6e3707bb0a5df7cc832730c93ace3a7
	Issue introduced in 5.1 with commit c460495ee072fc01a9b1e8d72c179510418cafac and fixed in 6.9 with commit 205c50306acf58a335eb19fa84e40140f4fe814f

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-27053
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/net/wireless/microchip/wilc1000/hif.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/e556006de4ea93abe2b46cba202a2556c544b8b2
	https://git.kernel.org/stable/c/b4bbf38c350acb6500cbe667b1e2e68f896e4b38
	https://git.kernel.org/stable/c/d80fc436751cfa6b02a8eda74eb6cce7dadfe5a2
	https://git.kernel.org/stable/c/745003b5917b610352f52fe0d11ef658d6471ec2
	https://git.kernel.org/stable/c/4bfd20d5f5c62b5495d6c0016ee6933bd3add7ce
	https://git.kernel.org/stable/c/5800ec78775c0cd646f71eb9bf8402fb794807de
	https://git.kernel.org/stable/c/dd50d3ead6e3707bb0a5df7cc832730c93ace3a7
	https://git.kernel.org/stable/c/205c50306acf58a335eb19fa84e40140f4fe814f