cve/published/2024/CVE-2024-57992.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-57992: wifi: wilc1000: unregister wiphy only if it has been registered

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 wifi: wilc1000: unregister wiphy only if it has been registered

 There is a specific error path in probe functions in wilc drivers (both
 sdio and spi) which can lead to kernel panic, as this one for example
 when using SPI:

 Unable to handle kernel paging request at virtual address 9f000000 when read
 [9f000000] *pgd=00000000
 Internal error: Oops: 5 [#1] ARM
 Modules linked in: wilc1000_spi(+) crc_itu_t crc7 wilc1000 cfg80211 bluetooth ecdh_generic ecc
 CPU: 0 UID: 0 PID: 106 Comm: modprobe Not tainted 6.13.0-rc3+ #22
 Hardware name: Atmel SAMA5
 PC is at wiphy_unregister+0x244/0xc40 [cfg80211]
 LR is at wiphy_unregister+0x1c0/0xc40 [cfg80211]
 [...]
  wiphy_unregister [cfg80211] from wilc_netdev_cleanup+0x380/0x494 [wilc1000]
  wilc_netdev_cleanup [wilc1000] from wilc_bus_probe+0x360/0x834 [wilc1000_spi]
  wilc_bus_probe [wilc1000_spi] from spi_probe+0x15c/0x1d4
  spi_probe from really_probe+0x270/0xb2c
  really_probe from __driver_probe_device+0x1dc/0x4e8
  __driver_probe_device from driver_probe_device+0x5c/0x140
  driver_probe_device from __driver_attach+0x220/0x540
  __driver_attach from bus_for_each_dev+0x13c/0x1a8
  bus_for_each_dev from bus_add_driver+0x2a0/0x6a4
  bus_add_driver from driver_register+0x27c/0x51c
  driver_register from do_one_initcall+0xf8/0x564
  do_one_initcall from do_init_module+0x2e4/0x82c
  do_init_module from load_module+0x59a0/0x70c4
  load_module from init_module_from_file+0x100/0x148
  init_module_from_file from sys_finit_module+0x2fc/0x924
  sys_finit_module from ret_fast_syscall+0x0/0x1c

 The issue can easily be reproduced, for example by not wiring correctly
 a wilc device through SPI (and so, make it unresponsive to early SPI
 commands). It is due to a recent change decoupling wiphy allocation from
 wiphy registration, however wilc_netdev_cleanup has not been updated
 accordingly, letting it possibly call wiphy unregister on a wiphy which
 has never been registered.

 Fix this crash by moving wiphy_unregister/wiphy_free out of
 wilc_netdev_cleanup, and by adjusting error paths in both drivers

 The Linux kernel CVE team has assigned CVE-2024-57992 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.13 with commit fbdf0c5248dce4b55181e9aff8f1b61819ba6bd7 and fixed in 6.13.2 with commit c7115b8229f3e6cdfae43b1cdd180f5b6c67cd70
 	Issue introduced in 6.13 with commit fbdf0c5248dce4b55181e9aff8f1b61819ba6bd7 and fixed in 6.14 with commit 1be94490b6b8a06ff14cd23fda8714e6ec37cdfb

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-57992
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/net/wireless/microchip/wilc1000/netdev.c
 	drivers/net/wireless/microchip/wilc1000/sdio.c
 	drivers/net/wireless/microchip/wilc1000/spi.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/c7115b8229f3e6cdfae43b1cdd180f5b6c67cd70
 	https://git.kernel.org/stable/c/1be94490b6b8a06ff14cd23fda8714e6ec37cdfb
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-57992: wifi: wilc1000: unregister wiphy only if it has been registered

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	wifi: wilc1000: unregister wiphy only if it has been registered

	There is a specific error path in probe functions in wilc drivers (both
	sdio and spi) which can lead to kernel panic, as this one for example
	when using SPI:

	Unable to handle kernel paging request at virtual address 9f000000 when read
	[9f000000] *pgd=00000000
	Internal error: Oops: 5 [#1] ARM
	Modules linked in: wilc1000_spi(+) crc_itu_t crc7 wilc1000 cfg80211 bluetooth ecdh_generic ecc
	CPU: 0 UID: 0 PID: 106 Comm: modprobe Not tainted 6.13.0-rc3+ #22
	Hardware name: Atmel SAMA5
	PC is at wiphy_unregister+0x244/0xc40 [cfg80211]
	LR is at wiphy_unregister+0x1c0/0xc40 [cfg80211]
	[...]
	wiphy_unregister [cfg80211] from wilc_netdev_cleanup+0x380/0x494 [wilc1000]
	wilc_netdev_cleanup [wilc1000] from wilc_bus_probe+0x360/0x834 [wilc1000_spi]
	wilc_bus_probe [wilc1000_spi] from spi_probe+0x15c/0x1d4
	spi_probe from really_probe+0x270/0xb2c
	really_probe from __driver_probe_device+0x1dc/0x4e8
	__driver_probe_device from driver_probe_device+0x5c/0x140
	driver_probe_device from __driver_attach+0x220/0x540
	__driver_attach from bus_for_each_dev+0x13c/0x1a8
	bus_for_each_dev from bus_add_driver+0x2a0/0x6a4
	bus_add_driver from driver_register+0x27c/0x51c
	driver_register from do_one_initcall+0xf8/0x564
	do_one_initcall from do_init_module+0x2e4/0x82c
	do_init_module from load_module+0x59a0/0x70c4
	load_module from init_module_from_file+0x100/0x148
	init_module_from_file from sys_finit_module+0x2fc/0x924
	sys_finit_module from ret_fast_syscall+0x0/0x1c

	The issue can easily be reproduced, for example by not wiring correctly
	a wilc device through SPI (and so, make it unresponsive to early SPI
	commands). It is due to a recent change decoupling wiphy allocation from
	wiphy registration, however wilc_netdev_cleanup has not been updated
	accordingly, letting it possibly call wiphy unregister on a wiphy which
	has never been registered.

	Fix this crash by moving wiphy_unregister/wiphy_free out of
	wilc_netdev_cleanup, and by adjusting error paths in both drivers

	The Linux kernel CVE team has assigned CVE-2024-57992 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.13 with commit fbdf0c5248dce4b55181e9aff8f1b61819ba6bd7 and fixed in 6.13.2 with commit c7115b8229f3e6cdfae43b1cdd180f5b6c67cd70
	Issue introduced in 6.13 with commit fbdf0c5248dce4b55181e9aff8f1b61819ba6bd7 and fixed in 6.14 with commit 1be94490b6b8a06ff14cd23fda8714e6ec37cdfb

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-57992
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/net/wireless/microchip/wilc1000/netdev.c
	drivers/net/wireless/microchip/wilc1000/sdio.c
	drivers/net/wireless/microchip/wilc1000/spi.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/c7115b8229f3e6cdfae43b1cdd180f5b6c67cd70
	https://git.kernel.org/stable/c/1be94490b6b8a06ff14cd23fda8714e6ec37cdfb