cve/published/2024/CVE-2024-47712.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-47712: wifi: wilc1000: fix potential RCU dereference issue in wilc_parse_join_bss_param

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 wifi: wilc1000: fix potential RCU dereference issue in wilc_parse_join_bss_param

 In the `wilc_parse_join_bss_param` function, the TSF field of the `ies`
 structure is accessed after the RCU read-side critical section is
 unlocked. According to RCU usage rules, this is illegal. Reusing this
 pointer can lead to unpredictable behavior, including accessing memory
 that has been updated or causing use-after-free issues.

 This possible bug was identified using a static analysis tool developed
 by myself, specifically designed to detect RCU-related issues.

 To address this, the TSF value is now stored in a local variable
 `ies_tsf` before the RCU lock is released. The `param->tsf_lo` field is
 then assigned using this local variable, ensuring that the TSF value is
 safely accessed.

 The Linux kernel CVE team has assigned CVE-2024-47712 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.4.273 with commit e556006de4ea93abe2b46cba202a2556c544b8b2 and fixed in 5.4.285 with commit 5a24cedc243ace5ed7c1016f52a7bfc8f5b07815
 	Issue introduced in 5.10.214 with commit b4bbf38c350acb6500cbe667b1e2e68f896e4b38 and fixed in 5.10.227 with commit 557418e1704605a81c9e26732449f71b1d40ba1e
 	Issue introduced in 5.15.153 with commit d80fc436751cfa6b02a8eda74eb6cce7dadfe5a2 and fixed in 5.15.168 with commit bf090f4fe935294361eabd9dc5a949fdd77d3d1b
 	Issue introduced in 6.1.83 with commit 745003b5917b610352f52fe0d11ef658d6471ec2 and fixed in 6.1.113 with commit b040b71d99ee5e17bb7a743dc01cbfcae8908ce1
 	Issue introduced in 6.6.23 with commit 4bfd20d5f5c62b5495d6c0016ee6933bd3add7ce and fixed in 6.6.54 with commit 84398204c5df5aaf89453056cf0647cda9664d2b
 	Issue introduced in 6.9 with commit 205c50306acf58a335eb19fa84e40140f4fe814f and fixed in 6.10.13 with commit 2f944e6255c2fc1c9bd9ee32f6b14ee0b2a51eb5
 	Issue introduced in 6.9 with commit 205c50306acf58a335eb19fa84e40140f4fe814f and fixed in 6.11.2 with commit 79510414a7626317f13cc9073244ab7a8deb3192
 	Issue introduced in 6.9 with commit 205c50306acf58a335eb19fa84e40140f4fe814f and fixed in 6.12 with commit 6d7c6ae1efb1ff68bc01d79d94fdf0388f86cdd8
 	Issue introduced in 6.7.11 with commit 5800ec78775c0cd646f71eb9bf8402fb794807de
 	Issue introduced in 6.8.2 with commit dd50d3ead6e3707bb0a5df7cc832730c93ace3a7

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-47712
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/net/wireless/microchip/wilc1000/hif.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/5a24cedc243ace5ed7c1016f52a7bfc8f5b07815
 	https://git.kernel.org/stable/c/557418e1704605a81c9e26732449f71b1d40ba1e
 	https://git.kernel.org/stable/c/bf090f4fe935294361eabd9dc5a949fdd77d3d1b
 	https://git.kernel.org/stable/c/b040b71d99ee5e17bb7a743dc01cbfcae8908ce1
 	https://git.kernel.org/stable/c/84398204c5df5aaf89453056cf0647cda9664d2b
 	https://git.kernel.org/stable/c/2f944e6255c2fc1c9bd9ee32f6b14ee0b2a51eb5
 	https://git.kernel.org/stable/c/79510414a7626317f13cc9073244ab7a8deb3192
 	https://git.kernel.org/stable/c/6d7c6ae1efb1ff68bc01d79d94fdf0388f86cdd8
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-47712: wifi: wilc1000: fix potential RCU dereference issue in wilc_parse_join_bss_param

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	wifi: wilc1000: fix potential RCU dereference issue in wilc_parse_join_bss_param

	In the `wilc_parse_join_bss_param` function, the TSF field of the `ies`
	structure is accessed after the RCU read-side critical section is
	unlocked. According to RCU usage rules, this is illegal. Reusing this
	pointer can lead to unpredictable behavior, including accessing memory
	that has been updated or causing use-after-free issues.

	This possible bug was identified using a static analysis tool developed
	by myself, specifically designed to detect RCU-related issues.

	To address this, the TSF value is now stored in a local variable
	`ies_tsf` before the RCU lock is released. The `param->tsf_lo` field is
	then assigned using this local variable, ensuring that the TSF value is
	safely accessed.

	The Linux kernel CVE team has assigned CVE-2024-47712 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.4.273 with commit e556006de4ea93abe2b46cba202a2556c544b8b2 and fixed in 5.4.285 with commit 5a24cedc243ace5ed7c1016f52a7bfc8f5b07815
	Issue introduced in 5.10.214 with commit b4bbf38c350acb6500cbe667b1e2e68f896e4b38 and fixed in 5.10.227 with commit 557418e1704605a81c9e26732449f71b1d40ba1e
	Issue introduced in 5.15.153 with commit d80fc436751cfa6b02a8eda74eb6cce7dadfe5a2 and fixed in 5.15.168 with commit bf090f4fe935294361eabd9dc5a949fdd77d3d1b
	Issue introduced in 6.1.83 with commit 745003b5917b610352f52fe0d11ef658d6471ec2 and fixed in 6.1.113 with commit b040b71d99ee5e17bb7a743dc01cbfcae8908ce1
	Issue introduced in 6.6.23 with commit 4bfd20d5f5c62b5495d6c0016ee6933bd3add7ce and fixed in 6.6.54 with commit 84398204c5df5aaf89453056cf0647cda9664d2b
	Issue introduced in 6.9 with commit 205c50306acf58a335eb19fa84e40140f4fe814f and fixed in 6.10.13 with commit 2f944e6255c2fc1c9bd9ee32f6b14ee0b2a51eb5
	Issue introduced in 6.9 with commit 205c50306acf58a335eb19fa84e40140f4fe814f and fixed in 6.11.2 with commit 79510414a7626317f13cc9073244ab7a8deb3192
	Issue introduced in 6.9 with commit 205c50306acf58a335eb19fa84e40140f4fe814f and fixed in 6.12 with commit 6d7c6ae1efb1ff68bc01d79d94fdf0388f86cdd8
	Issue introduced in 6.7.11 with commit 5800ec78775c0cd646f71eb9bf8402fb794807de
	Issue introduced in 6.8.2 with commit dd50d3ead6e3707bb0a5df7cc832730c93ace3a7

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-47712
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/net/wireless/microchip/wilc1000/hif.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/5a24cedc243ace5ed7c1016f52a7bfc8f5b07815
	https://git.kernel.org/stable/c/557418e1704605a81c9e26732449f71b1d40ba1e
	https://git.kernel.org/stable/c/bf090f4fe935294361eabd9dc5a949fdd77d3d1b
	https://git.kernel.org/stable/c/b040b71d99ee5e17bb7a743dc01cbfcae8908ce1
	https://git.kernel.org/stable/c/84398204c5df5aaf89453056cf0647cda9664d2b
	https://git.kernel.org/stable/c/2f944e6255c2fc1c9bd9ee32f6b14ee0b2a51eb5
	https://git.kernel.org/stable/c/79510414a7626317f13cc9073244ab7a8deb3192
	https://git.kernel.org/stable/c/6d7c6ae1efb1ff68bc01d79d94fdf0388f86cdd8