mirror of
https://github.com/CVEProject/cvelist.git
synced 2025-07-29 05:56:59 +00:00
113 lines
7.7 KiB
JSON
113 lines
7.7 KiB
JSON
{
|
|
"data_version": "4.0",
|
|
"data_type": "CVE",
|
|
"data_format": "MITRE",
|
|
"CVE_data_meta": {
|
|
"ID": "CVE-2024-56541",
|
|
"ASSIGNER": "cve@kernel.org",
|
|
"STATE": "PUBLIC"
|
|
},
|
|
"description": {
|
|
"description_data": [
|
|
{
|
|
"lang": "eng",
|
|
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: fix use-after-free in ath12k_dp_cc_cleanup()\n\nDuring ath12k module removal, in ath12k_core_deinit(),\nath12k_mac_destroy() un-registers ah->hw from mac80211 and frees\nthe ah->hw as well as all the ar's in it. After this\nath12k_core_soc_destroy()-> ath12k_dp_free()-> ath12k_dp_cc_cleanup()\ntries to access one of the freed ar's from pending skb.\n\nThis is because during mac destroy, driver failed to flush few\ndata packets, which were accessed later in ath12k_dp_cc_cleanup()\nand freed, but using ar from the packet led to this use-after-free.\n\nBUG: KASAN: use-after-free in ath12k_dp_cc_cleanup.part.0+0x5e2/0xd40 [ath12k]\nWrite of size 4 at addr ffff888150bd3514 by task modprobe/8926\nCPU: 0 UID: 0 PID: 8926 Comm: modprobe Not tainted\n6.11.0-rc2-wt-ath+ #1746\nHardware name: Intel(R) Client Systems NUC8i7HVK/NUC8i7HVB, BIOS\nHNKBLi70.86A.0067.2021.0528.1339 05/28/2021\n\nCall Trace:\n <TASK>\n dump_stack_lvl+0x7d/0xe0\n print_address_description.constprop.0+0x33/0x3a0\n print_report+0xb5/0x260\n ? kasan_addr_to_slab+0x24/0x80\n kasan_report+0xd8/0x110\n ? ath12k_dp_cc_cleanup.part.0+0x5e2/0xd40 [ath12k]\n ? ath12k_dp_cc_cleanup.part.0+0x5e2/0xd40 [ath12k]\n kasan_check_range+0xf3/0x1a0\n __kasan_check_write+0x14/0x20\n ath12k_dp_cc_cleanup.part.0+0x5e2/0xd40 [ath12k]\n ath12k_dp_free+0x178/0x420 [ath12k]\n ath12k_core_stop+0x176/0x200 [ath12k]\n ath12k_core_deinit+0x13f/0x210 [ath12k]\n ath12k_pci_remove+0xad/0x1c0 [ath12k]\n pci_device_remove+0x9b/0x1b0\n device_remove+0xbf/0x150\n device_release_driver_internal+0x3c3/0x580\n ? __kasan_check_read+0x11/0x20\n driver_detach+0xc4/0x190\n bus_remove_driver+0x130/0x2a0\n driver_unregister+0x68/0x90\n pci_unregister_driver+0x24/0x240\n ? find_module_all+0x13e/0x1e0\n ath12k_pci_exit+0x10/0x20 [ath12k]\n __do_sys_delete_module+0x32c/0x580\n ? module_flags+0x2f0/0x2f0\n ? kmem_cache_free+0xf0/0x410\n ? __fput+0x56f/0xab0\n ? __fput+0x56f/0xab0\n ? debug_smp_processor_id+0x17/0x20\n __x64_sys_delete_module+0x4f/0x70\n x64_sys_call+0x522/0x9f0\n do_syscall_64+0x64/0x130\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\nRIP: 0033:0x7f8182c6ac8b\n\nCommit 24de1b7b231c (\"wifi: ath12k: fix flush failure in recovery\nscenarios\") added the change to decrement the pending packets count\nin case of recovery which make sense as ah->hw as well all\nar's in it are intact during recovery, but during core deinit there\nis no use in decrementing packets count or waking up the empty waitq\nas the module is going to be removed also ar's from pending skb's\ncan't be used and the packets should just be released back.\n\nTo fix this, avoid accessing ar from skb->cb when driver is being\nunregistered.\n\nTested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.1.1-00214-QCAHKSWPL_SILICONZ-1\nTested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3"
|
|
}
|
|
]
|
|
},
|
|
"problemtype": {
|
|
"problemtype_data": [
|
|
{
|
|
"description": [
|
|
{
|
|
"lang": "eng",
|
|
"value": "n/a"
|
|
}
|
|
]
|
|
}
|
|
]
|
|
},
|
|
"affects": {
|
|
"vendor": {
|
|
"vendor_data": [
|
|
{
|
|
"vendor_name": "Linux",
|
|
"product": {
|
|
"product_data": [
|
|
{
|
|
"product_name": "Linux",
|
|
"version": {
|
|
"version_data": [
|
|
{
|
|
"version_affected": "<",
|
|
"version_name": "24de1b7b231cf01d08d12db26e66b0c46253a7da",
|
|
"version_value": "e5e15c8b42923bfb6c84d3d906a9965d9a0f111d"
|
|
},
|
|
{
|
|
"version_value": "not down converted",
|
|
"x_cve_json_5_version_data": {
|
|
"versions": [
|
|
{
|
|
"version": "6.10",
|
|
"status": "affected"
|
|
},
|
|
{
|
|
"version": "0",
|
|
"lessThan": "6.10",
|
|
"status": "unaffected",
|
|
"versionType": "semver"
|
|
},
|
|
{
|
|
"version": "6.11.11",
|
|
"lessThanOrEqual": "6.11.*",
|
|
"status": "unaffected",
|
|
"versionType": "semver"
|
|
},
|
|
{
|
|
"version": "6.12.2",
|
|
"lessThanOrEqual": "6.12.*",
|
|
"status": "unaffected",
|
|
"versionType": "semver"
|
|
},
|
|
{
|
|
"version": "6.13-rc1",
|
|
"lessThanOrEqual": "*",
|
|
"status": "unaffected",
|
|
"versionType": "original_commit_for_fix"
|
|
}
|
|
],
|
|
"defaultStatus": "affected"
|
|
}
|
|
}
|
|
]
|
|
}
|
|
}
|
|
]
|
|
}
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"references": {
|
|
"reference_data": [
|
|
{
|
|
"url": "https://git.kernel.org/stable/c/e5e15c8b42923bfb6c84d3d906a9965d9a0f111d",
|
|
"refsource": "MISC",
|
|
"name": "https://git.kernel.org/stable/c/e5e15c8b42923bfb6c84d3d906a9965d9a0f111d"
|
|
},
|
|
{
|
|
"url": "https://git.kernel.org/stable/c/35be5018a2a4d1b07bdfcf957c81121d22d16355",
|
|
"refsource": "MISC",
|
|
"name": "https://git.kernel.org/stable/c/35be5018a2a4d1b07bdfcf957c81121d22d16355"
|
|
},
|
|
{
|
|
"url": "https://git.kernel.org/stable/c/bdb281103373fd80eb5c91cede1e115ba270b4e9",
|
|
"refsource": "MISC",
|
|
"name": "https://git.kernel.org/stable/c/bdb281103373fd80eb5c91cede1e115ba270b4e9"
|
|
}
|
|
]
|
|
},
|
|
"generator": {
|
|
"engine": "bippy-5f407fcff5a0"
|
|
}
|
|
} |