mac80211: CVE-2024-46760: rtw88: schedule rx work after everything is set up
link: https://lore.kernel.org/all/2024091842-CVE-2024-46760-1eb3@gregkh
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
wifi: rtw88: usb: schedule rx work after everything is set up
Right now it's possible to hit NULL pointer dereference in
rtw_rx_fill_rx_status on hw object and/or its fields because
initialization routine can start getting USB replies before
rtw_dev is fully setup.
The stack trace looks like this:
rtw_rx_fill_rx_status
rtw8821c_query_rx_desc
rtw_usb_rx_handler
...
queue_work
rtw_usb_read_port_complete
...
usb_submit_urb
rtw_usb_rx_resubmit
rtw_usb_init_rx
rtw_usb_probe
So while we do the async stuff rtw_usb_probe continues and calls
rtw_register_hw, which does all kinds of initialization (e.g.
via ieee80211_register_hw) that rtw_rx_fill_rx_status relies on.
Fix this by moving the first usb_submit_urb after everything
is set up.
For me, this bug manifested as:
[ 8.893177] rtw_8821cu 1-1:1.2: band wrong, packet dropped
[ 8.910904] rtw_8821cu 1-1:1.2: hw->conf.chandef.chan NULL in rtw_rx_fill_rx_status
because I'm using Larry's backport of rtw88 driver with the NULL
checks in rtw_rx_fill_rx_status.
The Linux kernel CVE team has assigned CVE-2024-46760 to this issue.
Affected and fixed versions
===========================
Fixed in 6.6.51 with commit
c83d464b82a8
Fixed in 6.10.10 with commit
25eaef533bf3
Fixed in 6.11 with commit
adc539784c98
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2024-46760
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
drivers/net/wireless/realtek/rtw88/usb.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/
c83d464b82a8ad62ec9077637f75d73fe955635a
https://git.kernel.org/stable/c/
25eaef533bf3ccc6fee5067aac16f41f280e343e
https://git.kernel.org/stable/c/
adc539784c98a7cc602cbf557debfc2e7b9be8b3
Signed-off-by: Antonio Flores <antflores627@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/16420
Signed-off-by: Robert Marko <robimarko@gmail.com>