CVE-2024-35811

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach<br /> <br /> This is the candidate patch of CVE-2023-47233 :<br /> https://nvd.nist.gov/vuln/detail/CVE-2023-47233<br /> <br /> In brcm80211 driver,it starts with the following invoking chain<br /> to start init a timeout worker:<br /> <br /> -&gt;brcmf_usb_probe<br /> -&gt;brcmf_usb_probe_cb<br /> -&gt;brcmf_attach<br /> -&gt;brcmf_bus_started<br /> -&gt;brcmf_cfg80211_attach<br /> -&gt;wl_init_priv<br /> -&gt;brcmf_init_escan<br /> -&gt;INIT_WORK(&amp;cfg-&gt;escan_timeout_work,<br /> brcmf_cfg80211_escan_timeout_worker);<br /> <br /> If we disconnect the USB by hotplug, it will call<br /> brcmf_usb_disconnect to make cleanup. The invoking chain is :<br /> <br /> brcmf_usb_disconnect<br /> -&gt;brcmf_usb_disconnect_cb<br /> -&gt;brcmf_detach<br /> -&gt;brcmf_cfg80211_detach<br /> -&gt;kfree(cfg);<br /> <br /> While the timeout woker may still be running. This will cause<br /> a use-after-free bug on cfg in brcmf_cfg80211_escan_timeout_worker.<br /> <br /> Fix it by deleting the timer and canceling the worker in<br /> brcmf_cfg80211_detach.<br /> <br /> [arend.vanspriel@broadcom.com: keep timer delete as is and cancel work just before free]