Instituto Nacional de Ciberseguridad (INCIBE). INCIBE-CERT section

CVE-2023-53641

Severity:
Pending analysis
Type:
Not available / Other
Publication date:
07/10/2025
Last modified:
08/10/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

wifi: ath9k: hif_usb: fix memory leak of remain_skbs

hif_dev->remain_skb is allocated and used exclusively in ath9k_hif_usb_rx_stream(). It is implied that an allocated remain_skb is processed and subsequently freed (in error paths) only during the next call of ath9k_hif_usb_rx_stream().

So, if the urbs are deallocated between those two calls due to the device deinitialization or suspend, it is possible that ath9k_hif_usb_rx_stream() is not called next time and the allocated remain_skb is leaked. Our local Syzkaller instance was able to trigger that.

remain_skb makes sense when receiving two consecutive urbs which are logically linked together, i.e. a specific data field from the first skb indicates a cached skb to be allocated, memcpy'd with some data and subsequently processed in the next call to ath9k_hif_usb_rx_stream(). Urbs deallocation supposedly makes that link irrelevant so we need to free the cached skb in those cases.

Fix the leak by introducing a function to explicitly free remain_skb (if it is not NULL) when the rx urbs have been deallocated. remain_skb is NULL when it has not been allocated at all (hif_dev struct is kzalloced) or when it has been processed in next call to ath9k_hif_usb_rx_stream().

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
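The leak pattern described above, as an added user-space model that is not the kernel's code: a cached continuation buffer (`remain_skb`) that only the next call of the receive path would free, so tearing down the receive side in between leaks it unless the teardown path frees it explicitly. The struct and function names (`hif_dev`, `rx_stream`, `free_rx_remain_skb`, `leak_check`), the flag-byte framing and the sample urb are assumptions for the model.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the remain_skb pattern; an "skb" is a plain heap buffer. */
struct skb { size_t len; unsigned char data[64]; };

struct hif_dev {
    struct skb *remain_skb;   /* cached continuation buffer, NULL when none */
};

static int live_skbs;         /* outstanding allocations, for leak checking */

static struct skb *skb_alloc(void) { live_skbs++; return calloc(1, sizeof(struct skb)); }
static void skb_free(struct skb *s) { if (s) { live_skbs--; free(s); } }

/* One rx urb. A leading flag byte of 0x01 (assumed framing) means the frame
 * continues in the next urb, so its remainder is cached in remain_skb. */
void rx_stream(struct hif_dev *hif, const unsigned char *urb, size_t len)
{
    if (hif->remain_skb) {
        /* Second half arrived: the cached skb is consumed here (modelled as a free). */
        skb_free(hif->remain_skb);
        hif->remain_skb = NULL;
        return;
    }
    if (len > 1 && urb[0] == 0x01) {
        hif->remain_skb = skb_alloc();
        memcpy(hif->remain_skb->data, urb + 1, len - 1);
        hif->remain_skb->len = len - 1;
    }
}

/* The fix: called when the rx urbs are torn down (deinit/suspend), because
 * rx_stream() may never run again to consume the cached skb. */
void free_rx_remain_skb(struct hif_dev *hif)
{
    skb_free(hif->remain_skb);
    hif->remain_skb = NULL;
}

/* scenario 0: teardown without the fix; 1: teardown with the fix;
 * 2: the continuation urb arrives normally. Returns buffers still outstanding. */
int leak_check(int scenario)
{
    struct hif_dev hif = { .remain_skb = NULL };
    const unsigned char partial[] = { 0x01, 'a', 'b', 'c' };   /* constructed urb */
    const unsigned char rest[]    = { 0x00, 'd', 'e' };        /* constructed urb */
    live_skbs = 0;
    rx_stream(&hif, partial, sizeof partial);
    if (scenario == 1) free_rx_remain_skb(&hif);
    if (scenario == 2) rx_stream(&hif, rest, sizeof rest);
    return live_skbs;   /* 1 = leaked, 0 = freed */
}
```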

Impact