CVE-2022-50716

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: ar5523: Fix use-after-free on ar5523_cmd() timed out<br /> <br /> syzkaller reported use-after-free with the stack trace like below [1]:<br /> <br /> [ 38.960489][ C3] ==================================================================<br /> [ 38.963216][ C3] BUG: KASAN: use-after-free in ar5523_cmd_tx_cb+0x220/0x240<br /> [ 38.964950][ C3] Read of size 8 at addr ffff888048e03450 by task swapper/3/0<br /> [ 38.966363][ C3]<br /> [ 38.967053][ C3] CPU: 3 PID: 0 Comm: swapper/3 Not tainted 6.0.0-09039-ga6afa4199d3d-dirty #18<br /> [ 38.968464][ C3] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-1.fc36 04/01/2014<br /> [ 38.969959][ C3] Call Trace:<br /> [ 38.970841][ C3] <br /> [ 38.971663][ C3] dump_stack_lvl+0xfc/0x174<br /> [ 38.972620][ C3] print_report.cold+0x2c3/0x752<br /> [ 38.973626][ C3] ? ar5523_cmd_tx_cb+0x220/0x240<br /> [ 38.974644][ C3] kasan_report+0xb1/0x1d0<br /> [ 38.975720][ C3] ? ar5523_cmd_tx_cb+0x220/0x240<br /> [ 38.976831][ C3] ar5523_cmd_tx_cb+0x220/0x240<br /> [ 38.978412][ C3] __usb_hcd_giveback_urb+0x353/0x5b0<br /> [ 38.979755][ C3] usb_hcd_giveback_urb+0x385/0x430<br /> [ 38.981266][ C3] dummy_timer+0x140c/0x34e0<br /> [ 38.982925][ C3] ? notifier_call_chain+0xb5/0x1e0<br /> [ 38.984761][ C3] ? rcu_read_lock_sched_held+0xb/0x60<br /> [ 38.986242][ C3] ? lock_release+0x51c/0x790<br /> [ 38.987323][ C3] ? _raw_read_unlock_irqrestore+0x37/0x70<br /> [ 38.988483][ C3] ? __wake_up_common_lock+0xde/0x130<br /> [ 38.989621][ C3] ? reacquire_held_locks+0x4a0/0x4a0<br /> [ 38.990777][ C3] ? lock_acquire+0x472/0x550<br /> [ 38.991919][ C3] ? rcu_read_lock_sched_held+0xb/0x60<br /> [ 38.993138][ C3] ? lock_acquire+0x472/0x550<br /> [ 38.994890][ C3] ? dummy_urb_enqueue+0x860/0x860<br /> [ 38.996266][ C3] ? do_raw_spin_unlock+0x16f/0x230<br /> [ 38.997670][ C3] ? dummy_urb_enqueue+0x860/0x860<br /> [ 38.999116][ C3] call_timer_fn+0x1a0/0x6a0<br /> [ 39.000668][ C3] ? add_timer_on+0x4a0/0x4a0<br /> [ 39.002137][ C3] ? reacquire_held_locks+0x4a0/0x4a0<br /> [ 39.003809][ C3] ? __next_timer_interrupt+0x226/0x2a0<br /> [ 39.005509][ C3] __run_timers.part.0+0x69a/0xac0<br /> [ 39.007025][ C3] ? dummy_urb_enqueue+0x860/0x860<br /> [ 39.008716][ C3] ? call_timer_fn+0x6a0/0x6a0<br /> [ 39.010254][ C3] ? cpuacct_percpu_seq_show+0x10/0x10<br /> [ 39.011795][ C3] ? kvm_sched_clock_read+0x14/0x40<br /> [ 39.013277][ C3] ? sched_clock_cpu+0x69/0x2b0<br /> [ 39.014724][ C3] run_timer_softirq+0xb6/0x1d0<br /> [ 39.016196][ C3] __do_softirq+0x1d2/0x9be<br /> [ 39.017616][ C3] __irq_exit_rcu+0xeb/0x190<br /> [ 39.019004][ C3] irq_exit_rcu+0x5/0x20<br /> [ 39.020361][ C3] sysvec_apic_timer_interrupt+0x8f/0xb0<br /> [ 39.021965][ C3] <br /> [ 39.023237][ C3] <br /> <br /> In ar5523_probe(), ar5523_host_available() calls ar5523_cmd() as below<br /> (there are other functions which finally call ar5523_cmd()):<br /> <br /> ar5523_probe()<br /> -&gt; ar5523_host_available()<br /> -&gt; ar5523_cmd_read()<br /> -&gt; ar5523_cmd()<br /> <br /> If ar5523_cmd() timed out, then ar5523_host_available() failed and<br /> ar5523_probe() freed the device structure. So, ar5523_cmd_tx_cb()<br /> might touch the freed structure.<br /> <br /> This patch fixes this issue by canceling in-flight tx cmd if submitted<br /> urb timed out.