CVE-2022-50881
Severity:
Pending analysis
Type:
Not available / Other type
Publication date:
30/12/2025
Last modified:
31/12/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

wifi: ath9k: Fix use-after-free in ath9k_hif_usb_disconnect()

This patch fixes a use-after-free in ath9k that occurs in
ath9k_hif_usb_disconnect() when ath9k_destroy_wmi() is trying to access
'drv_priv' that has already been freed by ieee80211_free_hw(), called by
ath9k_htc_hw_deinit(). The patch moves ath9k_destroy_wmi() before
ieee80211_free_hw(). Note that urbs from the driver should be killed
before freeing 'wmi' with ath9k_destroy_wmi() as their callbacks will
access 'wmi'.

Found by a modified version of syzkaller.

==================================================================
BUG: KASAN: use-after-free in ath9k_destroy_wmi+0x38/0x40
Read of size 8 at addr ffff8881069132a0 by task kworker/0:1/7

CPU: 0 PID: 7 Comm: kworker/0:1 Tainted: G O 5.14.0+ #131
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
Workqueue: usb_hub_wq hub_event
Call Trace:
dump_stack_lvl+0x8e/0xd1
print_address_description.constprop.0.cold+0x93/0x334
? ath9k_destroy_wmi+0x38/0x40
? ath9k_destroy_wmi+0x38/0x40
kasan_report.cold+0x83/0xdf
? ath9k_destroy_wmi+0x38/0x40
ath9k_destroy_wmi+0x38/0x40
ath9k_hif_usb_disconnect+0x329/0x3f0
? ath9k_hif_usb_suspend+0x120/0x120
? usb_disable_interface+0xfc/0x180
usb_unbind_interface+0x19b/0x7e0
? usb_autoresume_device+0x50/0x50
device_release_driver_internal+0x44d/0x520
bus_remove_device+0x2e5/0x5a0
device_del+0x5b2/0xe30
? __device_link_del+0x370/0x370
? usb_remove_ep_devs+0x43/0x80
? remove_intf_ep_devs+0x112/0x1a0
usb_disable_device+0x1e3/0x5a0
usb_disconnect+0x267/0x870
hub_event+0x168d/0x3950
? rcu_read_lock_sched_held+0xa1/0xd0
? hub_port_debounce+0x2e0/0x2e0
? check_irq_usage+0x860/0xf20
? drain_workqueue+0x281/0x360
? lock_release+0x640/0x640
? rcu_read_lock_sched_held+0xa1/0xd0
? rcu_read_lock_bh_held+0xb0/0xb0
? lockdep_hardirqs_on_prepare+0x273/0x3e0
process_one_work+0x92b/0x1460
? pwq_dec_nr_in_flight+0x330/0x330
? rwlock_bug.part.0+0x90/0x90
worker_thread+0x95/0xe00
? __kthread_parkme+0x115/0x1e0
? process_one_work+0x1460/0x1460
kthread+0x3a1/0x480
? set_kthread_struct+0x120/0x120
ret_from_fork+0x1f/0x30

The buggy address belongs to the page:
page:ffffea00041a44c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106913
flags: 0x200000000000000(node=0|zone=2)
raw: 0200000000000000 0000000000000000 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x40dc0(GFP_KERNEL|__GFP_COMP|__GFP_ZERO), pid 7, ts 38347963444, free_ts 41399957635
prep_new_page+0x1aa/0x240
get_page_from_freelist+0x159a/0x27c0
__alloc_pages+0x2da/0x6a0
alloc_pages+0xec/0x1e0
kmalloc_order+0x39/0xf0
kmalloc_order_trace+0x19/0x120
__kmalloc+0x308/0x390
wiphy_new_nm+0x6f5/0x1dd0
ieee80211_alloc_hw_nm+0x36d/0x2230
ath9k_htc_probe_device+0x9d/0x1e10
ath9k_htc_hw_init+0x34/0x50
ath9k_hif_usb_firmware_cb+0x25f/0x4e0
request_firmware_work_func+0x131/0x240
process_one_work+0x92b/0x1460
worker_thread+0x95/0xe00
kthread+0x3a1/0x480
page last free stack trace:
free_pcp_prepare+0x3d3/0x7f0
free_unref_page+0x1e/0x3d0
device_release+0xa4/0x240
kobject_put+0x186/0x4c0
put_device+0x20/0x30
ath9k_htc_disconnect_device+0x1cf/0x2c0
ath9k_htc_hw_deinit+0x26/0x30
ath9k_hif_usb_disconnect+0x2d9/0x3f0
usb_unbind_interface+0x19b/0x7e0
device_release_driver_internal+0x44d/0x520
bus_remove_device+0x2e5/0x5a0
device_del+0x5b2/0xe30
usb_disable_device+0x1e3/0x5a0
usb_disconnect+0x267/0x870
hub_event+0x168d/0x3950
process_one_work+0x92b/0x1460

Memory state around the buggy address:
ffff888106913180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff888106913200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff888
---truncated---
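The teardown ordering described above, modelled as an added C example that is not kernel code: the `_m` functions, `disconnect()`, `make_device()` and the `live` flags are constructed stand-ins for the real ath9k routines, and a read of freed state is counted (as KASAN would report it) rather than performed.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Toy model of the ath9k HTC USB teardown order (illustration only). Each
 * object carries a "live" flag so a read of freed state is counted, not done. */
struct wmi { bool live; };
struct ath9k_htc_priv { struct wmi *wmi; bool live; };  /* hw->priv = drv_priv */
struct hif_device {
    struct ath9k_htc_priv *drv_priv;
    int urbs_in_flight;            /* URBs whose completion callbacks use wmi */
};

static int bad_accesses;           /* reads of freed state in one teardown */

/* ieee80211_free_hw(): in the kernel the memory goes back to the allocator */
static void ieee80211_free_hw_m(struct ath9k_htc_priv *p) { p->live = false; }

static void ath9k_destroy_wmi_m(struct ath9k_htc_priv *priv)
{
    if (!priv->live) { bad_accesses++; return; }   /* the reported UAF */
    priv->wmi->live = false;
}

static void urb_callbacks_m(struct hif_device *dev)
{
    for (; dev->urbs_in_flight > 0; dev->urbs_in_flight--)
        if (!dev->drv_priv->live || !dev->drv_priv->wmi->live)
            bad_accesses++;        /* late completion touching torn-down wmi */
}

/* Model of ath9k_hif_usb_disconnect(); returns the number of bad accesses. */
int disconnect(struct hif_device *dev, bool kill_urbs_first, bool fixed_order)
{
    bad_accesses = 0;
    if (kill_urbs_first) dev->urbs_in_flight = 0;   /* usb_kill_urb() step */
    if (fixed_order) {
        ath9k_destroy_wmi_m(dev->drv_priv);  /* now runs before free_hw */
        ieee80211_free_hw_m(dev->drv_priv);  /* via ath9k_htc_hw_deinit() */
    } else {
        ieee80211_free_hw_m(dev->drv_priv);  /* frees drv_priv ... */
        ath9k_destroy_wmi_m(dev->drv_priv);  /* ... then reads it */
    }
    urb_callbacks_m(dev);                    /* anything still in flight */
    return bad_accesses;
}

struct hif_device *make_device(int urbs)     /* constructed test fixture */
{
    struct hif_device *dev = calloc(1, sizeof *dev);
    dev->drv_priv = calloc(1, sizeof *dev->drv_priv);
    dev->drv_priv->wmi = calloc(1, sizeof *dev->drv_priv->wmi);
    dev->drv_priv->live = dev->drv_priv->wmi->live = true;
    dev->urbs_in_flight = urbs;
    return dev;
}
```

The three orderings to compare are the original (free_hw then destroy_wmi), the patched one, and the patched one with URBs left in flight, which the commit message warns about.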
Impact
References to solutions, tools and information
- https://git.kernel.org/stable/c/1f137c634a8c8faba648574f687805641e62f92e
- https://git.kernel.org/stable/c/634a5471a6bd774c0d0fa448dfa6ec593e899ec9
- https://git.kernel.org/stable/c/99ff971b62e5bd5dee65bbe9777375206f5db791
- https://git.kernel.org/stable/c/de15e8bbd9eb26fe94a06d0ec7be82dc490eb729
- https://git.kernel.org/stable/c/f099c5c9e2ba08a379bd354a82e05ef839ae29ac