openwrt/package
Antonio Flores 5e769878ad mac80211: CVE-2024-46760: rtw88: schedule rx work after everything is set up
link: https://lore.kernel.org/all/2024091842-CVE-2024-46760-1eb3@gregkh
Description
===========

In the Linux kernel, the following vulnerability has been resolved:

wifi: rtw88: usb: schedule rx work after everything is set up

Right now it's possible to hit NULL pointer dereference in
rtw_rx_fill_rx_status on hw object and/or its fields because
initialization routine can start getting USB replies before
rtw_dev is fully setup.

The stack trace looks like this:

rtw_rx_fill_rx_status
rtw8821c_query_rx_desc
rtw_usb_rx_handler
...
queue_work
rtw_usb_read_port_complete
...
usb_submit_urb
rtw_usb_rx_resubmit
rtw_usb_init_rx
rtw_usb_probe

So while we do the async stuff rtw_usb_probe continues and calls
rtw_register_hw, which does all kinds of initialization (e.g.
via ieee80211_register_hw) that rtw_rx_fill_rx_status relies on.

Fix this by moving the first usb_submit_urb after everything
is set up.

For me, this bug manifested as:
[    8.893177] rtw_8821cu 1-1:1.2: band wrong, packet dropped
[    8.910904] rtw_8821cu 1-1:1.2: hw->conf.chandef.chan NULL in rtw_rx_fill_rx_status
because I'm using Larry's backport of rtw88 driver with the NULL
checks in rtw_rx_fill_rx_status.

The Linux kernel CVE team has assigned CVE-2024-46760 to this issue.

Affected and fixed versions
===========================

	Fixed in 6.6.51 with commit c83d464b82a8
	Fixed in 6.10.10 with commit 25eaef533bf3
	Fixed in 6.11 with commit adc539784c98

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-46760
will be updated if fixes are backported, please check that for the most
up to date information about this issue.

Affected files
==============

The file(s) affected by this issue are:
	drivers/net/wireless/realtek/rtw88/usb.c

Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/c83d464b82a8ad62ec9077637f75d73fe955635a
	https://git.kernel.org/stable/c/25eaef533bf3ccc6fee5067aac16f41f280e343e
	https://git.kernel.org/stable/c/adc539784c98a7cc602cbf557debfc2e7b9be8b3

Signed-off-by: Antonio Flores <antflores627@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/16420
Signed-off-by: Robert Marko <robimarko@gmail.com>
2024-09-21 13:28:30 +02:00
..
base-files base-files: fix merge of passwd/shadow/group lines with trailing colons 2024-08-29 21:07:15 +02:00
boot mediatek: add Adtran SmartRG SDG-8733A 2024-09-20 22:47:05 +01:00
devel trace-cmd: update to 3.3 2024-08-24 21:26:55 +02:00
firmware ipq-wifi: update to Git HEAD (2024-09-14) 2024-09-14 13:45:32 +02:00
kernel mac80211: CVE-2024-46760: rtw88: schedule rx work after everything is set up 2024-09-21 13:28:30 +02:00
libs openssl: update to 3.0.15 2024-09-06 23:44:56 +02:00
network packages: remove remnants of kernels below 6.6 2024-09-21 13:03:49 +02:00
system rpcd: update to git HEAD 2024-09-17 19:07:53 +01:00
utils ucode: another fix for host installation 2024-09-20 11:47:00 +02:00
Makefile sdk: fix APK key creation 2024-08-09 01:47:05 +02:00