[PATCH] mwl8k: Fix UAF in mwl8k_fw_state_machine()

[PATCH] mwl8k: Fix UAF in mwl8k_fw_state_machine()

[Zheyu Ma]

When the driver fails to request the firmware, it calls its error
handler. In the error handler, the driver detaches device from driver
first before releasing the firmware, which can cause a UAF bug.

Fix this by releasing firmware first.

The following log reveals it:

[    9.007301 ] BUG: KASAN: use-after-free in mwl8k_fw_state_machine+0x320/0xba0
[    9.010143 ] Workqueue: events request_firmware_work_func
[    9.010830 ] Call Trace:
[    9.010830 ]  dump_stack_lvl+0xa8/0xd1
[    9.010830 ]  print_address_description+0x87/0x3b0
[    9.010830 ]  kasan_report+0x172/0x1c0
[    9.010830 ]  ? mutex_unlock+0xd/0x10
[    9.010830 ]  ? mwl8k_fw_state_machine+0x320/0xba0
[    9.010830 ]  ? mwl8k_fw_state_machine+0x320/0xba0
[    9.010830 ]  __asan_report_load8_noabort+0x14/0x20
[    9.010830 ]  mwl8k_fw_state_machine+0x320/0xba0
[    9.010830 ]  ? mwl8k_load_firmware+0x5f0/0x5f0
[    9.010830 ]  request_firmware_work_func+0x172/0x250
[    9.010830 ]  ? read_lock_is_recursive+0x20/0x20
[    9.010830 ]  ? process_one_work+0x7a1/0x1100
[    9.010830 ]  ? request_firmware_nowait+0x460/0x460
[    9.010830 ]  ? __this_cpu_preempt_check+0x13/0x20
[    9.010830 ]  process_one_work+0x9bb/0x1100

Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
---
 drivers/net/wireless/marvell/mwl8k.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/wireless/marvell/mwl8k.c b/drivers/net/wireless/marvell/mwl8k.c
index 3bf6571f4149..529e325498cd 100644
--- a/drivers/net/wireless/marvell/mwl8k.c
+++ b/drivers/net/wireless/marvell/mwl8k.c
@@ -5800,8 +5800,8 @@ static void mwl8k_fw_state_machine(const struct firmware *fw, void *context)
 fail:
 	priv->fw_state = FW_STATE_ERROR;
 	complete(&priv->firmware_loading_complete);
-	device_release_driver(&priv->pdev->dev);
 	mwl8k_release_firmware(priv);
+	device_release_driver(&priv->pdev->dev);
 }
 
 #define MAX_RESTART_ATTEMPTS 1
-- 
2.17.6

Re: mwl8k: Fix use-after-free in mwl8k_fw_state_machine()

[Kalle Valo]

Zheyu Ma <zheyuma97@gmail.com> wrote:

> When the driver fails to request the firmware, it calls its error
> handler. In the error handler, the driver detaches device from driver
> first before releasing the firmware, which can cause a use-after-free bug.
> 
> Fix this by releasing firmware first.
> 
> The following log reveals it:
> 
> [    9.007301 ] BUG: KASAN: use-after-free in mwl8k_fw_state_machine+0x320/0xba0
> [    9.010143 ] Workqueue: events request_firmware_work_func
> [    9.010830 ] Call Trace:
> [    9.010830 ]  dump_stack_lvl+0xa8/0xd1
> [    9.010830 ]  print_address_description+0x87/0x3b0
> [    9.010830 ]  kasan_report+0x172/0x1c0
> [    9.010830 ]  ? mutex_unlock+0xd/0x10
> [    9.010830 ]  ? mwl8k_fw_state_machine+0x320/0xba0
> [    9.010830 ]  ? mwl8k_fw_state_machine+0x320/0xba0
> [    9.010830 ]  __asan_report_load8_noabort+0x14/0x20
> [    9.010830 ]  mwl8k_fw_state_machine+0x320/0xba0
> [    9.010830 ]  ? mwl8k_load_firmware+0x5f0/0x5f0
> [    9.010830 ]  request_firmware_work_func+0x172/0x250
> [    9.010830 ]  ? read_lock_is_recursive+0x20/0x20
> [    9.010830 ]  ? process_one_work+0x7a1/0x1100
> [    9.010830 ]  ? request_firmware_nowait+0x460/0x460
> [    9.010830 ]  ? __this_cpu_preempt_check+0x13/0x20
> [    9.010830 ]  process_one_work+0x9bb/0x1100
> 
> Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>

Patch applied to wireless-drivers-next.git, thanks.

257051a235c1 mwl8k: Fix use-after-free in mwl8k_fw_state_machine()

-- 
https://patchwork.kernel.org/project/linux-wireless/patch/1634356979-6211-1-git-send-email-zheyuma97@gmail.com/

https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches