CVE-2021-47479 staging: rtl8712: fix use-after-free in rtl8712_dl_fw

2024-05-2208:19:32

Linux

github.com

linux kernel

vulnerability resolved

race condition

use-after-free

rtl8712_dl_fw

driver access

firmware

unregister_netdev

cleanup resources.

6.9 Medium

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

15.6%

JSON

In the Linux kernel, the following vulnerability has been resolved:

staging: rtl8712: fix use-after-free in rtl8712_dl_fw

Syzbot reported use-after-free in rtl8712_dl_fw(). The problem was in
race condition between r871xu_dev_remove() ->ndo_open() callback.

It’s easy to see from crash log, that driver accesses released firmware
in ->ndo_open() callback. It may happen, since driver was releasing
firmware before unregistering netdev. Fix it by moving
unregister_netdev() before cleaning up resources.

Call Trace:
…
rtl871x_open_fw drivers/staging/rtl8712/hal_init.c:83 [inline]
rtl8712_dl_fw+0xd95/0xe10 drivers/staging/rtl8712/hal_init.c:170
rtl8712_hal_init drivers/staging/rtl8712/hal_init.c:330 [inline]
rtl871x_hal_init+0xae/0x180 drivers/staging/rtl8712/hal_init.c:394
netdev_open+0xe6/0x6c0 drivers/staging/rtl8712/os_intfs.c:380
__dev_open+0x2bc/0x4d0 net/core/dev.c:1484

Freed by task 1306:
…
release_firmware+0x1b/0x30 drivers/base/firmware_loader/main.c:1053
r871xu_dev_remove+0xcc/0x2c0 drivers/staging/rtl8712/usb_intf.c:599
usb_unbind_interface+0x1d8/0x8d0 drivers/usb/core/driver.c:458

CNA Affected

[
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "unaffected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "drivers/staging/rtl8712/usb_intf.c"
    ],
    "versions": [
      {
        "version": "8c213fa59199",
        "lessThan": "c430094541a8",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "8c213fa59199",
        "lessThan": "befd23bd3b17",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "8c213fa59199",
        "lessThan": "a65c9afe9f2f",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "8c213fa59199",
        "lessThan": "c052cc1a069c",
        "status": "affected",
        "versionType": "git"
      }
    ]
  },
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "affected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "drivers/staging/rtl8712/usb_intf.c"
    ],
    "versions": [
      {
        "version": "3.3",
        "status": "affected"
      },
      {
        "version": "0",
        "lessThan": "3.3",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.10.79",
        "lessThanOrEqual": "5.10.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.14.18",
        "lessThanOrEqual": "5.14.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.15.2",
        "lessThanOrEqual": "5.15.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.16",
        "lessThanOrEqual": "*",
        "status": "unaffected",
        "versionType": "original_commit_for_fix"
      }
    ]
  }
]