~vicamo/hwe-next/+git/intermediate-kernel:CVE-2022-1679/ath9k-use-after-free/unstable

Last commit made on 2022-07-29
Get this branch:
git clone -b CVE-2022-1679/ath9k-use-after-free/unstable https://git.launchpad.net/~vicamo/hwe-next/+git/intermediate-kernel

Branch information

Name:
CVE-2022-1679/ath9k-use-after-free/unstable
Repository:
lp:~vicamo/hwe-next/+git/intermediate-kernel

Recent commits

5c10f98... by Pavel Skripkin <email address hidden>

ath9k: fix use-after-free in ath9k_hif_usb_rx_cb

Syzbot reported use-after-free Read in ath9k_hif_usb_rx_cb() [0]. The
problem was in incorrect htc_handle->drv_priv initialization.

Probable call trace which can trigger use-after-free:

ath9k_htc_probe_device()
  /* htc_handle->drv_priv = priv; */
  ath9k_htc_wait_for_target() <--- Failed
  ieee80211_free_hw() <--- priv pointer is freed

<IRQ>
...
ath9k_hif_usb_rx_cb()
  ath9k_hif_usb_rx_stream()
   RX_STAT_INC() <--- htc_handle->drv_priv access

In order to not add fancy protection for drv_priv we can move
htc_handle->drv_priv initialization to the end of
ath9k_htc_probe_device() and add a helper macro to make
all *_STAT_* macros NULL safe, since syzbot has reported a related NULL
deref in those macros [1].

Link: https://syzkaller.appspot.com/bug?id=6ead44e37afb6866ac0c7dd121b4ce07cb665f60 [0]
Link: https://syzkaller.appspot.com/bug?id=b8101ffcec107c0567a0cd8acbbacec91e9ee8de [1]
Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.")
Reported-and-tested-by: <email address hidden>
Reported-and-tested-by: <email address hidden>
Signed-off-by: Pavel Skripkin <email address hidden>
Acked-by: Toke Høiland-Jørgensen <email address hidden>
Signed-off-by: Kalle Valo <email address hidden>
Link: https://lore.kernel.org/r/d57bbedc857950659bfacac0ab48790c1eda00c8<email address hidden>
(cherry picked from commit 0ac4827f78c7ffe8eef074bc010e7e34bc22f533 linux-next)
Signed-off-by: You-Sheng Yang (vicamo) <email address hidden>

4dc709b... by Andrea Righi

UBUNTU: Ubuntu-unstable-5.19.0-6.6

Signed-off-by: Andrea Righi <email address hidden>

24df60f... by Andrea Righi

UBUNTU: debian/dkms-versions -- update from kernel-versions (main/master)

BugLink: https://bugs.launchpad.net/bugs/1786013
Signed-off-by: Andrea Righi <email address hidden>

0d067b7... by Andrea Righi

UBUNTU: link-to-tracker: update tracking bug

BugLink: https://bugs.launchpad.net/bugs/1979948
Properties: no-test-build
Signed-off-by: Andrea Righi <email address hidden>

4b41d83... by Andrea Righi

UBUNTU: [Config] update config after rebase to 5.19-rc4

Signed-off-by: Andrea Righi <email address hidden>

1a5faf7... by Andrea Righi

UBUNTU: Rebase to v5.19-rc4

Ignore: yes
Signed-off-by: Andrea Righi <email address hidden>

c8c065d... by Andrea Righi

UBUNTU: Start new release

Ignore: yes
Signed-off-by: Andrea Righi <email address hidden>

a300ea5... by Juerg Haefliger

UBUNTU: [Packaging] final-checks: Remove useless sourcing of kernelconfig

kernelconfig only defines 'archs' but 'archs' is overwritten after the
fact, so remove the useless sourcing. While at it, remove a stray leading
space in the following line.

Signed-off-by: Juerg Haefliger <email address hidden>
Signed-off-by: Andrea Righi <email address hidden>

61f1414... by Juerg Haefliger

UBUNTU: [Packaging] Remove 'family=ubuntu' concept

With the removal of family=ports, all that's left is family=ubuntu, so hard-
code that and drop the 'family' script and Makefile variables.

No functional changes.

Signed-off-by: Juerg Haefliger <email address hidden>
Signed-off-by: Andrea Righi <email address hidden>

47f0fcc... by Andrea Righi

UBUNTU: Ubuntu-unstable-5.19.0-5.5

Signed-off-by: Andrea Righi <email address hidden>