CVE-2022-50880

Source
https://cve.org/CVERecord?id=CVE-2022-50880
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-50880.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-50880
Published
2025-12-30T12:23:19.551Z
Modified
2026-03-20T11:47:40.058099Z
Summary
wifi: ath10k: add peer map clean up for peer delete in ath10k_sta_state()
Details

In the Linux kernel, the following vulnerability has been resolved:

wifi: ath10k: add peer map clean up for peer delete in ath10k_sta_state()

When peer delete failed in a disconnect operation, a use-after-free is detected by KFENCE in the log below. It is because for each vdev_id and address, it has only one struct ath10k_peer, which is allocated in ath10k_peer_map_event(). When connected to an AP, it has more than one HTT_T2H_MSG_TYPE_PEER_MAP reported from firmware, then multiple elements of the array peer_map of struct ath10k will be set to the same ath10k_peer in ath10k_peer_map_event(). When peer delete failed in ath10k_sta_state(), the ath10k_peer will be freed for the 1st peer id in array peer_map of struct ath10k, and then a use-after-free happens for the 2nd peer id because they map to the same ath10k_peer.

And clean up all peers in array peer_map for the ath10k_peer, then the use-after-free disappears.

peer map event log:
[ 306.911021] wlan0: authenticate with b0:2a:43:e6:75:0e
[ 306.957187] ath10k_pci 0000:01:00.0: mac vdev 0 peer create b0:2a:43:e6:75:0e (new sta) sta 1 / 32 peer 1 / 33
[ 306.957395] ath10k_pci 0000:01:00.0: htt peer map vdev 0 peer b0:2a:43:e6:75:0e id 246
[ 306.957404] ath10k_pci 0000:01:00.0: htt peer map vdev 0 peer b0:2a:43:e6:75:0e id 198
[ 306.986924] ath10k_pci 0000:01:00.0: htt peer map vdev 0 peer b0:2a:43:e6:75:0e id 166

peer unmap event log:
[ 435.715691] wlan0: deauthenticating from b0:2a:43:e6:75:0e by local choice (Reason: 3=DEAUTH_LEAVING)
[ 435.716802] ath10k_pci 0000:01:00.0: mac vdev 0 peer delete b0:2a:43:e6:75:0e sta ffff990e0e9c2b50 (sta gone)
[ 435.717177] ath10k_pci 0000:01:00.0: htt peer unmap vdev 0 peer b0:2a:43:e6:75:0e id 246
[ 435.717186] ath10k_pci 0000:01:00.0: htt peer unmap vdev 0 peer b0:2a:43:e6:75:0e id 198
[ 435.717193] ath10k_pci 0000:01:00.0: htt peer unmap vdev 0 peer b0:2a:43:e6:75:0e id 166

use-after-free log:
[21705.888627] wlan0: deauthenticating from d0:76:8f:82:be:75 by local choice (Reason: 3=DEAUTH_LEAVING)
[21713.799910] ath10k_pci 0000:01:00.0: failed to delete peer d0:76:8f:82:be:75 for vdev 0: -110
[21713.799925] ath10k_pci 0000:01:00.0: found sta peer d0:76:8f:82:be:75 (ptr 0000000000000000 id 102) entry on vdev 0 after it was supposedly removed
[21713.799968] ==================================================================
[21713.799991] BUG: KFENCE: use-after-free read in ath10k_sta_state+0x265/0xb8a [ath10k_core]
[21713.799991]
[21713.799997] Use-after-free read at 0x00000000abe1c75e (in kfence-#69):
[21713.800010] ath10k_sta_state+0x265/0xb8a [ath10k_core]
[21713.800041] drv_sta_state+0x115/0x677 [mac80211]
[21713.800059] __sta_info_destroy_part2+0xb1/0x133 [mac80211]
[21713.800076] __sta_info_flush+0x11d/0x162 [mac80211]
[21713.800093] ieee80211_set_disassoc+0x12d/0x2f4 [mac80211]
[21713.800110] ieee80211_mgd_deauth+0x26c/0x29b [mac80211]
[21713.800137] cfg80211_mlme_deauth+0x13f/0x1bb [cfg80211]
[21713.800153] nl80211_deauthenticate+0xf8/0x121 [cfg80211]
[21713.800161] genl_rcv_msg+0x38e/0x3be
[21713.800166] netlink_rcv_skb+0x89/0xf7
[21713.800171] genl_rcv+0x28/0x36
[21713.800176] netlink_unicast+0x179/0x24b
[21713.800181] netlink_sendmsg+0x3a0/0x40e
[21713.800187] sock_sendmsg+0x72/0x76
[21713.800192] ____sys_sendmsg+0x16d/0x1e3
[21713.800196] ___sys_sendmsg+0x95/0xd1
[21713.800200] __sys_sendmsg+0x85/0xbf
[21713.800205] do_syscall_64+0x43/0x55
[21713.800210] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[21713.800213]
[21713.800219] kfence-#69: 0x000000009149b0d5-0x000000004c0697fb, size=1064, cache=kmalloc-2k
[21713.800219]
[21713.800224] allocated by task 13 on cpu 0 at 21705.501373s:
[21713.800241] ath10k_peer_map_event+0x7e/0x154 [ath10k_core]
[21713.800254] ath10k_htt_t2h_msg_handler+0x586/0x1039 [ath10k_core]
[21713.800265] ath10k_htt_htc_t2h_msg_handler+0x12/0x28 [ath10k_core]
[21713.800277] ath10k_htc_rx_completion_handler+0x14c/0x1b5 [ath10k_core]
[21713.800283] ath10k_pci_process_rx_cb+0x195/0x1d ---truncated---
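The aliasing the commit message describes, as an added model written for this page (not ath10k driver code): several peer_map slots point at one peer struct, the pre-fix delete path clears only the first id's slot, and the fix clears every slot that references the peer. PEER_MAP_SIZE, the struct layouts and the use of the three peer ids from the log above are assumptions of this model.

```c
#include <stddef.h>

#define PEER_MAP_SIZE 256   /* assumed size for this model, not the driver's */

struct peer { int vdev_id; };                           /* stands in for ath10k_peer */
struct ar   { struct peer *peer_map[PEER_MAP_SIZE]; };  /* indexed by HTT peer id */

/* Each HTT peer map event from firmware points one more slot at the same peer. */
static void peer_map_event(struct ar *ar, struct peer *peer, int peer_id)
{
    if (peer_id >= 0 && peer_id < PEER_MAP_SIZE)
        ar->peer_map[peer_id] = peer;
}

/* Slots still referencing `peer`: after the struct is freed, each one is a
 * dangling pointer that the next lookup by that id would dereference. */
static int count_refs(const struct ar *ar, const struct peer *peer)
{
    int n = 0;
    for (int i = 0; i < PEER_MAP_SIZE; i++)
        if (ar->peer_map[i] == peer)
            n++;
    return n;
}

/* Fix pattern: clear every aliasing slot before the peer struct is released. */
static int peer_map_cleanup(struct ar *ar, const struct peer *peer)
{
    int cleared = 0;
    for (int i = 0; i < PEER_MAP_SIZE; i++)
        if (ar->peer_map[i] == peer) {
            ar->peer_map[i] = NULL;
            cleared++;
        }
    return cleared;
}

/* Replays the log above: ids 246, 198 and 166 all map to one station peer,
 * then the delete path runs. Nothing is freed here; the return value is the
 * number of stale slots a later lookup would follow into freed memory. */
static int stale_refs_after_delete(int cleanup_all)
{
    static const int ids[] = { 246, 198, 166 };
    struct ar ar = { { NULL } };
    struct peer sta = { 0 };
    for (int i = 0; i < 3; i++)
        peer_map_event(&ar, &sta, ids[i]);
    if (cleanup_all)
        peer_map_cleanup(&ar, &sta);    /* post-fix: every alias cleared */
    else
        ar.peer_map[ids[0]] = NULL;     /* pre-fix: only the 1st peer id's slot */
    return count_refs(&ar, &sta);
}
```

With the pre-fix path two slots (ids 198 and 166) still reference the released peer, which is exactly the second-id dereference KFENCE caught; with the cleanup none remain.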

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/50xxx/CVE-2022-50880.json",
    "cna_assigner": "Linux"
}
Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced: d0eeafad118940fe445ca00f45be5624fea2ec34
Fixed: 15604ab67179ae27ea3c7fb24b6df32b143257c4
Fixed: 2d6259715c9597a6cfa25db8911683eb0073b1c6
Fixed: f12fc305c127bd07bb50373e29c6037696f916a8
Fixed: 4494ec1c0bb850eaa80fed98e5b041d961011d3e
Fixed: 08faf07717be0c88b02b5aa45aad2225dfcdd2dc
Fixed: 54a3201f3c1ff813523937da78b5fa7649dbab71
Fixed: 2bf916418d2141b810c40812433ab4ecfd3c2934
Fixed: 38245f2d62cd4d1f38a763a7b4045ab4565b30a0
Fixed: f020d9570a04df0762a2ac5c50cf1d8c511c9164

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-50880.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type: ECOSYSTEM, Introduced: 4.8.0, Fixed: 4.9.331
Type: ECOSYSTEM, Introduced: 4.10.0, Fixed: 4.14.296
Type: ECOSYSTEM, Introduced: 4.15.0, Fixed: 4.19.262
Type: ECOSYSTEM, Introduced: 4.20.0, Fixed: 5.4.220
Type: ECOSYSTEM, Introduced: 5.5.0, Fixed: 5.10.150
Type: ECOSYSTEM, Introduced: 5.11.0, Fixed: 5.15.75
Type: ECOSYSTEM, Introduced: 5.16.0, Fixed: 5.19.17
Type: ECOSYSTEM, Introduced: 5.20.0, Fixed: 6.0.3
