CVE-2024-35811: Mitigating the Use-After-Free Bug in Linux Kernel's brcmfmac Driver

Published on: 09-12-2024 By Soc Team

The Linux kernel is a critical component of countless systems and devices, forming the backbone of many networked environments. Recently, a significant vulnerability identified as CVE-2024-35811 has been addressed in the Linux kernel. This vulnerability, pertaining to the brcmfmac driver, could result in a potentially dangerous use-after-free bug.

Understanding CVE-2024-35811

This vulnerability impacts the brcmfmac driver in the Linux kernel. It arises due to improper handling of a timeout worker during the USB hotplug disconnect process. Here’s a brief overview:

  • Initialization Chain: The probe path sets the stage. A chain of nested calls ends by initializing the escan timeout worker:
    brcmf_usb_probe
    brcmf_usb_probe_cb
    brcmf_attach
    brcmf_bus_started
    brcmf_cfg80211_attach
    wl_init_priv
    brcmf_init_escan
    INIT_WORK(&cfg->escan_timeout_work, brcmf_cfg80211_escan_timeout_worker)

If the USB disconnect occurs via hotplug, the cleanup path runs the following chain:

  • Cleanup Chain:
    brcmf_usb_disconnect
    brcmf_usb_disconnect_cb
    brcmf_detach
    brcmf_cfg80211_detach
    kfree(cfg);

The issue here is that the timeout worker might still be running during the cleanup phase, causing a use-after-free bug on cfg in the brcmf_cfg80211_escan_timeout_worker function.

Mitigating the Vulnerability

The primary mitigation strategy is to ensure that the timeout worker and timer are properly handled during the cleanup process. The fix involves cancelling the worker and deleting the timer before freeing the data structure:

  • Cancel the Worker: Cancelling the worker before kfree(cfg) guarantees that no invocation of the worker touches memory that has already been freed.
  • Delete the Timer: Deleting the timer before cleanup ensures that a late expiry cannot schedule the worker again.
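
The ordering the two points above describe, as an added single-threaded user-space model; this is not the brcmfmac driver's code or the kernel's fix. The one-slot timer and workqueue stand-ins, the CFG_MAGIC marker and kfree_sim() are assumptions of the model: kfree_sim() poisons the object with 0x6b the way SLUB poisoning does instead of releasing it, so a callback that runs late can be observed rather than being undefined behaviour. The vulnerable order reports a deferred callback on freed memory whether the timer has already fired or is still armed at disconnect; the fixed order reports none in both cases.

```c
/* Model of the CVE-2024-35811 ordering bug and its fix (added example, not
 * kernel code). Names follow the call chain on the page; the timer/workqueue
 * stand-ins and CFG_MAGIC are constructed for the model. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define POISON_FREE 0x6b         /* byte SLUB writes over a freed object */
#define CFG_MAGIC   0xC0FFEE42u  /* constructed "object is live" marker */

struct brcmf_cfg80211_info {
    uint32_t magic;
    bool escan_in_progress;
};

typedef void (*cb_t)(struct brcmf_cfg80211_info *cfg);

/* One-slot stand-ins for the timer wheel and the system workqueue. The
 * callback pointer is copied at arm/queue time so the model never calls
 * through memory that has been poisoned. */
static struct { cb_t fn; struct brcmf_cfg80211_info *cfg;
                unsigned long expires; bool armed; } timer_slot;
static struct { cb_t fn; struct brcmf_cfg80211_info *cfg; bool pending; } work_slot;
static unsigned long jiffies;
static int uaf_detected;         /* deferred callbacks that ran on a freed cfg */

/* Plays the role KASAN/SLUB poisoning plays in a real kernel: every deferred
 * callback checks the object here and a freed one is counted, not used. */
static bool cfg_is_live(struct brcmf_cfg80211_info *cfg)
{
    if (cfg->magic == CFG_MAGIC)
        return true;
    uaf_detected++;
    return false;
}

static void schedule_work_sim(cb_t fn, struct brcmf_cfg80211_info *cfg)
{
    if (work_slot.pending)       /* schedule_work() on a queued item is a no-op */
        return;
    work_slot.fn = fn; work_slot.cfg = cfg; work_slot.pending = true;
}
static void cancel_work_sync_sim(void) { work_slot.pending = false; }

static void mod_timer_sim(cb_t fn, struct brcmf_cfg80211_info *cfg, unsigned long expires)
{
    timer_slot.fn = fn; timer_slot.cfg = cfg;
    timer_slot.expires = expires; timer_slot.armed = true;
}
static void del_timer_sync_sim(void) { timer_slot.armed = false; }

/* Free as SLUB poisoning would show it: the bytes are overwritten, not reused. */
static void kfree_sim(struct brcmf_cfg80211_info *cfg)
{
    memset(cfg, POISON_FREE, sizeof(*cfg));
}

/* Advance time by `ticks`: queued work runs first, then expired timers fire;
 * work queued by a timer therefore waits for the next pass. */
static void run_pending(unsigned long ticks)
{
    jiffies += ticks;
    if (work_slot.pending) {
        work_slot.pending = false;
        work_slot.fn(work_slot.cfg);
    }
    if (timer_slot.armed && timer_slot.expires <= jiffies) {
        timer_slot.armed = false;
        timer_slot.fn(timer_slot.cfg);
    }
}

/* Driver-side callbacks. The timer expiry queues the worker; the worker
 * aborts the timed-out scan. Either one running on a freed cfg is the bug. */
static void brcmf_cfg80211_escan_timeout_worker(struct brcmf_cfg80211_info *cfg)
{
    if (!cfg_is_live(cfg))
        return;
    cfg->escan_in_progress = false;
}
static void brcmf_escan_timeout(struct brcmf_cfg80211_info *cfg)
{
    if (!cfg_is_live(cfg))
        return;
    schedule_work_sim(brcmf_cfg80211_escan_timeout_worker, cfg);
}

/* brcmf_cfg80211_detach() as reached from the USB disconnect chain. */
static void brcmf_cfg80211_detach(struct brcmf_cfg80211_info *cfg, bool fixed)
{
    if (fixed) {
        del_timer_sync_sim();    /* no later expiry can queue the worker */
        cancel_work_sync_sim();  /* nothing queued survives past this point */
    }
    kfree_sim(cfg);
}

/* Hotplug-disconnect scenario. timer_expired: the escan timeout already fired
 * and the worker is waiting in the queue; otherwise the timer is still armed.
 * Returns how many deferred callbacks touched the freed cfg (0 is correct). */
int run_disconnect(bool timer_expired, bool fixed)
{
    struct brcmf_cfg80211_info *cfg = malloc(sizeof(*cfg));
    uaf_detected = 0; jiffies = 0;
    memset(&timer_slot, 0, sizeof timer_slot);
    memset(&work_slot, 0, sizeof work_slot);

    cfg->magic = CFG_MAGIC;
    cfg->escan_in_progress = true;           /* a scan is running */
    mod_timer_sim(brcmf_escan_timeout, cfg, 10);
    if (timer_expired)
        run_pending(10);                     /* timer fires, worker now queued */

    brcmf_cfg80211_detach(cfg, fixed);       /* the USB unplug arrives here */
    run_pending(10);                         /* whatever is still deferred runs */

    free(cfg);
    return uaf_detected;
}

int main(void)
{
    printf("worker queued, vulnerable order: %d\n", run_disconnect(true, false));
    printf("timer armed,   vulnerable order: %d\n", run_disconnect(false, false));
    printf("worker queued, fixed order:      %d\n", run_disconnect(true, true));
    printf("timer armed,   fixed order:      %d\n", run_disconnect(false, true));
    return 0;
}
```

The two vulnerable cases show why both steps are needed: cancelling the worker alone leaves an armed timer that can queue it again, and deleting the timer alone leaves an already-queued worker to run on freed memory.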

The official CVE report tracks this issue against commit e756af5b30b0 and lists the commits that carry the fix, including 202c50393504 and 8e3f03f4ef7c, for each affected kernel series.

Updating and Patching

To mitigate CVE-2024-35811, follow these steps:

  • Verify Kernel Version: Check whether your system is running an affected version:
    uname -r
  • Update Kernel: Ensure your system is updated to a version containing the patch. Perform system updates and kernel upgrades through your distribution’s package manager. Example for Debian-based systems:
    sudo apt-get update && sudo apt-get upgrade
  • Verify Patch Application: Confirm that the kernel includes the appropriate patch by checking the kernel change logs or consulting the distribution's documentation.

For more detailed information, consult the official kernel commit logs.

By staying vigilant and applying security patches diligently, you can protect your systems from potential exploits targeting this vulnerability.