From e230a4455ac3e9b112f0367d1b8e255e141afae0 Mon Sep 17 00:00:00 2001

From: Dan Carpenter <dan.carpenter@oracle.com>

Date: Tue, 30 Aug 2022 17:55:07 +0300

Subject: [PATCH] staging: rtl8712: fix use after free bugs

Git-commit: e230a4455ac3e9b112f0367d1b8e255e141afae0

Patch-mainline: v6.0-rc4

References: CVE-2022-4095 bsc#1205514

_Read/Write_MACREG callbacks are NULL so the read/write_macreg_hdl()

functions don't do anything except free the "pcmd" pointer.  It

results in a use after free.  Delete them.

Fixes: 2865d42c78a9 ("staging: r8712u: Add the new driver to the mainline kernel")

Cc: stable <stable@kernel.org>

Reported-by: Zheng Wang <hackerzheng666@gmail.com>

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

Link: https://lore.kernel.org/r/Yw4ASqkYcUhUfoY2@kili

Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Acked-by: Takashi Iwai <tiwai@suse.de>

---

 drivers/staging/rtl8712/rtl8712_cmd.c | 36 ---------------------------

 1 file changed, 36 deletions(-)

diff --git a/drivers/staging/rtl8712/rtl8712_cmd.c b/drivers/staging/rtl8712/rtl8712_cmd.c

index 2326aae6709e..bb7db96ed821 100644

--- a/drivers/staging/rtl8712/rtl8712_cmd.c

+++ b/drivers/staging/rtl8712/rtl8712_cmd.c

@@ -117,34 +117,6 @@ static void r871x_internal_cmd_hdl(struct _adapter *padapter, u8 *pbuf)

 	kfree(pdrvcmd->pbuf);

 }

-static u8 read_macreg_hdl(struct _adapter *padapter, u8 *pbuf)

-{

-	void (*pcmd_callback)(struct _adapter *dev, struct cmd_obj	*pcmd);

-	struct cmd_obj *pcmd  = (struct cmd_obj *)pbuf;

-

-	/*  invoke cmd->callback function */

-	pcmd_callback = cmd_callback[pcmd->cmdcode].callback;

-	if (!pcmd_callback)

-		r8712_free_cmd_obj(pcmd);

-	else

-		pcmd_callback(padapter, pcmd);

-	return H2C_SUCCESS;

-}

-

-static u8 write_macreg_hdl(struct _adapter *padapter, u8 *pbuf)

-{

-	void (*pcmd_callback)(struct _adapter *dev, struct cmd_obj	*pcmd);

-	struct cmd_obj *pcmd  = (struct cmd_obj *)pbuf;

-

-	/*  invoke cmd->callback function */

-	pcmd_callback = cmd_callback[pcmd->cmdcode].callback;

-	if (!pcmd_callback)

-		r8712_free_cmd_obj(pcmd);

-	else

-		pcmd_callback(padapter, pcmd);

-	return H2C_SUCCESS;

-}

-

 static u8 read_bbreg_hdl(struct _adapter *padapter, u8 *pbuf)

 {

 	struct cmd_obj *pcmd  = (struct cmd_obj *)pbuf;

@@ -213,14 +185,6 @@ static struct cmd_obj *cmd_hdl_filter(struct _adapter *padapter,

 	pcmd_r = NULL;

 	switch (pcmd->cmdcode) {

-	case GEN_CMD_CODE(_Read_MACREG):

-		read_macreg_hdl(padapter, (u8 *)pcmd);

-		pcmd_r = pcmd;

-		break;

-	case GEN_CMD_CODE(_Write_MACREG):

-		write_macreg_hdl(padapter, (u8 *)pcmd);

-		pcmd_r = pcmd;

-		break;

 	case GEN_CMD_CODE(_Read_BBREG):

 		read_bbreg_hdl(padapter, (u8 *)pcmd);

 		break;

-- 

2.35.3