Message ID | 20240419174258.30309-1-bethany.jamison@canonical.com |
---|---|
Series | CVE-2024-26694 |
It looks like Mantic received this patch from the upstream stable patchset dated 2024-04-16:

https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2061814

Jacob

On 4/19/24 12:42 PM, Bethany Jamison wrote:
> [Impact]
>
> In the Linux kernel, the following vulnerability has been resolved:
>
> wifi: iwlwifi: fix double-free bug
>
> The storage for the TLV PC register data wasn't done like all
> the other storage in the drv->fw area, which is cleared at the
> end of deallocation. Therefore, the freeing must also be done
> differently, explicitly NULL'ing it out after the free, since
> otherwise there's a nasty double-free bug here if a file fails
> to load after this has been parsed, and we get another free
> later (e.g. because no other file exists.) Fix that by adding
> the missing NULL assignment.
>
> [Fix]
>
> Mantic: Clean cherry-pick from linux-6.7.y
> Jammy: not-affected
> Focal: not-affected
> Bionic: not-affected
> Xenial: not-affected
> Trusty: not-affected
>
> [Test Case]
>
> Compile and boot tested.
>
> [Where problems could occur]
>
> This fix affects those who use iwlwifi (intel wireless wifi), an
> issue with this fix would be visible to the user via unpredicted
> system behavior or a system crash.
>
> Johannes Berg (1):
>   wifi: iwlwifi: fix double-free bug
>
>  drivers/net/wireless/intel/iwlwifi/iwl-drv.c | 1 +
>  1 file changed, 1 insertion(+)
>
On 19/04/2024 19:42, Bethany Jamison wrote:
> [Impact]
>
> In the Linux kernel, the following vulnerability has been resolved:
>
> wifi: iwlwifi: fix double-free bug
>
> The storage for the TLV PC register data wasn't done like all
> the other storage in the drv->fw area, which is cleared at the
> end of deallocation. Therefore, the freeing must also be done
> differently, explicitly NULL'ing it out after the free, since
> otherwise there's a nasty double-free bug here if a file fails
> to load after this has been parsed, and we get another free
> later (e.g. because no other file exists.) Fix that by adding
> the missing NULL assignment.
>
> [Fix]
>
> Mantic: Clean cherry-pick from linux-6.7.y
> Jammy: not-affected
> Focal: not-affected
> Bionic: not-affected
> Xenial: not-affected
> Trusty: not-affected
>
> [Test Case]
>
> Compile and boot tested.
>
> [Where problems could occur]
>
> This fix affects those who use iwlwifi (intel wireless wifi), an
> issue with this fix would be visible to the user via unpredicted
> system behavior or a system crash.
>
> Johannes Berg (1):
>   wifi: iwlwifi: fix double-free bug
>
>  drivers/net/wireless/intel/iwlwifi/iwl-drv.c | 1 +
>  1 file changed, 1 insertion(+)
>

I added the CVE no. to the commit that was cherry-picked from stable.
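
The pattern described in the quoted commit message, as an added user-space example that is not part of the thread and is not the driver's code: a pointer stored outside the area that cleanup wipes stays stale unless it is explicitly set to NULL, so a second cleanup pass frees it again. All struct, field and function names here are hypothetical, and the tracking allocator counts a stale free instead of performing it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical user-space model; names are illustrative, not the driver's. */
struct fw_area { void *sections; };       /* wiped by memset at end of dealloc */
struct drv {
    struct fw_area fw;
    void *pc_data;                        /* stored outside fw, so never wiped */
};
static void *live[8];                     /* pointers currently allocated */
static int double_frees;

static void *t_alloc(size_t n) {
    void *p = malloc(n);
    for (int i = 0; i < 8; i++)
        if (!live[i]) { live[i] = p; break; }
    return p;
}
/* Like kfree(): NULL is a no-op. A stale pointer is counted, not freed again. */
static void t_free(void *p) {
    if (!p) return;
    for (int i = 0; i < 8; i++)
        if (live[i] == p) { live[i] = NULL; free(p); return; }
    double_frees++;
}

static void dealloc(struct drv *d, int null_after_free) {
    t_free(d->fw.sections);
    t_free(d->pc_data);
    if (null_after_free) d->pc_data = NULL;   /* the missing assignment */
    memset(&d->fw, 0, sizeof(d->fw));         /* clears fw pointers only */
}

/* A file is parsed (allocations made), then fails to load; no other file exists. */
static int simulate(int null_after_free) {
    struct drv d = { .pc_data = NULL };
    double_frees = 0;
    memset(live, 0, sizeof(live));
    d.fw.sections = t_alloc(64);
    d.pc_data = t_alloc(32);
    dealloc(&d, null_after_free);         /* cleanup after the load failure */
    dealloc(&d, null_after_free);         /* later cleanup, nothing left to try */
    return double_frees;                  /* stale frees observed */
}

int main(void) {
    printf("without NULL: %d stale free(s)\n", simulate(0));
    printf("with NULL:    %d stale free(s)\n", simulate(1));
}
```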