fkie_cve-2024-56541
Vulnerability from fkie_nvd
Published
2024-12-27 14:15
Modified
2025-02-11 16:15
Severity ?
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix use-after-free in ath12k_dp_cc_cleanup() During ath12k module removal, in ath12k_core_deinit(), ath12k_mac_destroy() un-registers ah->hw from mac80211 and frees the ah->hw as well as all the ar's in it. After this ath12k_core_soc_destroy()-> ath12k_dp_free()-> ath12k_dp_cc_cleanup() tries to access one of the freed ar's from pending skb. This is because during mac destroy, driver failed to flush few data packets, which were accessed later in ath12k_dp_cc_cleanup() and freed, but using ar from the packet led to this use-after-free. BUG: KASAN: use-after-free in ath12k_dp_cc_cleanup.part.0+0x5e2/0xd40 [ath12k] Write of size 4 at addr ffff888150bd3514 by task modprobe/8926 CPU: 0 UID: 0 PID: 8926 Comm: modprobe Not tainted 6.11.0-rc2-wt-ath+ #1746 Hardware name: Intel(R) Client Systems NUC8i7HVK/NUC8i7HVB, BIOS HNKBLi70.86A.0067.2021.0528.1339 05/28/2021 Call Trace: <TASK> dump_stack_lvl+0x7d/0xe0 print_address_description.constprop.0+0x33/0x3a0 print_report+0xb5/0x260 ? kasan_addr_to_slab+0x24/0x80 kasan_report+0xd8/0x110 ? ath12k_dp_cc_cleanup.part.0+0x5e2/0xd40 [ath12k] ? ath12k_dp_cc_cleanup.part.0+0x5e2/0xd40 [ath12k] kasan_check_range+0xf3/0x1a0 __kasan_check_write+0x14/0x20 ath12k_dp_cc_cleanup.part.0+0x5e2/0xd40 [ath12k] ath12k_dp_free+0x178/0x420 [ath12k] ath12k_core_stop+0x176/0x200 [ath12k] ath12k_core_deinit+0x13f/0x210 [ath12k] ath12k_pci_remove+0xad/0x1c0 [ath12k] pci_device_remove+0x9b/0x1b0 device_remove+0xbf/0x150 device_release_driver_internal+0x3c3/0x580 ? __kasan_check_read+0x11/0x20 driver_detach+0xc4/0x190 bus_remove_driver+0x130/0x2a0 driver_unregister+0x68/0x90 pci_unregister_driver+0x24/0x240 ? find_module_all+0x13e/0x1e0 ath12k_pci_exit+0x10/0x20 [ath12k] __do_sys_delete_module+0x32c/0x580 ? module_flags+0x2f0/0x2f0 ? kmem_cache_free+0xf0/0x410 ? __fput+0x56f/0xab0 ? __fput+0x56f/0xab0 ? debug_smp_processor_id+0x17/0x20 __x64_sys_delete_module+0x4f/0x70 x64_sys_call+0x522/0x9f0 do_syscall_64+0x64/0x130 entry_SYSCALL_64_after_hwframe+0x4b/0x53 RIP: 0033:0x7f8182c6ac8b Commit 24de1b7b231c ("wifi: ath12k: fix flush failure in recovery scenarios") added the change to decrement the pending packets count in case of recovery which make sense as ah->hw as well all ar's in it are intact during recovery, but during core deinit there is no use in decrementing packets count or waking up the empty waitq as the module is going to be removed also ar's from pending skb's can't be used and the packets should just be released back. To fix this, avoid accessing ar from skb->cb when driver is being unregistered. Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.1.1-00214-QCAHKSWPL_SILICONZ-1 Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/35be5018a2a4d1b07bdfcf957c81121d22d16355Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/bdb281103373fd80eb5c91cede1e115ba270b4e9Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/e5e15c8b42923bfb6c84d3d906a9965d9a0f111dPatch
Impacted products
Vendor Product Version
linux linux_kernel *
linux linux_kernel *


To clipboard 

{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "158A6B22-9260-41D7-965A-A81798A5A969",
                     versionEndExcluding: "6.11.11",
                     versionStartIncluding: "6.10",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "D8882B1B-2ABC-4838-AC1D-DBDBB5764776",
                     versionEndExcluding: "6.12.2",
                     versionStartIncluding: "6.12",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: fix use-after-free in ath12k_dp_cc_cleanup()\n\nDuring ath12k module removal, in ath12k_core_deinit(),\nath12k_mac_destroy() un-registers ah->hw from mac80211 and frees\nthe ah->hw as well as all the ar's in it. After this\nath12k_core_soc_destroy()-> ath12k_dp_free()-> ath12k_dp_cc_cleanup()\ntries to access one of the freed ar's from pending skb.\n\nThis is because during mac destroy, driver failed to flush few\ndata packets, which were accessed later in ath12k_dp_cc_cleanup()\nand freed, but using ar from the packet led to this use-after-free.\n\nBUG: KASAN: use-after-free in ath12k_dp_cc_cleanup.part.0+0x5e2/0xd40 [ath12k]\nWrite of size 4 at addr ffff888150bd3514 by task modprobe/8926\nCPU: 0 UID: 0 PID: 8926 Comm: modprobe Not tainted\n6.11.0-rc2-wt-ath+ #1746\nHardware name: Intel(R) Client Systems NUC8i7HVK/NUC8i7HVB, BIOS\nHNKBLi70.86A.0067.2021.0528.1339 05/28/2021\n\nCall Trace:\n  <TASK>\n  dump_stack_lvl+0x7d/0xe0\n  print_address_description.constprop.0+0x33/0x3a0\n  print_report+0xb5/0x260\n  ? kasan_addr_to_slab+0x24/0x80\n  kasan_report+0xd8/0x110\n  ? ath12k_dp_cc_cleanup.part.0+0x5e2/0xd40 [ath12k]\n  ? ath12k_dp_cc_cleanup.part.0+0x5e2/0xd40 [ath12k]\n  kasan_check_range+0xf3/0x1a0\n  __kasan_check_write+0x14/0x20\n  ath12k_dp_cc_cleanup.part.0+0x5e2/0xd40 [ath12k]\n  ath12k_dp_free+0x178/0x420 [ath12k]\n  ath12k_core_stop+0x176/0x200 [ath12k]\n  ath12k_core_deinit+0x13f/0x210 [ath12k]\n  ath12k_pci_remove+0xad/0x1c0 [ath12k]\n  pci_device_remove+0x9b/0x1b0\n  device_remove+0xbf/0x150\n  device_release_driver_internal+0x3c3/0x580\n  ? __kasan_check_read+0x11/0x20\n  driver_detach+0xc4/0x190\n  bus_remove_driver+0x130/0x2a0\n  driver_unregister+0x68/0x90\n  pci_unregister_driver+0x24/0x240\n  ? find_module_all+0x13e/0x1e0\n  ath12k_pci_exit+0x10/0x20 [ath12k]\n  __do_sys_delete_module+0x32c/0x580\n  ? module_flags+0x2f0/0x2f0\n  ? kmem_cache_free+0xf0/0x410\n  ? __fput+0x56f/0xab0\n  ? __fput+0x56f/0xab0\n  ? debug_smp_processor_id+0x17/0x20\n  __x64_sys_delete_module+0x4f/0x70\n  x64_sys_call+0x522/0x9f0\n  do_syscall_64+0x64/0x130\n  entry_SYSCALL_64_after_hwframe+0x4b/0x53\nRIP: 0033:0x7f8182c6ac8b\n\nCommit 24de1b7b231c (\"wifi: ath12k: fix flush failure in recovery\nscenarios\") added the change to decrement the pending packets count\nin case of recovery which make sense as ah->hw as well all\nar's in it are intact during recovery, but during core deinit there\nis no use in decrementing packets count or waking up the empty waitq\nas the module is going to be removed also ar's from pending skb's\ncan't be used and the packets should just be released back.\n\nTo fix this, avoid accessing ar from skb->cb when driver is being\nunregistered.\n\nTested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.1.1-00214-QCAHKSWPL_SILICONZ-1\nTested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3",
      },
      {
         lang: "es",
         value: "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: wifi: ath12k: arreglo de use-after-free en ath12k_dp_cc_cleanup() Durante la eliminación del módulo ath12k, en ath12k_core_deinit(), ath12k_mac_destroy() anula el registro de ah-&gt;hw de mac80211 y libera el ah-&gt;hw así como todos los ar en él. Después de esto, ath12k_core_soc_destroy()-&gt; ath12k_dp_free()-&gt; ath12k_dp_cc_cleanup() intenta acceder a uno de los ar liberados del skb pendiente. Esto se debe a que durante la destrucción de mac, el controlador no pudo limpiar algunos paquetes de datos, a los que se accedió más tarde en ath12k_dp_cc_cleanup() y se liberaron, pero el uso de ar del paquete provocó este use-after-free. ERROR: KASAN: use-after-free en ath12k_dp_cc_cleanup.part.0+0x5e2/0xd40 [ath12k] Escritura de tamaño 4 en la dirección ffff888150bd3514 por la tarea modprobe/8926 CPU: 0 UID: 0 PID: 8926 Comm: modprobe No contaminado 6.11.0-rc2-wt-ath+ #1746 Nombre del hardware: Intel(R) Client Systems NUC8i7HVK/NUC8i7HVB, BIOS HNKBLi70.86A.0067.2021.0528.1339 28/05/2021 Seguimiento de llamadas:  dump_stack_lvl+0x7d/0xe0 dirección_de_impresión_descripción.constprop.0+0x33/0x3a0 informe_de_impresión+0xb5/0x260 ? dirección_kasan_a_losa+0x24/0x80 informe_kasan+0xd8/0x110 ? ath12k_dp_cc_cleanup.part.0+0x5e2/0xd40 [ath12k] ? ath12k_dp_cc_cleanup.part.0+0x5e2/0xd40 [ath12k] rango de comprobación de kasan+0xf3/0x1a0 __comprobación de escritura de kasan+0x14/0x20 ath12k_dp_cc_cleanup.part.0+0x5e2/0xd40 [ath12k] dp_free+0x178/0x420 [ath12k] núcleo_detención+0x176/0x200 [ath12k] núcleo_deinit+0x13f/0x210 [ath12k] eliminación de pci+0xad/0x1c0 [ath12k] eliminación de dispositivo pci+0x9b/0x1b0 dispositivo_eliminar+0xbf/0x150 dispositivo_liberación_controlador_interno+0x3c3/0x580 ? __kasan_check_read+0x11/0x20 controlador_desconectar+0xc4/0x190 bus_eliminar_controlador+0x130/0x2a0 controlador_anular_registro+0x68/0x90 pci_anular_registro_controlador+0x24/0x240 ? buscar_módulo_todos+0x13e/0x1e0 ath12k_pci_exit+0x10/0x20 [ath12k] __do_sys_eliminar_módulo+0x32c/0x580 ? módulo_indicadores+0x2f0/0x2f0 ? kmem_cache_libre+0xf0/0x410 ? __fput+0x56f/0xab0 ? __fput+0x56f/0xab0 ? debug_smp_processor_id+0x17/0x20 __x64_sys_delete_module+0x4f/0x70 x64_sys_call+0x522/0x9f0 do_syscall_64+0x64/0x130 entry_SYSCALL_64_after_hwframe+0x4b/0x53 RIP: 0033:0x7f8182c6ac8b Commit 24de1b7b231c (\"wifi: ath12k: corregir falla de vaciado en escenarios de recuperación\") agregó el cambio para disminuir el conteo de paquetes pendientes en caso de recuperación, lo que tiene sentido ya que ah-&gt;hw y todos los ar en él están intactos durante la recuperación, pero durante la desincialización del núcleo no tiene sentido disminuir el conteo de paquetes o despertar el waitq vacío ya que el módulo también se eliminará. Los paquetes de skb pendientes no se pueden usar y los paquetes deberían simplemente liberarse. Para solucionar esto, evite acceder a ar desde skb-&gt;cb cuando se está anulando el registro del controlador. Probado en: QCN9274 hw2.0 PCI WLAN.WBE.1.1.1-00214-QCAHKSWPL_SILICONZ-1 Probado en: WCN7850 hw2.0 PCI WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3",
      },
   ],
   id: "CVE-2024-56541",
   lastModified: "2025-02-11T16:15:43.277",
   metrics: {
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "LOCAL",
               availabilityImpact: "HIGH",
               baseScore: 7.8,
               baseSeverity: "HIGH",
               confidentialityImpact: "HIGH",
               integrityImpact: "HIGH",
               privilegesRequired: "LOW",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
               version: "3.1",
            },
            exploitabilityScore: 1.8,
            impactScore: 5.9,
            source: "nvd@nist.gov",
            type: "Primary",
         },
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "LOCAL",
               availabilityImpact: "HIGH",
               baseScore: 7.8,
               baseSeverity: "HIGH",
               confidentialityImpact: "HIGH",
               integrityImpact: "HIGH",
               privilegesRequired: "LOW",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
               version: "3.1",
            },
            exploitabilityScore: 1.8,
            impactScore: 5.9,
            source: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
            type: "Secondary",
         },
      ],
   },
   published: "2024-12-27T14:15:33.767",
   references: [
      {
         source: "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
         tags: [
            "Patch",
         ],
         url: "https://git.kernel.org/stable/c/35be5018a2a4d1b07bdfcf957c81121d22d16355",
      },
      {
         source: "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
         tags: [
            "Patch",
         ],
         url: "https://git.kernel.org/stable/c/bdb281103373fd80eb5c91cede1e115ba270b4e9",
      },
      {
         source: "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
         tags: [
            "Patch",
         ],
         url: "https://git.kernel.org/stable/c/e5e15c8b42923bfb6c84d3d906a9965d9a0f111d",
      },
   ],
   sourceIdentifier: "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-416",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
      {
         description: [
            {
               lang: "en",
               value: "CWE-416",
            },
         ],
         source: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
         type: "Secondary",
      },
   ],
}


Log in or create an account to share your comment.

Security Advisory comment format.

This schema specifies the format of a comment related to a security advisory.

UUIDv4 of the comment
UUIDv4 of the Vulnerability-Lookup instance
When the comment was created originally
When the comment was last updated
Title of the comment
Description of the comment
The identifier of the vulnerability (CVE ID, GHSA-ID, PYSEC ID, etc.).



Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.