Home

CVE-2024-56541

Description

In the Linux kernel, the following vulnerability has been resolved:wifi: ath12k: fix use-after-free in ath12k_dp_cc_cleanup()During ath12k module removal, in ath12k_core_deinit(),ath12k_mac_destroy() un-registers ah->hw from mac80211 and freesthe ah->hw as well as all the ars in it. After thisath12k_core_soc_destroy()-> ath12k_dp_free()-> ath12k_dp_cc_cleanup()tries to access one of the freed ars from pending skb.This is because during mac destroy, driver failed to flush fewdata packets, which were accessed later in ath12k_dp_cc_cleanup()and freed, but using ar from the packet led to this use-after-free.BUG: KASAN: use-after-free in ath12k_dp_cc_cleanup.part.0+0x5e2/0xd40 [ath12k]Write of size 4 at addr ffff888150bd3514 by task modprobe/8926CPU: 0 UID: 0 PID: 8926 Comm: modprobe Not tainted6.11.0-rc2-wt-ath+ #1746Hardware name: Intel(R) Client Systems NUC8i7HVK/NUC8i7HVB, BIOSHNKBLi70.86A.0067.2021.0528.1339 05/28/2021Call Trace: dump_stack_lvl+0x7d/0xe0 print_address_description.constprop.0+0x33/0x3a0 print_report+0xb5/0x260 kasan_addr_to_slab+0x24/0x80 kasan_report+0xd8/0x110 ath12k_dp_cc_cleanup.part.0+0x5e2/0xd40 [ath12k] ath12k_dp_cc_cleanup.part.0+0x5e2/0xd40 [ath12k] kasan_check_range+0xf3/0x1a0 __kasan_check_write+0x14/0x20 ath12k_dp_cc_cleanup.part.0+0x5e2/0xd40 [ath12k] ath12k_dp_free+0x178/0x420 [ath12k] ath12k_core_stop+0x176/0x200 [ath12k] ath12k_core_deinit+0x13f/0x210 [ath12k] ath12k_pci_remove+0xad/0x1c0 [ath12k] pci_device_remove+0x9b/0x1b0 device_remove+0xbf/0x150 device_release_driver_internal+0x3c3/0x580 __kasan_check_read+0x11/0x20 driver_detach+0xc4/0x190 bus_remove_driver+0x130/0x2a0 driver_unregister+0x68/0x90 pci_unregister_driver+0x24/0x240 find_module_all+0x13e/0x1e0 ath12k_pci_exit+0x10/0x20 [ath12k] __do_sys_delete_module+0x32c/0x580 module_flags+0x2f0/0x2f0 kmem_cache_free+0xf0/0x410 __fput+0x56f/0xab0 __fput+0x56f/0xab0 debug_smp_processor_id+0x17/0x20 __x64_sys_delete_module+0x4f/0x70 x64_sys_call+0x522/0x9f0 do_syscall_64+0x64/0x130 entry_SYSCALL_64_after_hwframe+0x4b/0x53RIP: 0033:0x7f8182c6ac8bCommit 24de1b7b231c (wifi: ath12k: fix flush failure in recoveryscenarios) added the change to decrement the pending packets countin case of recovery which make sense as ah->hw as well allars in it are intact during recovery, but during core deinit thereis no use in decrementing packets count or waking up the empty waitqas the module is going to be removed also ars from pending skbscant be used and the packets should just be released back.To fix this, avoid accessing ar from skb->cb when driver is beingunregistered.Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.1.1-00214-QCAHKSWPL_SILICONZ-1Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3

Risk Information

Base Score
7.8
MODERATE
Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score
Exploitation Probability
0.071

Associated Vulnerability

VulnerabilityOS Platform
Linux kernel (USN-7276-1) linux-image-6.11.0-1010-lowlatency_6.11.0-1010.11_amd64.debLinux
Linux kernel (USN-7276-1) linux-image-6.11.0-18-generic_6.11.0-18.18_amd64.debLinux
Linux kernel (USN-7276-1) linux-image-generic_6.11.0-18.18_amd64.debLinux
Linux kernel (USN-7276-1) linux-image-generic-hwe-24.04_6.11.0-18.18_amd64.debLinux
Linux kernel (USN-7276-1) linux-image-lowlatency_6.11.0-1010.11_amd64.debLinux
Linux kernel (USN-7276-1) linux-image-oem-24.04_6.11.0-18.18_amd64.debLinux
Linux kernel (USN-7276-1) linux-image-oem-24.04a_6.11.0-18.18_amd64.debLinux
Linux kernel (USN-7276-1) linux-image-virtual_6.11.0-18.18_amd64.debLinux
Linux kernel (USN-7276-1) linux-image-virtual-hwe-24.04_6.11.0-18.18_amd64.debLinux
Linux kernel for Amazon Web Services (AWS) systems (USN-7277-1) linux-image-6.11.0-1005-realtime_6.11.0-1005.5_amd64.debLinux
Linux kernel for Amazon Web Services (AWS) systems (USN-7277-1) linux-image-6.11.0-1009-aws_6.11.0-1009.10_amd64.debLinux
Linux kernel for Amazon Web Services (AWS) systems (USN-7277-1) linux-image-6.11.0-1009-azure_6.11.0-1009.9_amd64.debLinux
Linux kernel for Amazon Web Services (AWS) systems (USN-7277-1) linux-image-6.11.0-1009-azure-fde_6.11.0-1009.9_amd64.debLinux
Linux kernel for Amazon Web Services (AWS) systems (USN-7277-1) linux-image-6.11.0-1009-gcp_6.11.0-1009.9_amd64.debLinux
Linux kernel for Amazon Web Services (AWS) systems (USN-7277-1) linux-image-6.11.0-1011-oracle_6.11.0-1011.12_amd64.debLinux
Linux kernel for Amazon Web Services (AWS) systems (USN-7277-1) linux-image-aws_6.11.0-1009.10_amd64.debLinux
Linux kernel for Amazon Web Services (AWS) systems (USN-7277-1) linux-image-azure_6.11.0-1009.9_amd64.debLinux
Linux kernel for Amazon Web Services (AWS) systems (USN-7277-1) linux-image-azure-fde_6.11.0-1009.9_amd64.debLinux
Linux kernel for Amazon Web Services (AWS) systems (USN-7277-1) linux-image-gcp_6.11.0-1009.9_amd64.debLinux
Linux kernel for Amazon Web Services (AWS) systems (USN-7277-1) linux-image-oracle_6.11.0-1011.12_amd64.debLinux
Linux kernel for Amazon Web Services (AWS) systems (USN-7277-1) linux-image-realtime_6.11.0-1005.5_amd64.debLinux
Linux kernel for Amazon Web Services (AWS) systems (USN-7277-1) linux-image-realtime-hwe-24.04_6.11.0-1005.5_amd64.debLinux
Linux kernel for OEM systems (USN-7310-1) linux-image-6.11.0-1015-oem_6.11.0-1015.15_amd64.debLinux
Linux kernel for OEM systems (USN-7310-1) linux-image-oem-24.04b_6.11.0-1015.15_amd64.debLinux
SUSE-SU-2025:02254-1(Public Cloud Module 15 SP7) kernel-source-azure-6.4.0-150700.20.6.1.noarch.rpmLinux
SUSE-SU-2025:02254-1(Public Cloud Module 15 SP7) kernel-syms-azure-6.4.0-150700.20.6.1.x86_64.rpmLinux
SUSE-SU-2025:02254-1(Public Cloud Module 15 SP7) kernel-azure-6.4.0-150700.20.6.1.x86_64.rpmLinux
SUSE-SU-2025:02254-1(Public Cloud Module 15 SP7) kernel-azure-debuginfo-6.4.0-150700.20.6.1.x86_64.rpmLinux
SUSE-SU-2025:02254-1(Public Cloud Module 15 SP7) kernel-azure-debugsource-6.4.0-150700.20.6.1.x86_64.rpmLinux
SUSE-SU-2025:02254-1(Public Cloud Module 15 SP7) kernel-azure-devel-6.4.0-150700.20.6.1.x86_64.rpmLinux
SUSE-SU-2025:02254-1(Public Cloud Module 15 SP7) kernel-azure-devel-debuginfo-6.4.0-150700.20.6.1.x86_64.rpmLinux
SUSE-SU-2025:02254-1(Public Cloud Module 15 SP7) kernel-devel-azure-6.4.0-150700.20.6.1.noarch.rpmLinux
SUSE-SU-2025:02307-1(Basesystem Module 15 SP7) kernel-default-6.4.0-150700.53.6.1.x86_64.rpmLinux
SUSE-SU-2025:02307-1(Legacy Module 15 SP7) reiserfs-kmp-default-6.4.0-150700.53.6.1.x86_64.rpmLinux
SUSE-SU-2025:02307-1(Legacy Module 15 SP7) reiserfs-kmp-default-debuginfo-6.4.0-150700.53.6.1.x86_64.rpmLinux
SUSE-SU-2025:02307-1(Development Tools Module 15 SP7) kernel-syms-6.4.0-150700.53.6.1.x86_64.rpmLinux
SUSE-SU-2025:02307-1(Legacy Module 15 SP7) kernel-default-debugsource-6.4.0-150700.53.6.1.x86_64.rpmLinux
SUSE-SU-2025:02307-1(Basesystem Module 15 SP7) kernel-default-base-6.4.0-150700.53.6.1.150700.17.6.1.x86_64.rpmLinux
SUSE-SU-2025:02307-1(Development Tools Module 15 SP7) kernel-source-6.4.0-150700.53.6.1.noarch.rpmLinux
SUSE-SU-2025:02307-1(Basesystem Module 15 SP7) kernel-default-devel-debuginfo-6.4.0-150700.53.6.1.x86_64.rpmLinux
SUSE-SU-2025:02307-1(Basesystem Module 15 SP7) kernel-default-devel-6.4.0-150700.53.6.1.x86_64.rpmLinux
SUSE-SU-2025:02307-1(Development Tools Module 15 SP7) kernel-obs-build-debugsource-6.4.0-150700.53.6.1.x86_64.rpmLinux
SUSE-SU-2025:02307-1(Development Tools Module 15 SP7) kernel-docs-6.4.0-150700.53.6.1.noarch.rpmLinux
SUSE-SU-2025:02307-1(Basesystem Module 15 SP7) kernel-default-debuginfo-6.4.0-150700.53.6.1.x86_64.rpmLinux
SUSE-SU-2025:02307-1(Development Tools Module 15 SP7) kernel-obs-build-6.4.0-150700.53.6.1.x86_64.rpmLinux
SUSE-SU-2025:02307-1(Basesystem Module 15 SP7) kernel-devel-6.4.0-150700.53.6.1.noarch.rpmLinux
SUSE-SU-2025:02307-1(Basesystem Module 15 SP7) kernel-macros-6.4.0-150700.53.6.1.noarch.rpmLinux

Patch Details

No records found

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234