CVE-2024-26897

wifi: ath9k: delay all of ath9k_wmi_event_tasklet() until init is complete

Severity Score

4.1

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

wifi: ath9k: delay all of ath9k_wmi_event_tasklet() until init is complete

The ath9k_wmi_event_tasklet() used in ath9k_htc assumes that all the data
structures have been fully initialised by the time it runs. However, because of
the order in which things are initialised, this is not guaranteed to be the
case, because the device is exposed to the USB subsystem before the ath9k driver
initialisation is completed.

We already committed a partial fix for this in commit:
8b3046abc99e ("ath9k_htc: fix NULL pointer dereference at ath9k_htc_tx_get_packet()")

However, that commit only aborted the WMI_TXSTATUS_EVENTID command in the event
tasklet, pairing it with an "initialisation complete" bit in the TX struct. It
seems syzbot managed to trigger the race for one of the other commands as well,
so let's just move the existing synchronisation bit to cover the whole
tasklet (setting it at the end of ath9k_htc_probe_device() instead of inside
ath9k_tx_init()).

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: wifi: ath9k: retrasa todo ath9k_wmi_event_tasklet() hasta que se complete el inicio. El ath9k_wmi_event_tasklet() usado en ath9k_htc supone que todas las estructuras de datos se han inicializado por completo en el momento de su ejecución. Sin embargo, debido al orden en que se inicializan las cosas, no se garantiza que este sea el caso, porque el dispositivo queda expuesto al subsistema USB antes de que se complete la inicialización del controlador ath9k. Ya cometimos una solución parcial para esto en la confirmación: 8b3046abc99e ("ath9k_htc: corrige la desreferencia del puntero NULL en ath9k_htc_tx_get_packet()") Sin embargo, esa confirmación solo abortó el comando WMI_TXSTATUS_EVENTID en el tasklet de eventos, emparejándolo con un bit de "inicialización completa" en la estructura TX. Parece que syzbot también logró activar la carrera para uno de los otros comandos, así que simplemente movamos el bit de sincronización existente para cubrir todo el tasklet (configurándolo al final de ath9k_htc_probe_device() en lugar de dentro de ath9k_tx_init()).

A flaw was found in the Linux kernel. This vulnerability affects the ath9k wireless driver in the Linux kernel, specifically used with ath9k_htc devices. The issue arises from a race condition where certain initialization processes are incomplete when the system begins handling WiFi-related events. The problem occurs because the device is exposed to the USB subsystem before the ath9k driver finishes initializing critical data structures.
This can lead to NULL pointer dereferences, which cause system crashes, particularly when running specific commands or handling events during WiFi operations. A partial fix had been applied earlier to prevent one aspect of this issue, but further problems were identified. The final resolution was to delay all event handling in the ath9k_wmi_event_tasklet() function until initialization is fully complete, ensuring stability.

*Credits: N/A

CVSS Scores

Red Hatv3.1 4.1

Attack Vector

Local

Attack Complexity

High

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-02-19 CVE Reserved
2024-04-17 CVE Published
2024-04-18 EPSS Updated
2024-09-11 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CAPEC

References (14)

URL	Tag	Source
https://git.kernel.org/stable/c/78c8397132dd4735ac6a7b5a651302f0b9f264ad	Vuln. Introduced
https://git.kernel.org/stable/c/735aefae7b68025cd04c482a940c0f6fc6797a63	Vuln. Introduced
https://git.kernel.org/stable/c/8b3046abc99eefe11438090bcc4ec3a3994b55d0	Vuln. Introduced
https://git.kernel.org/stable/c/7bbc1a50a7963f14048f0e54b0b73159f86d4ea3	Vuln. Introduced
https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/1bc5461a21c56a36e2a7d81e152b90ce019a3905	2024-03-26
https://git.kernel.org/stable/c/f8ff4b4df71e87f609be0cc37d92e918107f9b90	2024-03-26
https://git.kernel.org/stable/c/74d0639261dd795dce958d1b14815bdcbb48a715	2024-03-26
https://git.kernel.org/stable/c/a015fbf698c8957aa5fbeefc5c59dd2cf3107298	2024-03-26
https://git.kernel.org/stable/c/ac90e22e735bac44f74b5161fb096fbeb0ff8bc2	2024-03-26
https://git.kernel.org/stable/c/4afa0246656d5680c8a4c3fb37ba6570c4ab819b	2024-03-26
https://git.kernel.org/stable/c/24355fcb0d4cbcb6ddda262596558e8cfba70f11	2024-02-02

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2024-26897	2024-08-14
https://bugzilla.redhat.com/show_bug.cgi?id=2275655	2024-08-14

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.10.136 < 5.10.214 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.10.136 < 5.10.214"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.15.17 < 5.15.153 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.15.17 < 5.15.153"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.17 < 6.1.83 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.17 < 6.1.83"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.17 < 6.6.23 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.17 < 6.6.23"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.17 < 6.7.11 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.17 < 6.7.11"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.17 < 6.8.2 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.17 < 6.8.2"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.17 < 6.9 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.17 < 6.9"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				5.16.3 Search vendor "Linux" for product "Linux Kernel" and version "5.16.3"		en		Affected