Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A double free vulnerability has been identified in the Linux kernel's mac80211 component, specifically in its mesh networking code. The issue arises when a device leaves a mesh network and then rejoins it: improper handling of the mesh information elements corrupts memory. The vulnerability can lead to kernel panics and was first observed in an application called 'Senf', which uses its own network management rather than the standard wpa_supplicant.
Exploitation of this vulnerability causes a kernel panic, leading to a system crash.
The vulnerability can be reproduced by using wpa_supplicant with an encrypted mesh network. After joining the network, the 'iw dev mesh0 mesh leave' command is issued, followed by 'iw dev mesh0 mesh join my-mesh'. This sequence triggers the double free condition. A NETDEV_DOWN/NETDEV_UP cycle resets the mesh information element to NULL, which avoids the corruption.
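The leave/rejoin sequence above, as an added user-space C model (not code from the kernel or from this advisory): it assumes that both the join and the leave path release the mesh information element, uses hypothetical names (`mesh_if`, `mesh_join`, `mesh_leave`), and counts a repeated free instead of executing it. It shows why resetting the pointer to NULL on leave avoids the second free.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical user-space model of the IE lifecycle; not mac80211 source. */
struct mesh_if { unsigned char *ie; };
static struct { void *p; int freed; } track[16];
static int n_track, double_frees;
static void tracker_reset(void) {
    while (n_track > 0) free(track[--n_track].p);
    double_frees = 0;
}
static void *tracked_dup(const void *src, size_t n) {
    void *p = (n_track < 16) ? malloc(n) : NULL;
    if (!p) return NULL;
    memcpy(p, src, n);
    track[n_track].p = p; track[n_track++].freed = 0;
    return p;
}
/* kfree()-like: NULL is a no-op. Freed blocks stay quarantined, so a repeated free is counted, not run. */
static void tracked_free(void *p) {
    for (int i = 0; p && i < n_track; i++)
        if (track[i].p == p) { double_frees += track[i].freed; track[i].freed = 1; return; }
}
static int mesh_join(struct mesh_if *m, const unsigned char *ie, size_t len) {
    unsigned char *new_ie = tracked_dup(ie, len);
    if (!new_ie) return -1;
    tracked_free(m->ie);            /* assumed: join releases the previous IE */
    m->ie = new_ie;
    return 0;
}
static void mesh_leave(struct mesh_if *m, int reset_ptr) {
    tracked_free(m->ie);            /* assumed: leave releases the IE as well */
    if (reset_ptr) m->ie = NULL;    /* hardened: no stale pointer survives the leave */
}
/* join, leave, join, leave; returns how often an already freed IE was freed again */
int rejoin_double_frees(int reset_ptr) {
    static const unsigned char ie[] = { 0xdd, 0x02, 0x00, 0x01 };  /* constructed sample bytes */
    struct mesh_if m = { NULL };
    tracker_reset();
    if (mesh_join(&m, ie, sizeof ie)) return -1;
    mesh_leave(&m, reset_ptr);
    if (mesh_join(&m, ie, sizeof ie)) return -1;
    mesh_leave(&m, reset_ptr);
    return double_frees;
}
int main(void) {
    printf("stale pointer kept: %d, pointer reset: %d\n", rejoin_double_frees(0), rejoin_double_frees(1));
    return 0;
}
```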
The vulnerability has been addressed in the Linux kernel. Users should upgrade to the latest version where this issue has been fixed.