Linux Kernel iwlwifi Driver Double List Add Vulnerability in Station Queue Management

A vulnerability has been identified in the Linux kernel's iwlwifi driver, specifically within the mac80211 wireless networking subsystem. This issue arises after a station successfully associates but has its queues disabled. In such cases, the related lists fail to clear, leading to a corruption error when new elements are added. The kernel then triggers a bug notification, indicating a list_add corruption issue. This vulnerability affects several versions of the Linux kernel, including 5.19.0-rc3.

Impact

Exploitation of this vulnerability causes a kernel bug due to list_add corruption, where the linked list management is compromised, potentially leading to memory corruption issues.

Reproduction

To reproduce this vulnerability, associate a station with the iwlwifi driver while intentionally disabling its transmission queues. This can be done by modifying the driver's queue management settings. Once the station is associated with the disabled queues, the vulnerability can be triggered by adding new elements to the transmission queue management, which will then collide with the unemptied old elements, causing the list corruption bug to manifest.

Remediation

The vulnerability has been addressed in the Linux kernel. Users should upgrade to the latest version where this issue has been fixed.