Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
- >= 5.19.0, < 5.19.8
A double free vulnerability has been identified in the Linux kernel's iwlwifi wireless driver, specifically within the TX (transmit) path of the firmware for Intel AX210 wireless chips. This vulnerability leads to kernel crashes, lockups, and memory corruption errors. The issue arises when the function 'iwl_mvm_tx_skb_sta' processes TCP segmentation offload (TSO) skb buffers. In error cases, these buffers may be prematurely freed, creating a scenario where the same buffer can be freed again, causing a use-after-free condition. This flaw was exposed by the Kernel Address Sanitizer (KASAN), which detected the improper memory management and subsequent access to freed memory.
Exploitation of this vulnerability causes a use-after-free condition, where the kernel attempts to access memory that has already been freed. This can lead to memory corruption, potentially allowing for arbitrary code execution or causing a kernel panic.
The vulnerability can be reproduced by sending TCP packets over a wireless connection managed by the affected iwlwifi driver. The packets should be segmented using TCP segmentation offload, which will create a scenario where the skb (socket buffer) can be double-freed. This can be done by using a tool that generates TCP traffic, such as iperf, while the wireless driver is active.
Users can upgrade to the patched version of the Linux kernel, which is available in the official Linux kernel repositories. Instructions for upgrading the kernel can be found in the documentation for the specific Linux distribution in use.
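To decide which hosts need the upgrade, the following added example (not part of the original advisory or of the kernel project) checks a kernel release string against the affected range listed above and looks for the iwlmvm module, which is the part of the iwlwifi driver that contains iwl_mvm_tx_skb_sta. The function names are illustrative, and the check assumes upstream version numbering: a distribution kernel inside the range may already carry a backported fix, so treat a match as a prompt to check the vendor's advisory.

```shell
#!/bin/sh
# Added example: host triage for the affected range listed on this page
# (>= 5.19.0, < 5.19.8). Function names are illustrative, not from any tool.

# Return 0 if a release string (as printed by `uname -r`) is in the range.
# Distro suffixes are stripped, so -rcN builds count as their base version.
kernel_in_affected_range() {
    rel=${1%%[-+_]*}                    # 5.19.7-arch1-1 -> 5.19.7
    major=${rel%%.*}
    rest=${rel#*.}
    [ "$rest" = "$rel" ] && return 1    # no minor component: cannot classify
    minor=${rest%%.*}
    case $rest in
        *.*) patch=${rest#*.}; patch=${patch%%.*} ;;
        *)   patch=0 ;;                 # "5.19" means 5.19.0
    esac
    case "$major.$minor.$patch" in
        *[!0-9.]*|.*|*..*|*.) return 1 ;;   # empty or non-numeric field
    esac
    [ "$major" -eq 5 ] && [ "$minor" -eq 19 ] && [ "$patch" -lt 8 ]
}

# Return 0 if iwlmvm (the iwlwifi module that holds iwl_mvm_tx_skb_sta) is
# listed in a /proc/modules-format file. A built-in driver is not listed.
iwlmvm_loaded() {
    modfile=${1:-/proc/modules}
    [ -r "$modfile" ] || return 1
    while read -r name unused; do
        [ "$name" = iwlmvm ] && return 0
    done < "$modfile"
    return 1
}

# Print a one-line verdict; both arguments default to the running host.
triage() {
    krel=${1:-$(uname -r)}
    if ! kernel_in_affected_range "$krel"; then
        echo "$krel: outside 5.19.0-5.19.7"
    elif iwlmvm_loaded "${2:-/proc/modules}"; then
        echo "$krel: in affected range, iwlmvm loaded"
    else
        echo "$krel: in affected range, iwlmvm not loaded"
    fi
}

triage
```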