Linux Kernel ath9k Wireless Driver Use-After-Free Vulnerability in USB High-Speed Interface

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's ath9k wireless driver, specifically within the USB high-speed interface handling. The issue arises in the 'ath9k_hif_usb_reg_in_cb' callback function, where a socket buffer (skb) can be freed prematurely. If the 'ath9k_htc_rx_msg' function frees the skb and 'usb_submit_urb' subsequently fails, the callback's error path frees the same skb a second time, leading to a use-after-free condition. Additionally, if 'alloc_skb' fails, 'urb->context' is set to NULL without freeing the 'rx_buf', causing a memory leak. This vulnerability affects several versions of the Linux kernel.

Impact

Triggering this vulnerability causes a use-after-free condition, which can result in memory corruption and potentially allow arbitrary code execution.

Reproduction

The vulnerability can be reproduced by using a Linux kernel version that includes the affected ath9k driver. When a URB on the driver's USB 'reg_in' path completes, the 'ath9k_hif_usb_reg_in_cb' callback is invoked. If the 'ath9k_htc_rx_msg' function frees the socket buffer and 'usb_submit_urb' then fails, the callback frees the already-freed buffer again, creating a use-after-free situation. Separately, causing 'alloc_skb' to fail leaves the 'rx_buf' unfreed, which produces the memory leak.

Remediation

Users can upgrade to the latest stable version of the Linux kernel, where this vulnerability has been addressed. The official Linux kernel Git repository contains the patched version.
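The ownership mistake described above can be modelled in userspace, as an added example that is not the kernel's code or the upstream patch. All names are hypothetical stand-ins, frees are counted rather than performed, and the "hardened" branch is one assumed way to keep ownership straight.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model; all names are hypothetical stand-ins, not kernel code. */
struct skb { int frees; };            /* counts free calls instead of freeing */
struct rx_buf { struct skb *skb; bool freed; };
struct result { int old_skb_frees; bool rx_buf_leaked; };

static void free_skb(struct skb *s) { if (s) s->frees++; }
/* Assumption: the message handler always consumes (frees) the skb it is given. */
static void rx_msg(struct skb *s) { free_skb(s); }

/* One run of the completion callback with injected failures (constructed). */
static struct result run_cb(bool hardened, bool alloc_ok, bool submit_ok)
{
    struct skb old = {0}, fresh = {0};
    struct rx_buf rx = { &old, false };
    struct skb *skb = rx.skb, *nskb;

    rx_msg(skb);                      /* ownership of skb passes to the handler */
    if (hardened)
        skb = NULL;                   /* drop the stale pointer immediately */

    nskb = alloc_ok ? &fresh : NULL;  /* models alloc_skb() */
    if (!nskb) {
        if (hardened)
            rx.freed = true;          /* release rx_buf before giving up */
        goto out;                     /* weak path: context cleared, rx_buf kept */
    }
    rx.skb = nskb;
    if (hardened)
        skb = nskb;                   /* error path frees only what is still owned */

    if (!submit_ok) {                 /* models usb_submit_urb() failing */
        free_skb(skb);                /* weak path: skb is the consumed buffer */
        rx.freed = true;
    }
out:    /* rx_buf is leaked if it was neither freed nor resubmitted with the URB */
    return (struct result){ old.frees, !rx.freed && !(alloc_ok && submit_ok) };
}

int main(void)
{
    printf("submit fails: old skb freed %d times (weak), %d (hardened)\n",
           run_cb(false, true, false).old_skb_frees,
           run_cb(true, true, false).old_skb_frees);
    printf("alloc fails: rx_buf leaked %d (weak), %d (hardened)\n",
           run_cb(false, false, true).rx_buf_leaked,
           run_cb(true, false, true).rx_buf_leaked);
    return 0;
}
```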

Added: Dec 30, 2025, 5:42 PM
Updated: Dec 30, 2025, 5:42 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 0.6
exploitability: 5.7
remediation: 7.7
relevance: 1.8
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.