Linux Kernel ath10k Wireless Driver Use-After-Free Vulnerability

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's ath10k wireless driver. This issue arises when the driver fails to properly manage peer deletion during disconnection operations, leading to memory being accessed after it has been freed. The vulnerability is triggered by the firmware reporting multiple peer mappings for the same peer structure, which can occur when connected to a wireless access point. The problem was detected by KFENCE, a kernel memory error detection tool, and is related to the handling of peer states in the driver's management of wireless connections.

Impact

Exploitation of this vulnerability leads to a use-after-free condition, where the driver accesses memory that has already been freed. This can potentially be exploited to execute arbitrary code or cause a denial-of-service condition by crashing the system.

Reproduction

The vulnerability can be reproduced by connecting to a Wi-Fi access point with a device that uses the ath10k wireless driver. During the connection, the firmware may report multiple peer mappings for the same peer. If a disconnection occurs and the driver fails to properly delete the peer, the vulnerability is triggered. This can be observed in the driver's state management logs, where a peer is reported as deleted but still appears in the peer mapping, indicating that the deletion was not properly handled.
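A simplified user-space model of the bookkeeping failure described above, added here as an illustration and not taken from the ath10k source. All names (`peer_map`, `peer_map_event`, `peer_unmap_single`, `peer_map_cleanup`) and the table size are hypothetical, and the model assumes the stale state is a map entry left pointing at the peer. It compares a teardown that clears one ID with one that clears every entry referencing the peer before it is freed.

```c
#include <stdio.h>
#include <stdlib.h>

#define MAX_PEER_IDS 8                 /* constructed size for the model */

struct peer { int vdev_id; };          /* hypothetical minimal peer object */
static struct peer *peer_map[MAX_PEER_IDS];   /* peer id -> peer pointer */

/* Firmware "map" event; it may arrive more than once for the same peer. */
static void peer_map_event(struct peer *p, int id)
{
    if (id >= 0 && id < MAX_PEER_IDS)
        peer_map[id] = p;
}

/* Flawed teardown: forgets one id only; other ids keep the pointer. */
static void peer_unmap_single(int id)
{
    if (id >= 0 && id < MAX_PEER_IDS)
        peer_map[id] = NULL;
}

/* Hardened teardown: drop every map entry that references the peer. */
static int peer_map_cleanup(const struct peer *p)
{
    int cleared = 0;
    for (int i = 0; i < MAX_PEER_IDS; i++)
        if (peer_map[i] == p) { peer_map[i] = NULL; cleared++; }
    return cleared;
}

/* Number of map entries still pointing at the peer when it is about to be freed. */
static int stale_refs_at_free(int hardened)
{
    struct peer *p = calloc(1, sizeof(*p));
    if (!p) return -1;
    peer_map_event(p, 2);              /* first mapping reported */
    peer_map_event(p, 5);              /* second mapping, same peer */
    if (hardened) peer_map_cleanup(p); else peer_unmap_single(2);
    int stale = peer_map_cleanup(p);   /* count and clear leftovers before free */
    free(p);                           /* safe: no entry references p now */
    return stale;
}

int main(void)
{
    printf("single unmap: %d stale entry(ies)\n", stale_refs_at_free(0));
    printf("full cleanup: %d stale entry(ies)\n", stale_refs_at_free(1));
    return 0;
}
```

In the single-ID path, the entry that survives is the pointer a later lookup would dereference after the free, which is the condition KFENCE reports.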

Remediation

Users can upgrade to the latest version of the Linux kernel, where this vulnerability has been addressed. Instructions for upgrading the kernel can be found in the official Linux documentation.

Added: Dec 30, 2025, 4:45 PM
Updated: Dec 30, 2025, 4:45 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 7.5
exploitability: 5.7
remediation: 7.7
relevance: 1.8
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.