Linux Kernel ath9k Wireless Driver Use-After-Free Vulnerability in USB Disconnect Handler

A use-after-free vulnerability has been identified in the Linux kernel's ath9k wireless driver, specifically within the USB disconnect handler. This issue arises when the function ath9k_destroy_wmi() attempts to access a pointer that has already been freed by ieee80211_free_hw(), which is called during the ath9k_htc_hw_deinit() process. The vulnerability was discovered using a modified version of syzkaller.

Impact

Exploitation of this vulnerability leads to a use-after-free condition, where the driver accesses memory that has already been freed, potentially allowing for arbitrary code execution or memory corruption.

Reproduction

The vulnerability can be reproduced by disconnecting a USB device that is using the ath9k wireless driver. This can be done by unplugging the device or by using a command to simulate the disconnection. The USB hub event will trigger the ath9k_hif_usb_disconnect() function, which will then attempt to access the freed memory, causing the use-after-free vulnerability to manifest.

Remediation

Users can upgrade to the patched version of the Linux kernel where this vulnerability has been addressed. The patch is available in the Linux kernel stable tree.