Linux Kernel ath11k REO Destination Ring SKB Corruption Vulnerability

Vulnerability

A vulnerability in the Linux kernel's ath11k wireless driver, involving corruption of socket buffer (SKB) data in the Receive Engine Offload (REO) destination ring, has been addressed. The issue arose after prolonged traffic, when an invalid receive descriptor filled with zeros was received. The flaw caused the wrong SKB to be fetched, leading to memory corruption and eventual system crashes. The fix changes the starting ID for SKB allocation, reserves the zero ID for error validation, and adds a sanity check that validates descriptors before SKBs are processed.
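The following userspace model is an added example, not code from the ath11k driver or the kernel patch. It shows why a zero-filled descriptor resolves to a live buffer when IDs start at 0, and why it is dropped once ID 0 is reserved and descriptors are validated. All names, the table size and the cookie layout are assumptions made for the illustration.

```c
/* Userspace model of the fix described above. Added example, not ath11k
 * source; every name and the cookie layout are assumptions. */
#include <stdint.h>
#include <stdio.h>

#define RING_SLOTS  8        /* constructed table size */
#define BUF_ID_MASK 0xffffu  /* assumed: low cookie bits carry the buffer ID */

struct rx_buf  { int in_use; uint32_t payload; };
struct rx_ring { struct rx_buf slots[RING_SLOTS]; unsigned first_id; };

/* Hand out the lowest free ID at or above first_id; -1 when the table is full. */
static int rx_buf_alloc(struct rx_ring *r, uint32_t payload)
{
    for (unsigned id = r->first_id; id < RING_SLOTS; id++) {
        if (!r->slots[id].in_use) {
            r->slots[id].in_use = 1;
            r->slots[id].payload = payload;
            return (int)id;
        }
    }
    return -1;
}

/* Map a ring descriptor's cookie to its buffer. With validate set, an ID
 * below first_id (what an all-zero descriptor decodes to) is dropped. */
static struct rx_buf *rx_buf_from_cookie(struct rx_ring *r, uint32_t cookie,
                                         int validate)
{
    unsigned id = cookie & BUF_ID_MASK;
    if (validate && id < r->first_id)
        return NULL;                 /* reserved ID: invalid descriptor */
    if (id >= RING_SLOTS || !r->slots[id].in_use)
        return NULL;                 /* unknown ID */
    return &r->slots[id];
}

int main(void)
{
    struct rx_ring before = { .first_id = 0 }, after = { .first_id = 1 };

    rx_buf_alloc(&before, 0xAAAA);   /* gets ID 0 */
    rx_buf_alloc(&after, 0xAAAA);    /* gets ID 1 */
    /* Constructed input: a descriptor filled with zeros, so cookie == 0. */
    printf("before: %s\n", rx_buf_from_cookie(&before, 0, 0) ? "live buffer" : "dropped");
    printf("after:  %s\n", rx_buf_from_cookie(&after, 0, 1) ? "live buffer" : "dropped");
    return 0;
}
```

In the "before" ring the zero cookie returns the buffer that happens to own ID 0, which models the wrong SKB being fetched; in the "after" ring the same cookie is rejected before any buffer is touched.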

Impact

The vulnerability could lead to memory corruption of SKB data, causing system crashes after a period of time.

Reproduction

The vulnerability can be reproduced by running traffic for an extended duration on a system with the affected ath11k driver. This will randomly trigger the reception of an invalid RX descriptor from the REO destination ring, which will then cause SKB memory corruption and a subsequent crash.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for downloading the patched version are available on the official Linux kernel website.

Added: Sep 16, 2025, 5:55 PM
Updated: Sep 16, 2025, 5:55 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 0.5
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.