Linux Kernel MT76 MT7921 USB SDIO Header Handling Vulnerability Causes Kernel Panic

A vulnerability in the Linux kernel's handling of SDIO headers for the MT7921 wireless driver can lead to kernel panics. This issue arises in certain system configurations when the driver assumes there is enough headroom in the socket buffer (skb) for SDIO headers. The assumption is usually met when the skb is allocated for transmission via the MT7921 network device. However, it can fail when the skb comes from the receive path of another network device and is passed to MT7921, such as through the bridge layer. The vulnerability has been observed on Intel Atom-based x86 systems and ARM-based Raspberry Pi 1 systems, but not all configurations are affected.

Impact

The vulnerability can be exploited to cause a kernel panic, disrupting system operations and potentially leading to a denial of service.

Reproduction

The vulnerability can be reproduced by bridging an MT7921AU-based USB 802.11ax interface with an Ethernet interface on an affected system. If the receiving network device does not provide sufficient headroom in its received socket buffers, the MT7921 driver will panic when it tries to prepend the necessary bytes for the SDIO headers. This issue has been consistently reproducible on Raspberry Pi 1 systems running Raspberry Pi OS Lite 2023-02-21 with kernel 6.1.24+, as well as on Intel Atom-based x86 systems using the onboard RTL8169 PCI Ethernet adapter.

Remediation

Users can upgrade to the patched version of the Linux kernel, which includes the necessary fix. Instructions for downloading the latest stable kernel can be found on the official Linux kernel website.