Linux Kernel ath11k Uninitialized Peer Fragment Handling Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in the Linux kernel's ath11k wireless driver. The issue arises when the maximum number of virtual access point interfaces is active across all bands and hostapd is restarted every 60 seconds. Under these conditions, a fragmented packet can be mistakenly sent to an uninitialized peer. The fragment handling code then encounters a null pointer, and the resulting exception crashes the driver. The vulnerability has been addressed by adding a check that the peer's data path setup is complete before fragments are processed, which prevents the crash.
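
The check described above, shown as a small userspace model. This is an added example, not code from the ath11k driver or the kernel patch; every struct, field and function name is hypothetical, and the peer is assumed to be zero-initialized when it is created.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>

/* Userspace model only: every name here is hypothetical, not ath11k code. */
#define MODEL_NUM_TIDS 4

struct model_frag_state { unsigned int frags_seen; }; /* per-TID reassembly state */

struct model_peer {
    bool dp_setup_done;  /* published only after setup has fully completed */
    struct model_frag_state *frag[MODEL_NUM_TIDS]; /* NULL until setup runs */
};

/* Teardown (e.g. on interface restart): clear the flag first, then free. */
void model_peer_dp_teardown(struct model_peer *peer)
{
    peer->dp_setup_done = false;
    for (int i = 0; i < MODEL_NUM_TIDS; i++) {
        free(peer->frag[i]);
        peer->frag[i] = NULL;
    }
}

/* Data path setup: allocate per-TID state, then mark the peer as ready. */
int model_peer_dp_setup(struct model_peer *peer)
{
    for (int i = 0; i < MODEL_NUM_TIDS; i++) {
        peer->frag[i] = calloc(1, sizeof(*peer->frag[i]));
        if (!peer->frag[i]) {
            model_peer_dp_teardown(peer); /* never leave a half-built peer */
            return -ENOMEM;
        }
    }
    peer->dp_setup_done = true;
    return 0;
}

/* Fragment handler: drop fragments for peers whose setup is not complete. */
int model_rx_fragment(struct model_peer *peer, unsigned int tid)
{
    if (!peer || tid >= MODEL_NUM_TIDS)
        return -EINVAL;
    if (!peer->dp_setup_done)
        return -ENOENT; /* without this guard, frag[tid] below is NULL */
    peer->frag[tid]->frags_seen++;
    return 0;
}
```

The model is single-threaded and does not represent the driver's locking; it only shows that a fragment arriving before setup, or after teardown, is dropped with an error instead of reaching the null per-TID state.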

Impact

Exploitation of this vulnerability can lead to random crashes of the wireless driver, causing a denial-of-service condition by disrupting network connectivity.

Reproduction

To reproduce this vulnerability, configure the maximum number of virtual access point interfaces on a device using the IPQ8074 hardware platform. Ensure that hostapd is set to restart every 60 seconds. During this process, fragmented packets may be sent to uninitialized peers, causing the driver to crash.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been patched. Instructions for downloading the updated kernel can be found on the official Linux kernel website.

Added: Dec 9, 2025, 4:43 PM
Updated: Dec 9, 2025, 4:43 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 1.3
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.