Linux Kernel ath11k Out-of-Bounds Write Vulnerability via Improper Channel List Handling

Vulnerability

A vulnerability in the Linux kernel's ath11k Wi-Fi driver can lead to an out-of-bounds write. The issue arises when ath11k receives a new channel list and processes it asynchronously: the driver hands the new list to cfg80211, which queues a work item to apply it, but ath11k then pushes the new channels to the firmware immediately, before cfg80211 has finished processing them. The two updates race, and the flaw was observed as a Kernel Address Sanitizer (KASAN) report showing the resulting memory corruption.
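The ordering bug described above, as an added userspace model that is not ath11k or cfg80211 code. The model assumes the firmware parameter buffer is sized from the channel list cfg80211 currently exposes while it is filled from the newly received list; that sizing detail is an illustration of the race, not a claim about the driver's exact code path. The hardened variant pushes to firmware only after the deferred work has run.

```c
/* Constructed model of the race; not kernel code. Names (wiphy, chan_list,
 * fw_params, cfg80211_regd_work) are placeholders chosen for readability. */
#include <stddef.h>

#define MAX_CHANNELS 64

struct chan_list { int n; int freq[MAX_CHANNELS]; };
struct wiphy     { struct chan_list chans; };                 /* owned by cfg80211 */
struct fw_params { int cap; int n; int freq[MAX_CHANNELS]; }; /* pushed to firmware */

/* Deferred cfg80211 work: applies the pending regulatory list to the wiphy. */
static void cfg80211_regd_work(struct wiphy *w, const struct chan_list *pending)
{
    w->chans = *pending;
}

/* Firmware update: sizes its buffer from the wiphy the caller believes is
 * current, then copies the channels it is asked to push. Instead of writing
 * past the buffer (the out-of-bounds write in the real bug) it returns -1. */
static int fw_update_chan_list(struct fw_params *p, const struct wiphy *sized_from,
                               const struct chan_list *src)
{
    p->cap = sized_from->chans.n;
    p->n = 0;
    for (int i = 0; i < src->n; i++) {
        if (p->n >= p->cap)
            return -1;                  /* assumption in this model: overflow point */
        p->freq[p->n++] = src->freq[i];
    }
    return 0;
}

/* Vulnerable ordering: queue the cfg80211 work, then push to firmware at once,
 * while the wiphy still reflects the old list. */
int regd_update_vulnerable(struct wiphy *w, const struct chan_list *new_list,
                           struct fw_params *p)
{
    int rc = fw_update_chan_list(p, w, new_list);  /* work has not run yet */
    cfg80211_regd_work(w, new_list);               /* work runs too late  */
    return rc;
}

/* Fixed ordering: the firmware push happens only after cfg80211 has applied
 * the new list, so buffer size and contents come from the same state. */
int regd_update_fixed(struct wiphy *w, const struct chan_list *new_list,
                      struct fw_params *p)
{
    cfg80211_regd_work(w, new_list);
    return fw_update_chan_list(p, w, &w->chans);
}
```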

Impact

Exploitation of this vulnerability causes memory corruption, specifically a slab-out-of-bounds write, which can lead to undefined behavior including arbitrary code execution or memory disclosure.

Remediation

The vulnerability has been addressed by changing the channel update process so that the firmware is updated only after cfg80211 has fully processed the new channel list. Users should apply the latest Linux kernel patches to mitigate this vulnerability.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 5.0
remediation: 8.3
relevance: 0.0
threat: 3.2
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.