Linux Kernel Shift Wrapping Vulnerability in rtw89 Wireless Driver

Vulnerability

A vulnerability in the Linux kernel's rtw89 wireless driver can lead to shift wrapping, potentially causing out-of-bounds access. It arises in the 'rtw89_core_mlsr_switch' function, where the 'link_id' value, supplied by the user via debugfs, can exceed BITS_PER_LONG. A shift by such an oversized value wraps and can result in invalid memory access. The issue is mitigated by the fact that only root users can write to debugfs files.

Impact

Exploitation of this vulnerability could cause memory access errors, including out-of-bounds reads or writes, which could in turn allow arbitrary code execution or a denial-of-service condition.

Reproduction

The vulnerability can be reproduced by writing a 'link_id' value greater than BITS_PER_LONG to a debugfs file, which will cause a shift wrapping effect. This can be done by a root user, as only root has the permission to write to debugfs files.
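
The wrap described above, shown as an added userspace illustration (this is not the rtw89 driver's code or its fix): a bitmap validity test on an unchecked id accepts an oversized value, while a range check placed before the shift rejects it. MAX_LINKS, the helper names and the sample bitmap are assumptions made for this example.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>

#define BITS_PER_LONG ((unsigned int)(sizeof(unsigned long) * CHAR_BIT))
#define MAX_LINKS 15u /* assumed size of the per-link table in this example */

/*
 * Models a shifter that masks the count (as x86 does for register-width
 * shifts). In C, 1UL << n is undefined for n >= BITS_PER_LONG, so the wrap
 * is spelled out explicitly instead of relying on undefined behaviour.
 */
static unsigned long wrapped_bit(unsigned int n)
{
	return 1UL << (n % BITS_PER_LONG);
}

/* Unchecked pattern: bitmap membership test on the raw, caller-supplied id. */
static int link_valid_unchecked(unsigned long valid_links, unsigned int link_id)
{
	return (valid_links & wrapped_bit(link_id)) != 0;
}

/* Checked pattern: reject the id before it reaches the shift or any index. */
static int link_valid_checked(unsigned long valid_links, unsigned int link_id)
{
	if (link_id >= MAX_LINKS)
		return -EINVAL;
	return (valid_links & (1UL << link_id)) != 0;
}

int main(void)
{
	unsigned long valid_links = 0x3; /* constructed: links 0 and 1 active */
	unsigned int ids[] = { 1, 2, BITS_PER_LONG + 1 };

	for (size_t i = 0; i < sizeof(ids) / sizeof(ids[0]); i++)
		printf("link_id=%u unchecked=%d checked=%d\n", ids[i],
		       link_valid_unchecked(valid_links, ids[i]),
		       link_valid_checked(valid_links, ids[i]));
	return 0;
}
```

With the unchecked test, an id of BITS_PER_LONG + 1 aliases link 1 and is reported as valid even though it lies far outside a MAX_LINKS-sized table; the checked variant returns -EINVAL for it.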

Remediation

Users can update to the latest version of the Linux kernel where this vulnerability has been fixed.

Added: Aug 22, 2025, 4:46 PM
Updated: Aug 22, 2025, 4:46 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 3.8
remediation: 7.7
relevance: 0.4
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.