Linux Kernel ath12k Wi-Fi Driver TID Management Vulnerability

Vulnerability

A vulnerability in the Linux kernel's ath12k Wi-Fi driver has been addressed. The issue involved improper management of Transmission Identifier (TID) values during the setup process. When an error occurred during setup, the TID had been incremented without being properly allocated, and the cleanup path then freed unallocated TIDs, which could lead to crashes or out-of-bounds access. The vulnerability affected several versions of the Linux kernel.

Impact

The vulnerability could lead to system crashes or memory access violations, causing out-of-bounds errors.

Reproduction

The vulnerability can be reproduced by triggering an error during the TID setup process in the ath12k Wi-Fi driver. This can be done by simulating a failure in the 'ath12k_dp_rx_peer_tid_setup()' function, which will cause the TID value to increment without proper allocation. The subsequent cleanup process will then attempt to free the unallocated TID, leading to a crash or out-of-bounds access.
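
The error path described above can be studied in a small user-space model. This is an added example, not the ath12k driver's code or the upstream patch: every name, the table size `NUM_TIDS` and the corrected unwind shown are assumptions, and bad frees are only counted, never performed.

```c
#include <stdio.h>
#define NUM_TIDS 8               /* assumed size of the per-peer TID table */

struct peer_model {
    int allocated[NUM_TIDS];     /* 1 once setup for that TID succeeded */
    int bad_frees;               /* frees of a TID that was never set up */
};

/* Stand-in for per-TID setup; fails at fail_at (-1 means it never fails). */
static int tid_setup(struct peer_model *p, int tid, int fail_at)
{
    if (tid == fail_at)
        return -1;
    p->allocated[tid] = 1;
    return 0;
}

/* Stand-in for per-TID teardown; counts invalid frees instead of doing them. */
static void tid_free(struct peer_model *p, int tid)
{
    if (tid < 0 || tid >= NUM_TIDS || !p->allocated[tid])
        p->bad_frees++;
    else
        p->allocated[tid] = 0;
}

/* Sets up every TID and unwinds on failure. fixed == 0 starts the unwind at
 * the TID that failed (the flaw); fixed == 1 steps back first. Returns bad frees. */
static int peer_setup(int fail_at, int fixed)
{
    struct peer_model p = {0};
    int tid;
    for (tid = 0; tid < NUM_TIDS; tid++)
        if (tid_setup(&p, tid, fail_at))
            goto unwind;
    return 0;
unwind:
    if (fixed)
        tid--;                   /* skip the TID that was never allocated */
    for (; tid >= 0; tid--)
        tid_free(&p, tid);
    return p.bad_frees;
}

int main(void)
{
    printf("flawed: %d, fixed: %d bad free(s)\n", peer_setup(3, 0), peer_setup(3, 1));
    return 0;
}
```

In the model the flawed unwind reports one bad free for any failing TID, while the corrected unwind reports none, including when the very first TID fails.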

Remediation

Users can apply the latest patches available in the Linux kernel stable tree to address this vulnerability.

Added: Sep 11, 2025, 6:30 PM
Updated: Sep 11, 2025, 6:30 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 0.5
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.