Linux Kernel ath12k Wireless Driver Out-of-Bounds Access Vulnerability

Vulnerability

A vulnerability in the Linux kernel's ath12k wireless driver can lead to an out-of-bounds access of a peer's RX traffic identifier (TID) array. In the error-handling path that runs when the RX peer fragment setup fails, the TID index is not decremented before the peer's RX TIDs are cleaned up, so the cleanup runs with a TID value that lies outside the array. The resulting invalid memory access can cause undefined behavior or memory corruption in the kernel.

Impact

The vulnerability could be exploited to cause out-of-bounds memory access, which can lead to memory corruption or undefined behavior in the kernel.

Reproduction

The vulnerability can be reproduced by making the RX peer fragment setup fail in the ath12k wireless driver, for example by simulating a failure in the setup of the fragment defragmentation context. This enters the error-handling path in which the TID is not decremented before the peer cleanup, and the out-of-bounds access to the peer's RX TID array can then be observed.
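The following is an added, constructed model of the error-handling pattern described in the Vulnerability and Reproduction sections; it is not the ath12k driver's code and the names (`dp_peer_setup`, `peer_rx_frag_setup`, `NUM_TIDS`, `RX_TID_SLOTS`) are assumptions chosen for illustration. The per-TID setup loop exits with its index one past the last slot; if the defragmentation-context setup then fails and the index is not decremented before the reverse cleanup loop, the first cleanup iteration touches a slot beyond the array. The bounds check in `peer_rx_tid_delete` stands in for what a sanitizer such as KASAN would flag in the real kernel, and the `decrement_before_cleanup` flag switches between the flawed and the corrected error path.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed model: one RX TID slot per 802.11 TID, TIDs 0..NUM_TIDS
 * inclusive, so the array has NUM_TIDS + 1 entries. */
#define NUM_TIDS 16                 /* stand-in for IEEE80211_NUM_TIDS (assumption) */
#define RX_TID_SLOTS (NUM_TIDS + 1)

struct rx_tid { bool active; };

struct peer {
	struct rx_tid rx_tid[RX_TID_SLOTS];
	int oob_accesses;               /* instrumentation: cleanup accesses past the array */
};

/* Per-TID setup; always succeeds in this model. */
static int peer_rx_tid_setup(struct peer *peer, int tid)
{
	peer->rx_tid[tid].active = true;
	return 0;
}

/* Per-TID teardown with an explicit bounds check instead of a crash. */
static void peer_rx_tid_delete(struct peer *peer, int tid)
{
	if (tid < 0 || tid >= RX_TID_SLOTS) {
		peer->oob_accesses++;       /* this is the out-of-bounds access */
		return;
	}
	peer->rx_tid[tid].active = false;
}

/* Defragmentation-context setup; fails on request to model the error path. */
static int peer_rx_frag_setup(bool fail)
{
	return fail ? -1 : 0;
}

/* Sets up all RX TIDs, then the fragment context. Returns the number of
 * out-of-bounds slots the cleanup touched (0 on success or correct cleanup).
 * decrement_before_cleanup == false reproduces the flawed error handling. */
static int dp_peer_setup(struct peer *peer, bool frag_fails, bool decrement_before_cleanup)
{
	int tid;

	memset(peer, 0, sizeof(*peer));

	for (tid = 0; tid <= NUM_TIDS; tid++) {
		if (peer_rx_tid_setup(peer, tid))
			goto peer_clean;        /* tid is the slot that failed; still in range */
	}
	/* Normal loop exit: tid == NUM_TIDS + 1, one past the last valid slot. */

	if (peer_rx_frag_setup(frag_fails)) {
		if (decrement_before_cleanup)
			tid--;                  /* back to the last slot that was actually set up */
		goto peer_clean;
	}
	return 0;

peer_clean:
	for (; tid >= 0; tid--)         /* reverse cleanup starting at tid */
		peer_rx_tid_delete(peer, tid);
	return peer->oob_accesses;
}

/* Helpers over a shared peer so results can be checked by return value. */
static struct peer g_peer;

static int run_setup(bool frag_fails, bool decrement_before_cleanup)
{
	return dp_peer_setup(&g_peer, frag_fails, decrement_before_cleanup);
}

static int active_slots(void)
{
	int n = 0;
	for (int i = 0; i < RX_TID_SLOTS; i++)
		n += g_peer.rx_tid[i].active;
	return n;
}

int main(void)
{
	printf("frag setup fails, no decrement:   %d out-of-bounds access(es)\n", run_setup(true, false));
	printf("frag setup fails, with decrement: %d out-of-bounds access(es), %d slots left active\n",
	       run_setup(true, true), active_slots());
	printf("frag setup succeeds:              %d out-of-bounds access(es), %d slots active\n",
	       run_setup(false, true), active_slots());
	return 0;
}
```

Without the decrement the first cleanup iteration reads `rx_tid[NUM_TIDS + 1]`; with it, cleanup starts at the last slot that was set up and leaves no slot active, which is the behavior the upstream fix restores. The same reverse-cleanup idiom appears in many kernel drivers, so the check is worth applying wherever a loop index is reused as the starting point of an error-path unwind.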

Remediation

The vulnerability has been addressed in upstream Linux kernel commits. Users can apply the latest patches available in the Linux kernel stable tree to mitigate this issue.

Added: Sep 11, 2025, 6:16 PM
Updated: Sep 11, 2025, 6:16 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 0.5
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.