Linux Kernel Linked List Corruption Vulnerability in Wi-Fi MT76 Driver

Vulnerability

A vulnerability has been identified in the Linux kernel's Wi-Fi MT76 driver, specifically related to improper management of linked list entries. The issue arises when scheduled wireless client ID (WCID) entries are left on a temporary, on-stack list, leading to potential list corruption. This vulnerability affects the Linux kernel stable tree.

Impact

Exploitation of this vulnerability can cause linked list corruption, which may disrupt the normal operation of the Wi-Fi MT76 driver and potentially lead to undefined behavior in the kernel.

Reproduction

The vulnerability can be reproduced by scheduling WCID entries for off-channel transmission without properly managing their state in the linked list. This can be done by triggering the 'mt76_txq_schedule_pending' function in the MT76 Wi-Fi driver, which handles the transmission queue for WCID entries. The function can be called when a WCID has pending transmissions scheduled, particularly off-channel ones. If the function does not manage the linked list entries correctly, it leaves scheduled WCID entries on the temporary on-stack list, causing corruption.
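The failure mode described above, as an added userspace C model; it is not the mt76 driver's code and not the upstream patch. The list helpers, the `blocked` flag, `schedule_pending` and `reachable_after` are hypothetical names, and the early exit on a blocked entry is an assumed trigger chosen to show entries being stranded on the on-stack list beside a variant that splices them back.

```c
#include <stddef.h>
/* Userspace stand-ins for the kernel list API; all names here are hypothetical. */
struct list_head { struct list_head *next, *prev; };
struct wcid { int blocked; struct list_head tx_list; };
static void list_init(struct list_head *h) { h->next = h->prev = h; }
static int list_empty(const struct list_head *h) { return h->next == h; }
static void list_add_tail(struct list_head *n, struct list_head *h) {
    n->prev = h->prev; n->next = h; h->prev->next = n; h->prev = n;
}
static void list_del_init(struct list_head *n) {
    n->prev->next = n->next; n->next->prev = n->prev; list_init(n);
}
/* Move every entry of 'from' to the tail of 'to' and leave 'from' empty. */
static void list_splice_tail_init(struct list_head *from, struct list_head *to) {
    if (list_empty(from)) return;
    from->next->prev = to->prev; to->prev->next = from->next;
    from->prev->next = to;       to->prev = from->prev;
    list_init(from);
}

/* Drain 'pending' through an on-stack list, stopping at the first blocked entry.
 * restore == 0 models the bug: unvisited entries stay linked to 'local', which
 * dies on return. restore != 0 splices them back. Returns entries processed. */
static int schedule_pending(struct list_head *pending, int restore) {
    struct list_head local; int done = 0;
    list_init(&local);
    list_splice_tail_init(pending, &local);
    while (!list_empty(&local)) {
        struct wcid *w = (struct wcid *)((char *)local.next - offsetof(struct wcid, tx_list));
        if (w->blocked) break;          /* early exit with entries still queued */
        list_del_init(&w->tx_list);
        done++;
    }
    if (restore) list_splice_tail_init(&local, pending);
    return done;
}

/* Constructed input: four entries, the third blocked. Returns how many are
 * still reachable from the long-lived list after one scheduling pass. */
static int reachable_after(int restore) {
    struct wcid w[4];
    struct list_head pending, *p; int i, n = 0;
    list_init(&pending);
    for (i = 0; i < 4; i++) { w[i].blocked = (i == 2); list_add_tail(&w[i].tx_list, &pending); }
    schedule_pending(&pending, restore);
    for (p = pending.next; p != &pending; p = p->next) n++;
    return n;
}
```

In the variant without the splice, the two unprocessed entries keep `next`/`prev` pointers into a stack frame that no longer exists, so any later unlink or re-add of those entries writes through stale pointers.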

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been addressed. The specific commit that resolves this issue is 49fba87205bec14a0f6bd997635bf3968408161e.

Added: Oct 1, 2025, 8:27 AM
Updated: Oct 1, 2025, 8:27 AM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 0.6
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.