Linux Kernel mac80211 S1G Capability Length Handling Vulnerability

Vulnerability

A vulnerability in the Linux kernel's mac80211 Wi-Fi handling has been addressed. The S1G capability element was not counted in scan_ies_len, so buffer length validation failed in ieee80211_prep_hw_scan(). That failure triggered a warning in __ieee80211_start_scan() and disrupted the hardware scanning process. The fix ensures that the S1G capability length is correctly accounted for.
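The length accounting described above, as an added user-space model that is not kernel source and not part of the original advisory: a budget in the role of scan_ies_len is computed up front, and building the scan elements fails when the S1G capability element was left out of it. The struct, function names, element ID, sizes and the sample device are assumptions made for this model.

```c
/* User-space model of the length accounting; not kernel code. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ELEM_HDR    2   /* element ID octet + length octet */
#define S1G_CAP_ID  217 /* element ID, assumed for this model */
#define S1G_CAP_LEN 15  /* element body size, assumed for this model */
struct hw_model { size_t other_ies_len; int has_s1g; };

/* Up-front budget in the role of scan_ies_len; count_s1g == 0 is the unfixed accounting. */
static size_t scan_ies_budget(const struct hw_model *hw, int count_s1g)
{
    size_t len = hw->other_ies_len;
    if (hw->has_s1g && count_s1g)
        len += ELEM_HDR + S1G_CAP_LEN;
    return len;
}

/* Build the scan elements into buf; -1 when they exceed cap. */
static int build_scan_ies(const struct hw_model *hw, uint8_t *buf, size_t cap)
{
    size_t pos = hw->other_ies_len;
    if (pos > cap)
        return -1;
    memset(buf, 0, pos);             /* stand-in for the other elements */
    if (hw->has_s1g) {
        if (cap - pos < ELEM_HDR + S1G_CAP_LEN)
            return -1;               /* length validation fails */
        buf[pos++] = S1G_CAP_ID;
        buf[pos++] = S1G_CAP_LEN;
        memset(buf + pos, 0, S1G_CAP_LEN);
        pos += S1G_CAP_LEN;
    }
    return (int)pos;
}

/* One scan preparation: size the buffer from the budget, then build. */
static int prep_scan(const struct hw_model *hw, int count_s1g)
{
    uint8_t buf[256];
    size_t cap = scan_ies_budget(hw, count_s1g);
    return cap > sizeof(buf) ? -1 : build_scan_ies(hw, buf, cap);
}

int main(void)
{
    struct hw_model s1g = { 40, 1 };  /* constructed sample device */
    return printf("unfixed: %d, fixed: %d\n", prep_scan(&s1g, 0), prep_scan(&s1g, 1)) < 0;
}
```

A device without S1G support gets the same result under either accounting, which matches the advisory's point that only S1G-capable hardware hits the failed scan.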

Impact

The vulnerability caused a denial of service by disrupting the normal functioning of hardware scanning in Wi-Fi operations.

Reproduction

The vulnerability could be reproduced by using a Wi-Fi device that supports the S1G capability but is running a version of the Linux kernel that does not properly account for this capability in the scanning process. This would lead to a buffer length validation failure, causing the hardware scan to malfunction.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for upgrading the Linux kernel can be found in the official Linux documentation.

Added: Oct 9, 2025, 10:19 AM
Updated: Oct 9, 2025, 4:11 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 0.7
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.