Linux Kernel ath11k NULL Dereference Vulnerability in QMI M3 Load Function

Vulnerability

A NULL pointer dereference vulnerability has been identified in the ath11k wireless driver of the Linux kernel. The issue is in the ath11k_qmi_m3_load() function, where the firmware pointer (fw) remains NULL when the m3_data field points to data. If m3_mem is then not allocated, the NULL fw pointer is dereferenced in the call to the ath11k_err function, leading to a crash. The vulnerability affects several versions of the Linux kernel.
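A user-space model of the flaw described above, added here as an illustration and not taken from the ath11k source or the upstream patch; the struct, field and function names and the fail_alloc hook are assumptions. It puts the flawed error path beside one hardened form that reports the length from a variable that is valid on both branches.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* User-space model with hypothetical names; not the ath11k source. */
struct fw_blob { const void *data; size_t size; };
struct dev_model {
    const void *m3_data;           /* M3 image embedded in the main firmware file */
    size_t m3_len;
    const struct fw_blob *m3_file; /* separate M3 file, used only as a fallback */
    void *m3_mem;                  /* destination buffer */
    int fail_alloc;                /* constructed hook: force the allocation to fail */
};

static int m3_load(struct dev_model *d, int hardened)
{
    const struct fw_blob *fw = NULL;
    const void *src;
    size_t len;

    if (d->m3_mem)
        return 0;                  /* already loaded */
    if (d->m3_data && d->m3_len > 0) {
        src = d->m3_data;          /* fw stays NULL on this branch */
        len = d->m3_len;
    } else {
        fw = d->m3_file;
        if (!fw)
            return -ENOENT;
        src = fw->data;
        len = fw->size;
    }
    d->m3_mem = d->fail_alloc ? NULL : malloc(len);
    if (!d->m3_mem) {
        /* Flawed form reads fw->size, a NULL dereference when the embedded
         * image was used; hardened form reports len, valid on both branches. */
        size_t shown = hardened ? len : fw->size;
        fprintf(stderr, "failed to allocate %zu bytes for M3\n", shown);
        return -ENOMEM;
    }
    memcpy(d->m3_mem, src, len);
    return 0;
}

int m3_load_flawed(struct dev_model *d)   { return m3_load(d, 0); }
int m3_load_hardened(struct dev_model *d) { return m3_load(d, 1); }
```

Calling m3_load_flawed() with an embedded image and a failing allocation is the crashing combination; with a separate M3 file the same error path is harmless because fw is set.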

Impact

Exploitation of this vulnerability causes a NULL pointer dereference, leading to a system crash.

Reproduction

The vulnerability can be reproduced by loading a firmware file that triggers the NULL dereference condition in the ath11k QMI M3 load process. This can be done by using a version of the Linux kernel that includes the vulnerable ath11k driver and by specifying a firmware file that the driver does not properly handle, such as 'firmware-2.bin'.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. The patch is available in the Linux kernel stable tree.

Added: Oct 15, 2025, 8:32 AM
Updated: Oct 15, 2025, 8:32 AM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 0.7
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.