Linux Kernel WiFi RTW89 Driver Use-After-Free Vulnerability in TX Wait Handling

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's WiFi RTW89 driver, specifically within the function 'rtw89_core_tx_kick_off_and_wait()'. This vulnerability arises when the function attempts to access 'skb_data' that has already been freed, leading to a write operation on invalid memory. The issue is a result of a race condition between the completion signaling and waiting processes, where the freeing of 'skb_data' can occur before the waiting process has fully completed, potentially causing memory corruption or other unintended behavior.

Impact

Exploitation of this vulnerability can lead to memory corruption, allowing for potential arbitrary code execution or causing a system crash.

Reproduction

The vulnerability can be reproduced by initiating a WiFi scan using the RTW89 driver while simultaneously sending a null function packet. This creates a race condition where the 'rtw89_core_tx_kick_off_and_wait()' function tries to access 'skb_data' that has been freed by the 'rtw89_pci_tx_status()' callback, which is called when the transmission of the packet is completed. The 'RTW89_TX_WAIT_WORK_TIMEOUT' constant, set to 500 milliseconds, can be adjusted to manipulate the timing of the race condition, making it easier to reproduce the vulnerability.

Remediation

Users can update to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for downloading the patched version can be found in the Linux Kernel documentation.
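The ownership rule that closes this kind of race, as an added example (a userspace model written for this page, not the upstream kernel patch or rtw89 code): the waiter and the completion callback each hold a reference to the wait state, and whichever side finishes last frees it. The names `tx_wait`, `complete_tx`, `finish_wait` and `run_order` are hypothetical, and the two sides are replayed in both orders on one thread so the outcome is deterministic.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdlib.h>

/* Hypothetical stand-in for the per-packet wait state (the advisory's skb_data). */
struct tx_wait {
    atomic_int refs;   /* one reference each: waiter and completion callback */
    atomic_bool done;  /* set by the completion side */
    bool tx_ok;        /* result written by the completion side */
};
static int frees;      /* counts frees so callers can check "exactly once" */

static void tx_wait_put(struct tx_wait *w)
{
    /* Only the side that drops the last reference frees the object. */
    if (atomic_fetch_sub(&w->refs, 1) == 1) {
        free(w);
        frees++;
    }
}

/* Completion side (models the TX status callback): publish result, then put. */
static void complete_tx(struct tx_wait *w, bool ok)
{
    w->tx_ok = ok;
    atomic_store(&w->done, true);
    tx_wait_put(w);
}

/* Waiter side after wake-up or timeout: 0 = sent, -1 = failed, -2 = timed out. */
static int finish_wait(struct tx_wait *w)
{
    int ret = !atomic_load(&w->done) ? -2 : (w->tx_ok ? 0 : -1);
    tx_wait_put(w);
    return ret;
}

/* Replay one ordering of the two sides; -3 means allocation failure. */
int run_order(bool completion_first, bool ok)
{
    struct tx_wait *w = calloc(1, sizeof(*w));
    int ret;
    if (!w) return -3;
    atomic_init(&w->refs, 2);
    if (completion_first) { complete_tx(w, ok); ret = finish_wait(w); }
    else                  { ret = finish_wait(w); complete_tx(w, ok); }
    return ret;
}
int main(void) { return (run_order(true, true) == 0 && run_order(false, true) == -2 && frees == 2) ? 0 : 1; }
```

In the timed-out ordering the completion side still writes its result after the waiter has returned, and that write lands in live memory because the waiter's put was not the last one.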

Added: Oct 15, 2025, 8:18 AM
Updated: Oct 15, 2025, 8:18 AM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 5.3
remediation: 7.7
relevance: 0.7
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.