Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability exists in the Linux kernel's MT76 Wi-Fi driver, specifically in the MT7996 component, due to improper handling of WED (Wireless Enhanced Data) references. The driver can utilize both 'wed' and 'wed_hif2' devices for traffic offloading to and from the wireless NIC. However, the current implementation defaults to the primary WED device, which can lead to a crash when 'wed_hif2' is active, such as on a 6GHz link. This issue causes a kernel read error from an inaccessible memory address, triggering a level 1 translation fault.
Exploitation of this vulnerability leads to a kernel crash, caused by an unreadable memory access, disrupting system operations.
The vulnerability can be reproduced on a device with a MediaTek MT7996 Wi-Fi chip that supports WED offloading. When the 'wed_hif2' device is active, the MT7996 driver incorrectly references the primary WED device during offloading callbacks. The driver then attempts to read from an invalid memory address, which raises a data abort exception and crashes the kernel.
The vulnerability has been addressed in the Linux kernel. Users should upgrade to the latest version where this issue is fixed.