Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability exists in the Linux kernel's ath12k Wi-Fi driver, specifically in how it handles buffer types for packets received on the REO exception ring from unassociated peers. The driver expects link descriptor type packets, but instead receives packets of MSDU buffer type. This mismatch causes the driver to skip further processing of these packets, leading to potential kernel crashes and memory leaks, as the associated socket buffer is not properly freed. The issue has been addressed by updating the RX error handler to discard MSDU buffer type packets from unassociated peers, preventing the processing of invalid packets and enhancing the stability of the RX error handling process.
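The leak pattern described above, as an added user-space model (not ath12k source and not code from this advisory): an error handler that returns early on an unexpected buffer type without releasing the attached buffer, next to a handler that discards such entries. All names (`rx_desc`, `handle_err_before`, `handle_err_after`, `run_ring`) are hypothetical, and `malloc` stands in for socket buffer allocation.

```c
#include <stdio.h>
#include <stdlib.h>
/* User-space model with hypothetical names; this is not ath12k source. */
enum buf_type { BUF_LINK_DESC, BUF_MSDU };
struct rx_desc { enum buf_type type; void *skb; };  /* skb: stand-in buffer */
typedef void (*handler_fn)(struct rx_desc *);
static int live_skbs;  /* allocated and not yet freed */
static int dropped;    /* entries discarded by the fixed handler */
static void free_skb(struct rx_desc *d)
{
    if (d->skb) { free(d->skb); d->skb = NULL; live_skbs--; }
}

/* Before: an entry that is not a link descriptor is skipped, skb never freed. */
static void handle_err_before(struct rx_desc *d)
{
    if (d->type != BUF_LINK_DESC)
        return;              /* leak: nothing releases d->skb */
    free_skb(d);             /* modelled normal path consumes the buffer */
}

/* After: MSDU-type entries are discarded and their buffer released. */
static void handle_err_after(struct rx_desc *d)
{
    if (d->type == BUF_MSDU) {
        dropped++;
        free_skb(d);         /* drop the invalid packet */
        return;
    }
    free_skb(d);             /* modelled normal path, unchanged */
}

/* Feed constructed ring entries through a handler; return buffers leaked. */
static int run_ring(handler_fn h, int n_msdu, int n_link)
{
    live_skbs = dropped = 0;
    for (int i = 0; i < n_msdu + n_link; i++) {
        struct rx_desc d = { i < n_msdu ? BUF_MSDU : BUF_LINK_DESC, malloc(64) };
        live_skbs += (d.skb != NULL);
        h(&d);
    }
    return live_skbs;
}

int main(void)
{
    printf("leaked: before=%d after=%d\n",
           run_ring(handle_err_before, 3, 2), run_ring(handle_err_after, 3, 2));
    return 0;
}
```

In the model, every MSDU-type entry leaks one buffer under the first handler, which is why the leak grows with the number of such packets received.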
The vulnerability can cause kernel crashes and memory leaks due to improper handling of packet buffers, which may disrupt system stability and performance.
To reproduce this vulnerability, send packets of MSDU buffer type from unassociated peers to a device using the affected ath12k Wi-Fi driver. The packets will be routed to the REO exception ring, where the driver will fail to process them correctly, leading to a memory leak as the associated socket buffer is not freed. This can be observed by monitoring the device's memory usage and looking for signs of a kernel crash.
The vulnerability has been fixed in the Linux kernel. Users can apply the latest patches available in the Linux stable tree to address this issue.