Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A memory corruption vulnerability has been identified in the Linux kernel's RS911x WiFi driver, specifically in the handling of the 'struct ieee80211_vif'. The issue arises because the RS911x driver does not properly set the size of the virtual interface (vif) driver data, leading to a lack of allocated space for necessary driver information. This oversight allows the driver to overwrite adjacent memory, causing corruption and potential system crashes. The vulnerability can be triggered by bringing the wireless interface up and down, which activates the flawed memory handling.
Exploitation of this vulnerability leads to memory corruption, causing a crash when the corrupted memory is accessed.
The vulnerability can be reproduced by booting the machine with 'init=/bin/sh', mounting 'devtmpfs', 'sysfs', and 'procfs', and then bringing the 'wlan0' interface up and down. This sequence of actions triggers the memory corruption and subsequent crash.
The vulnerability has been addressed by modifying the RS911x driver to correctly set the size of the vif driver data, ensuring that adequate memory is allocated for driver-specific information. Users should update to the latest version of the Linux kernel where this fix is applied.
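The missing size and its fix can be seen in a small user-space model. This is an added example, not code from the kernel or the RS911x driver: every `model_*` name and the private struct's fields are hypothetical, and only `vif_data_size` and `drv_priv` mirror real mac80211 field names. The out-of-bounds write is replaced by a bounds check so the model reports the problem rather than corrupting memory.

```c
/* User-space model of the allocation pattern; constructed for illustration,
 * not kernel or driver code. All model_* names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct model_hw { size_t vif_data_size; };    /* size the driver declares */
struct model_vif {
    int type;
    size_t priv_len;                          /* model-only bookkeeping */
    unsigned char drv_priv[];                 /* driver-private area */
};
struct model_drv_priv { int ht_enabled; unsigned short seq; };

/* The stack allocates the core struct plus whatever the driver declared. */
struct model_vif *model_vif_alloc(const struct model_hw *hw)
{
    struct model_vif *vif = calloc(1, sizeof(*vif) + hw->vif_data_size);
    if (vif)
        vif->priv_len = hw->vif_data_size;
    return vif;
}

/* Bounds-checked stand-in for the driver's write into drv_priv.
 * Returns 0 on success, -1 if the write would run past the allocation. */
int model_drv_init_priv(struct model_vif *vif)
{
    struct model_drv_priv init = { .ht_enabled = 1, .seq = 0 };
    if (vif->priv_len < sizeof(init))
        return -1;   /* without this check, adjacent memory is overwritten */
    memcpy(vif->drv_priv, &init, sizeof(init));
    return 0;
}

/* One interface-up cycle with the given declared size; -2 on alloc failure. */
int model_bring_up(size_t declared_size)
{
    struct model_hw hw = { .vif_data_size = declared_size };
    struct model_vif *vif = model_vif_alloc(&hw);
    int rc = vif ? model_drv_init_priv(vif) : -2;
    free(vif);
    return rc;
}

int main(void)
{
    printf("size unset: %d, size set: %d\n", model_bring_up(0),
           model_bring_up(sizeof(struct model_drv_priv)));
    return 0;
}
```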