Linux Kernel WiFi Driver Out-of-Bounds Access Vulnerability in RTW89 PCI Component

A vulnerability has been identified in the Linux kernel's WiFi driver for the RTW89 PCI component. This issue arises from the driver not properly validating the sequence number in the transmission release report. In rare cases, hardware can report an abnormal sequence number, leading to an out-of-bounds access of the wd_ring->pages array. This flaw causes a NULL pointer dereference, triggering a kernel crash. The vulnerability affects several versions of the Linux kernel, including 6.1.145-17510-g2f3369c91536.

Impact

Exploitation of this vulnerability leads to a kernel NULL pointer dereference, causing a system crash. The error occurs due to an out-of-bounds access in the WiFi driver's transmission release handling, which can be triggered by abnormal sequence numbers reported by the hardware.

Reproduction

The vulnerability can be reproduced by using a WiFi device that employs the RTW89 PCI driver in the Linux kernel. During normal operation, the hardware may occasionally send a transmission release report with an invalid sequence number. The driver fails to validate this sequence number before processing the report, which leads to an out-of-bounds access in the driver's internal data structures. This flaw can be observed by monitoring the system for kernel crashes related to NULL pointer dereferences while the affected WiFi device is in use.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been addressed. The official Linux kernel Git repository includes the necessary patches. Instructions for downloading the patched kernel can be found in the Linux kernel documentation.