Linux Kernel mac80211 Fast-RX Result Overwrite Vulnerability

Vulnerability

A vulnerability in the Linux kernel's mac80211 wireless subsystem has been addressed. The function ieee80211_invoke_fast_rx() was not safe under concurrent execution: it declared its per-invocation result variable as static, so a single instance was shared between concurrent callers. One call could therefore overwrite the result of another, potentially causing packets to be mishandled in the mesh networking context. The vulnerability affected the Linux kernel stable tree.

Impact

The vulnerability could lead to incorrect packet processing in mesh networking, allowing packets to be improperly queued or consumed, potentially causing data loss or communication errors.

Reproduction

The vulnerability can be reproduced by invoking the ieee80211_invoke_fast_rx() function concurrently from multiple threads or processes. This can be done by simulating parallel reception of wireless mesh data, which will cause the static result variable to be shared and overwritten between invocations. As a result, packets may be incorrectly processed, either falling through to lower layers of the networking stack or being prematurely returned as queued.

Remediation

The vulnerability has been fixed by changing the declaration of the result variable in ieee80211_invoke_fast_rx() from static to automatic, ensuring that each invocation maintains its own result. Users should upgrade to the latest version of the Linux kernel stable tree where this fix has been applied.
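
The static-versus-automatic difference described above, as an added example that is not the kernel's code: a single-threaded C model in which a callback stands in for a second caller entering the function between the write and the read of the result. All names here (fast_rx_static, fast_rx_auto, RES_QUEUED, RES_CONTINUE, struct pkt) are hypothetical, and the packets are constructed sample input.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical result codes and packet type; not the kernel's definitions. */
enum rx_res { RES_CONTINUE, RES_QUEUED };
struct pkt { bool forward; };          /* constructed sample input */

static enum rx_res classify(const struct pkt *p)
{
    return p->forward ? RES_QUEUED : RES_CONTINUE;
}

/* Flawed shape: one static slot holds the result for every caller. */
static bool fast_rx_static(const struct pkt *p, void (*window)(void))
{
    static enum rx_res res;
    res = classify(p);
    if (window)
        window();                      /* a second caller runs here */
    return res == RES_QUEUED;          /* true = packet reported as queued */
}

/* Fixed shape: automatic storage, so each invocation owns its result. */
static bool fast_rx_auto(const struct pkt *p, void (*window)(void))
{
    enum rx_res res = classify(p);
    if (window)
        window();
    return res == RES_QUEUED;
}

static struct pkt other;               /* packet seen by the second caller */
static void second_static(void) { fast_rx_static(&other, NULL); }
static void second_auto(void)   { fast_rx_auto(&other, NULL); }

/* What the first caller gets for its own packet while a second caller
 * handles a packet of the opposite kind inside the window. */
bool first_caller(bool fixed, bool forward)
{
    struct pkt mine = { forward };
    other.forward = !forward;
    return fixed ? fast_rx_auto(&mine, second_auto)
                 : fast_rx_static(&mine, second_static);
}

int main(void)
{
    printf("static: %d %d  auto: %d %d\n", first_caller(false, false),
           first_caller(false, true), first_caller(true, false), first_caller(true, true));
    return 0;
}
```

With the static variable the first caller receives the second caller's verdict in both directions; with the automatic variable it always receives its own.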

Added: May 28, 2026, 1:10 PM
Updated: May 28, 2026, 1:10 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 1.3
exploitability: 5.3
remediation: 7.7
relevance: 9.2
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.