CVE-2024-26897: Linux Kernel Vulnerability Resolved in Ath9k Driver Initialization Sequence

In the Linux kernel, a vulnerability has been discovered and resolved in the Ath9k wireless device driver, specifically within the ath9k_wmi_event_tasklet() function. This vulnerability, assigned CVE-2024-26897, allows the tasklet to run against data structures that have not yet been fully initialized.

Details

The Linux kernel uses the ath9k_htc module to handle the Atheros chipset-based WiFi devices. The ath9k_wmi_event_tasklet() function is an essential part of the module that assumes all required data structures have been fully initialized before it runs. However, this assumption proves to be inaccurate due to the order of initialization, which exposes the device to the USB subsystem before the Ath9k driver initialization is completed.

A partial fix for this issue was introduced in commit 8b3046abc99e ("ath9k_htc: fix NULL pointer dereference at ath9k_htc_tx_get_packet()"), which only aborted the WMI_TXSTATUS_EVENTID command in the event tasklet paired with an "initialization complete" bit in the TX struct.

The Exploit

Despite the above-mentioned partial fix, the vulnerability still exists, and it has been reported that syzbot managed to trigger this race for one of the other commands as well. This highlights the need for a more comprehensive solution.

The Proposed Solution

Instead of only addressing the WMI_TXSTATUS_EVENTID command, the existing synchronisation bit should cover the entire tasklet function. This is achieved by setting the synchronisation bit at the end of ath9k_htc_probe_device(), instead of inside ath9k_tx_init(). With this change the whole tasklet is protected and only runs after device initialization is complete, which fixes CVE-2024-26897.

Code Snippet

The following code snippet demonstrates the placement of the synchronisation bit in the proposed solution:

void ath9k_htc_probe_device(struct ath9k_htc_priv *priv)
{
	/* ... device initialization ... */

	/* Set the initialization complete bit last, so the tasklet can
	 * only proceed once everything above has been set up. */
	set_bit(ATH9K_HTC_INIT_DONE, &priv->op_flags);
}
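The race described above, and the difference between the partial fix and the complete one, modelled in userspace as an added example that is not the kernel's code: the struct fields, flag names and return codes are constructed for illustration, and the "would crash" return stands in for the NULL pointer dereference the real tasklet would hit.

```c
#include <stdbool.h>

/* Constructed userspace model of the ath9k_htc race; the names are
 * illustrative and not the kernel's own identifiers. */
enum wmi_cmd { WMI_TXSTATUS_EVENTID = 1, WMI_OTHER_EVENTID = 2 };
enum result { HANDLED = 0, DEFERRED_NOT_READY = 1, WOULD_NULL_DEREF = 2 };

struct htc_priv {
	bool tx_initialized;         /* partial fix: set inside tx_init()   */
	bool init_done;              /* full fix: set at the end of probe   */
	int tx_count, other_count;
	int *tx_state, *other_state; /* NULL until the matching init step  */
};

/* Partial fix (commit 8b3046abc99e): only TXSTATUS checks its flag. */
static enum result tasklet_partial(struct htc_priv *p, enum wmi_cmd cmd)
{
	int *state = (cmd == WMI_TXSTATUS_EVENTID) ? p->tx_state : p->other_state;
	if (cmd == WMI_TXSTATUS_EVENTID && !p->tx_initialized)
		return DEFERRED_NOT_READY;
	if (!state)
		return WOULD_NULL_DEREF; /* the real driver would crash here */
	(*state)++;
	return HANDLED;
}

/* Full fix: one check at the top of the tasklet covers every command. */
static enum result tasklet_fixed(struct htc_priv *p, enum wmi_cmd cmd)
{
	if (!p->init_done)
		return DEFERRED_NOT_READY;
	return tasklet_partial(p, cmd); /* safe: all state exists by now */
}

/* Deliver one event either in the middle of probe (after tx_init() but
 * before the rest of initialization) or after probe has finished. The USB
 * subsystem can already deliver events while probe is still running. */
enum result deliver_event(bool fixed, bool probe_done, enum wmi_cmd cmd)
{
	struct htc_priv p = { 0 };
	p.tx_state = &p.tx_count;
	p.tx_initialized = true;          /* tx_init(): the partial fix set it here */
	if (probe_done) {
		p.other_state = &p.other_count;
		p.init_done = true;       /* full fix: set last, after everything */
	}
	return fixed ? tasklet_fixed(&p, cmd) : tasklet_partial(&p, cmd);
}
```

With only the partial fix, an event for a command other than WMI_TXSTATUS_EVENTID arriving mid-probe reaches uninitialized state; with the check at the top of the tasklet every command is deferred until probe has completed.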

Original references

1. https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8b3046abc99e7f64603f380b48acdf7c3e65cd32
2. https://www.kernel.org/doc/html/latest/networking/ath9k/index.html

Conclusion

By addressing the entire ath9k_wmi_event_tasklet() function and ensuring its execution only after the device initialization is complete, this vulnerability has been effectively mitigated. Users should update their Linux kernels to incorporate the changes and help secure their systems from potential exploits associated with CVE-2024-26897.

Timeline

Published on: 04/17/2024 11:15:10 UTC
Last modified on: 06/25/2024 23:15:27 UTC