A vulnerability has been found and resolved in the Linux kernel, in the driver for the Microchip WILC1000 WiFi module. The issue, assigned the identifier CVE-2024-27391, is a workqueue leak that occurs each time an interface is added on the device. Before getting into the details of the vulnerability and its resolution, let's look briefly at what workqueues and the WILC1000 are.

Background

Workqueues are a kernel feature in Linux that lets code defer work to be executed later in the context of kernel worker threads (kworker). They are useful for work that must run in a context that may sleep, such as the bottom half of interrupt handling or deferred processing that needs to allocate memory. A workqueue is a kernel resource: it is created with one of the alloc_*workqueue helpers, is expected to be destroyed with destroy_workqueue, and, when created with WQ_MEM_RECLAIM, gets a dedicated rescuer thread that lives as long as the queue does.

The WILC1000 is a single-chip Wireless LAN module from Microchip that operates on the 2.4 GHz frequency band. It supports the IEEE 802.11b/g/n standards and is used in various Linux systems for wireless communication; its kernel driver lives under drivers/net/wireless/microchip/.

Vulnerability Details

In the Linux kernel, the WILC1000 driver needs only one workqueue per device. However, the wilc_netdev_ifc_init function, which is called each time an interface is added over a phy, allocates a new workqueue and overwrites the driver's single workqueue pointer with it. The previously allocated workqueue is never destroyed, so every added interface leaks one workqueue (and, with it, a kernel thread). This can be observed easily by running the following commands, which repeatedly add and delete an interface on the WILC phy:

# Repeatedly add and delete a managed interface on the phy.
# "phy" is the wiphy name of the WILC adapter; list the names with `iw phy`.
for i in $(seq 10)
do
  iw phy phy interface add wlan1 type managed
  iw dev wlan1 del
done
# Each leaked workqueue keeps its rescuer thread alive, so it shows up in ps.
ps -eo pid,comm|grep wlan

This will list multiple leaked workqueues, as seen in this example. Each kworker/R-<name> entry is the rescuer thread of a workqueue created with WQ_MEM_RECLAIM; one entry per interface name is expected, so the repeated wlan1 entries are queues that were overwritten and never destroyed:

 39 kworker/R-wlan
 98 kworker/R-wlan1
102 kworker/R-wlan1
105 kworker/R-wlan1
...

Resolution

The solution to this vulnerability is to move the workqueue allocation from the wilc_netdev_ifc_init function to the wilc_cfg80211_init function, which runs once when the phy is registered rather than once per added interface. The workqueue is therefore allocated a single time for the lifetime of the device and is no longer overwritten when an interface is added.
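The pattern behind the vulnerability and its fix, as an added user-space model that is not the kernel driver's code: a per-device resource (the workqueue) allocated from a per-interface init path is silently lost every time the pointer is overwritten, while allocating it once in the phy-level init keeps the count of live queues at exactly one. The functions wq_alloc, wq_destroy, buggy_netdev_ifc_init, fixed_cfg80211_init, fixed_netdev_ifc_init and leaked_after_cycles are hypothetical stand-ins; only the queue name format "WILC_wq-%s" and the function names they mirror come from the page. The registry used to count leaks is a testing aid with no kernel counterpart, where the lost queue is visible only as the lingering kworker/R-* rescuer thread shown above.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_QUEUES 64

/* Constructed model of a kernel workqueue; `destroyed` records whether it was freed. */
struct workqueue {
    char name[32];
    int destroyed;
};

/* Registry of every queue ever created, so leaks can be counted afterwards.
 * (A real kernel has no such registry: the leak only shows as a kworker/R thread.) */
static struct workqueue *registry[MAX_QUEUES];
static int registry_n;

/* Per-device host-interface state: the driver owns exactly one workqueue. */
struct host_if {
    struct workqueue *hif_workqueue;
};

/* Stand-in for alloc_ordered_workqueue("WILC_wq-%s", ..., name). */
static struct workqueue *wq_alloc(const char *name)
{
    if (registry_n >= MAX_QUEUES)
        return NULL;
    struct workqueue *wq = calloc(1, sizeof(*wq));
    if (!wq)
        return NULL;
    snprintf(wq->name, sizeof(wq->name), "WILC_wq-%s", name);
    registry[registry_n++] = wq;
    return wq;
}

/* Stand-in for destroy_workqueue(): only marks the queue, so it can be counted later. */
static void wq_destroy(struct workqueue *wq)
{
    if (wq)
        wq->destroyed = 1;
}

/* Count queues that were never destroyed, then release the registry for the next run. */
static int count_leaks_and_reset(void)
{
    int leaks = 0;
    for (int i = 0; i < registry_n; i++) {
        if (!registry[i]->destroyed)
            leaks++;
        free(registry[i]);
    }
    registry_n = 0;
    return leaks;
}

/* Buggy shape (before the fix): the per-interface init allocates the per-device
 * queue, so each added interface overwrites the pointer and the previous queue
 * loses its only reference. */
static int buggy_netdev_ifc_init(struct host_if *hif, const char *ifname)
{
    hif->hif_workqueue = wq_alloc(ifname);
    return hif->hif_workqueue ? 0 : -1;
}

/* Fixed shape: allocate once in the phy-level init, named after the wiphy ... */
static int fixed_cfg80211_init(struct host_if *hif, const char *phyname)
{
    hif->hif_workqueue = wq_alloc(phyname);
    return hif->hif_workqueue ? 0 : -1;
}

/* ... and leave the per-interface init with nothing to allocate. */
static int fixed_netdev_ifc_init(struct host_if *hif, const char *ifname)
{
    (void)ifname;
    return hif->hif_workqueue ? 0 : -1;
}

/* Add n interfaces to one device, then tear the device down, and return how many
 * queues were left behind. Interface deletion is not modelled because, as the ps
 * output on the page shows, deleting an interface never destroyed the queue. */
static int leaked_after_cycles(int n, int use_fix)
{
    struct host_if hif = { NULL };
    if (use_fix && fixed_cfg80211_init(&hif, "phy0") != 0)
        return -1;
    for (int i = 0; i < n; i++) {
        char ifname[16];
        snprintf(ifname, sizeof(ifname), "wlan%d", i);
        int rc = use_fix ? fixed_netdev_ifc_init(&hif, ifname)
                         : buggy_netdev_ifc_init(&hif, ifname);
        if (rc != 0)
            return -1;
    }
    wq_destroy(hif.hif_workqueue); /* device teardown frees the one queue it still knows */
    return count_leaks_and_reset();
}

int main(void)
{
    printf("buggy: %d queues leaked after 10 interface adds\n", leaked_after_cycles(10, 0));
    printf("fixed: %d queues leaked after 10 interface adds\n", leaked_after_cycles(10, 1));
    return 0;
}
```

The buggy path loses one queue per added interface beyond the first, which matches the one-extra-kworker-per-iteration growth in the ps listing; the fixed path allocates once and destroys once, regardless of how many interfaces come and go.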

The original commit that caused the vulnerability can be found here.

The patch that fixes the vulnerability is as follows:

diff --git a/drivers/net/wireless/microchip/wilc100/cfg80211.c b/drivers/net/wireless/microchip/wilc100/cfg80211.c
index 8d67c55..cb99f9 100644
--- a/drivers/net/wireless/microchip/wilc100/cfg80211.c
+++ b/drivers/net/wireless/microchip/wilc100/cfg80211.c
@@ -490,6 +490,12 @@
 	}
 	cfgp->imode = nl80211_get_ifmode(vif);

+	/* Workqueue allocation */
+	hif->hif_workqueue = alloc_ordered_workqueue("WILC_wq-%s",
+					    WQ_FREEZABLE | WQ_MEM_RECLAIM,
+					    wiphy_name(cfgp->wiphy));
+	if (!hif->hif_workqueue)
+		return -ENOMEM;
 	return ;
}
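Review bot: this hunk only adds the allocation to wilc_cfg80211_init; the removal of the per-interface allocation from wilc_netdev_ifc_init that the write-up describes, and the relocation of the matching destroy_workqueue call to the cfg80211 teardown path, are not in the shown hunk, and without them the queue would still be reallocated on every interface add. The new `if (!hif->hif_workqueue) return -ENOMEM;` path also returns straight out of the function after `cfgp->imode = nl80211_get_ifmode(vif);`, so it is worth confirming that nothing allocated earlier in wilc_cfg80211_init needs releasing on that error path. Finally, the trailing context line reads `return ;`, which cannot compile in a function that returns an int; the return value appears to have been lost in transcription of the patch.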

Conclusion

CVE-2024-27391 has been resolved by allocating the workqueue once in the wilc_cfg80211_init function, so that adding an interface no longer overwrites it with a fresh allocation. Update your Linux kernel to a version that includes this patch to protect your system from this vulnerability; on an unpatched system, the leak can be confirmed with the ps check shown above.

For more information, refer to the following resources:

- Original commit introducing the vulnerability
- Linux kernel mailing list discussion on the fix
- Microchip WILC1000

Timeline

Published on: 05/01/2024 13:15:51 UTC
Last modified on: 05/29/2024 05:28:17 UTC