CVE-2024-49857 - Fixing NULL Pointer Dereference in Linux Kernel's iwlwifi: mvm for Secured NDP Ranging

A vulnerability has been found and fixed in the Linux kernel's iwlwifi driver, specifically in its mvm component (the iwlmvm module) that drives recent Intel wireless chipsets. CVE-2024-49857 is a NULL pointer dereference in the handling of secured NDP ranging. NDP here means Null Data Packet, the frames used for IEEE 802.11az fine timing measurement (Wi-Fi ranging), not the IPv6 Neighbor Discovery Protocol. The code that looks up the key material for a secured ranging session writes the selected cipher through a pointer that was never set, so the kernel dereferences NULL. The practical impact is a kernel crash, that is, a denial of service on the affected host.

In this post, we will discuss the details of the vulnerability, the patch that was applied to resolve the issue, and provide code snippets to help illustrate the problem and its solution.

Details of the Vulnerability

The iwlwifi driver manages Intel wireless devices; its mvm component implements the firmware interface for the newer chipsets, including the fine timing measurement (FTM) initiator used for Wi-Fi ranging and indoor location. Secured NDP ranging is the IEEE 802.11az mode in which the ranging exchange is protected by keys established with the peer through PASN, so before starting a measurement the driver must find the key installed for the target peer and tell the firmware which cipher that key uses. This is a location feature, not part of network discovery or association.

The root cause is that the pointer through which the cipher is reported is never set. The driver walks the installed keys with a callback; when the callback finds the key for the target peer it copies the key material and writes the cipher identifier through that pointer. Because the pointer still holds NULL, the write faults and the kernel crashes.

Here is a simplified sketch of the problematic pattern. It is an illustration rather than the kernel's source (the function and field names are made up for the sketch): a cipher pointer reaches code that dereferences it without ever having been set

void func_cipher_params(struct ieee80211_hw *hw, struct sta_info *sta,
        struct ieee80211_key_conf *cipher)
{
    //(...)
    u8 *addr, *key_ptr;

    // cipher is never checked or set before use: if it is NULL, this
    // first dereference is where the kernel faults
    addr = cipher->sta_addr;
    key_ptr = cipher->key;
    //(...)

    // later writes go through pointers derived from the same object
    *addr = cipher->hw_key_idx;
}

Proposed Fix for the Vulnerability

The upstream fix is a one-line change: the pointer through which the cipher is reported is set before the key iteration runs, so the callback writes the cipher into the caller's buffer instead of through NULL. In the simplified sketch below the same idea is reduced to a guard that refuses to proceed when the pointer is NULL. That prevents the crash but, unlike the real fix, does not make the cipher available to the caller, which is why the kernel change sets the pointer rather than merely checking it.

Here is the sketch with the guard applied

void func_cipher_params(struct ieee80211_hw *hw, struct sta_info *sta,
        struct ieee80211_key_conf *cipher)
{
    //(...)
    u8 *addr, *key_ptr;

    // Guard against an unset (NULL) cipher pointer. This avoids the crash;
    // the upstream fix goes one step further and sets the pointer so the
    // cipher is actually reported.
    if (!cipher)
        return;

    addr = cipher->sta_addr;
    key_ptr = cipher->key;
    //(...)

    // Every dereference below now happens on a valid pointer
    *addr = cipher->hw_key_idx;
}
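To make the real failure mode concrete, the following is an added, self-contained C model of the pattern the CVE describes. It is not kernel code and every name in it is invented for illustration: an iteration context carries an output pointer for the cipher, a per-key callback writes through it, and the caller either forgets to set that pointer (the bug) or wires it up (the fix). The callback returns an error where the kernel would fault, so both paths can be run side by side.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the bug class behind CVE-2024-49857 (added example, not
 * the kernel's code; every name below is invented for illustration). */

#define MODEL_ETH_ALEN   6
#define MODEL_TK_MAX_LEN 32
enum model_cipher { MODEL_CIPHER_INVALID = 0, MODEL_CIPHER_CCMP_128, MODEL_CIPHER_GCMP_256 };

/* Peer station with one installed pairwise key (suite = 802.11 suite selector). */
struct model_key { uint32_t suite; uint8_t keylen; uint8_t key[MODEL_TK_MAX_LEN]; };
struct model_sta { uint8_t addr[MODEL_ETH_ALEN]; struct model_key key; };

/* Context passed through the key iteration. `cipher` is an OUTPUT pointer: the
 * caller must point it at its own cipher byte before the iteration runs. */
struct model_iter_data {
    const uint8_t *bssid;
    uint8_t *cipher;
    uint8_t  tk[MODEL_TK_MAX_LEN];
};

/* Suite selector -> firmware-style cipher id (00-0F-AC:4 = CCMP-128, :9 = GCMP-256). */
static uint8_t model_suite_to_cipher(uint32_t suite)
{
    switch (suite) {
    case 0x000FAC04: return MODEL_CIPHER_CCMP_128;
    case 0x000FAC09: return MODEL_CIPHER_GCMP_256;
    default:         return MODEL_CIPHER_INVALID;
    }
}

/* Per-key callback: 1 = key consumed, 0 = not the target, -1 = programming
 * error. The check on target->cipher stands in for the kernel fault; the real
 * callback has no such guard and writes straight through the NULL pointer. */
static int model_key_iter(const struct model_sta *sta, struct model_iter_data *target)
{
    if (!sta || memcmp(sta->addr, target->bssid, MODEL_ETH_ALEN) != 0)
        return 0;
    if (sta->key.keylen > sizeof(target->tk))
        return -1;
    memcpy(target->tk, sta->key.key, sta->key.keylen);
    if (!target->cipher)
        return -1;
    *target->cipher = model_suite_to_cipher(sta->key.suite);
    return 1;
}

/* Caller modelled on the initiator's setup path; the loop stands in for the
 * stack's key iterator. The line under `fixed` is the one the upstream fix
 * adds: without it target.cipher stays NULL. */
static int model_set_secured_ranging(int fixed, const struct model_sta *stas, size_t n,
                                     const uint8_t *bssid, uint8_t *cipher,
                                     uint8_t tk[MODEL_TK_MAX_LEN])
{
    struct model_iter_data target = { .bssid = bssid };
    int consumed = 0;
    if (fixed)
        target.cipher = cipher;        /* the fix: wire the output pointer */
    for (size_t i = 0; i < n; i++) {
        int r = model_key_iter(&stas[i], &target);
        if (r < 0)
            return r;
        consumed += r;
    }
    if (consumed)
        memcpy(tk, target.tk, sizeof(target.tk));
    return consumed;
}

/* Runs the caller over a constructed two-peer table, ranging with the second
 * peer (GCMP-256, 32-byte key of 0xbb). Returns the caller's result code. */
int model_demo(int fixed, uint8_t *cipher_out, uint8_t tk_out[MODEL_TK_MAX_LEN])
{
    static const uint8_t peer_a[MODEL_ETH_ALEN] = { 0x02, 0, 0, 0, 0, 0x0a };
    static const uint8_t peer_b[MODEL_ETH_ALEN] = { 0x02, 0, 0, 0, 0, 0x0b };
    struct model_sta stas[2];
    memset(stas, 0, sizeof(stas));
    memcpy(stas[0].addr, peer_a, MODEL_ETH_ALEN);
    stas[0].key.suite = 0x000FAC04; stas[0].key.keylen = 16; memset(stas[0].key.key, 0xaa, 16);
    memcpy(stas[1].addr, peer_b, MODEL_ETH_ALEN);
    stas[1].key.suite = 0x000FAC09; stas[1].key.keylen = 32; memset(stas[1].key.key, 0xbb, 32);
    return model_set_secured_ranging(fixed, stas, 2, peer_b, cipher_out, tk_out);
}

/* Scalar view of one run: field 0 = result code, 1 = cipher byte, 2 = tk[0]. */
int model_demo_field(int fixed, int field)
{
    uint8_t c = MODEL_CIPHER_INVALID, tk[MODEL_TK_MAX_LEN] = { 0 };
    int rc = model_demo(fixed, &c, tk);
    return field == 0 ? rc : field == 1 ? c : tk[0];
}

int main(void)
{
    printf("buggy: rc=%d cipher=%d\n", model_demo_field(0, 0), model_demo_field(0, 1));
    printf("fixed: rc=%d cipher=%d tk0=%#x\n", model_demo_field(1, 0), model_demo_field(1, 1), model_demo_field(1, 2));
    return 0;
}
```

With `fixed` set to 0 the callback reaches the write through the unset pointer and the model returns -1 where the kernel would oops; with `fixed` set to 1 the cipher byte comes back as GCMP-256 and the key is copied. The guard that avoids the crash is not what makes the feature work; only wiring the output pointer does.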

Conclusion

CVE-2024-49857 is a NULL pointer dereference in the Linux kernel's iwlwifi driver (mvm component) in the path that sets up secured NDP ranging, the key-protected fine timing measurement mode of IEEE 802.11az, on Intel wireless devices. The root cause is that the pointer through which the negotiated cipher is reported was never set before the key iteration callback wrote through it. The fix sets that pointer before the iteration runs, which removes the crash and lets the cipher actually reach the caller.

By walking through the details and the code sketches in this post, we hope readers gain a better understanding of the vulnerability, its implications, and the steps taken to resolve it. Keep affected hosts current by applying the kernel update from your distribution that carries this fix.

Timeline

Published on: 10/21/2024 13:15:06 UTC
Last modified on: 10/22/2024 15:48:42 UTC