CVE-2024-26610 is a memory corruption bug in the Linux kernel's iwlwifi driver, which handles Intel wireless (Wi-Fi) adapters, and it has been fixed upstream. Because the bad write lands on the kernel heap, it can crash the machine (denial of service) and is conservatively treated as a potential privilege escalation. In this post, we will discuss the mechanism of the bug, the one-line change that fixes it, and provide links to the original references.

Exploit Details

The trigger TLVs involved are part of the debug ("ini") configuration that the driver parses from the firmware data it loads, not anything received over the air. struct iwl_fw_ini_trigger_tlv ends in a flexible array member, data, declared as __le32, while the offset at which new trigger data is appended to an existing trigger node is a byte count. Adding a byte count to a __le32 * advances the pointer by offset * sizeof(__le32) bytes, four times farther than intended, so the memcpy that follows writes past the end of the node's allocation into whatever sits after it on the kernel heap. An uncontrolled kernel heap overwrite of that kind is at minimum a reliable crash; turning it into privilege escalation would require controlling what lands after the allocation, which neither the fix nor its discussion addresses.

Code Snippet

The bug is in iwl_dbg_tlv_override_trig_node() in drivers/net/wireless/intel/iwlwifi/iwl-dbg-tlv.c, which merges the data of a newly parsed trigger TLV into an existing trigger node at a byte offset. Before the fix the destination was computed as:

	memcpy(node_trig->data + offset, trig->data, trig_data_len);

node_trig->data has type __le32 *, so node_trig->data + offset points offset * sizeof(__le32) bytes past the start of the payload rather than offset bytes, and trig_data_len bytes are then written there: past the intended location and, since the node was only sized for offset + trig_data_len bytes of payload, past the end of the region it was allocated for whenever offset is non-zero.

The fix casts the pointer to u8 * before adding the offset, so a byte count is applied as bytes:

	memcpy((u8 *)node_trig->data + offset, trig->data, trig_data_len);

Notice that the only change is the (u8 *) cast. The offset was already a correct byte count; the scaling happened in the pointer arithmetic, not in the value, which is why the bug is easy to miss in review and why a byte offset should never be added to a typed pointer without an explicit u8 * cast.
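To make the scaling concrete, here is an added user-space example (not code from the kernel or from the fix) that reproduces both expressions against a stand-in struct with a __le32-style data[] tail and a canary-filled guard region after the payload. The struct layout, the payload and guard sizes, and the copied bytes are all constructed for the demonstration; the real iwl_fw_ini_trigger_tlv has more header fields, and a real kernel allocation has no guard, which is exactly why the write corrupted neighbouring heap memory.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* User-space stand-in (assumption: the real struct iwl_fw_ini_trigger_tlv has
 * more header fields; only the __le32 data[] tail matters for the bug). */
typedef uint32_t le32;

struct trig_tlv {
	le32 time_point;
	le32 data[];		/* payload declared in 32-bit words, offsets passed in bytes */
};

#define PAYLOAD_BYTES 32	/* constructed: bytes legitimately owned by data[] */
#define GUARD_BYTES   256	/* constructed: canary region placed after the payload */
#define CANARY        0xA5

/* Byte offset, relative to data[0], that a write "at byte `offset`" actually
 * lands on. use_fix == 0 evaluates the pre-fix `data + offset`, which scales the
 * byte count by sizeof(le32); use_fix == 1 evaluates the post-fix
 * `(u8 *)data + offset`, which applies it as bytes. */
size_t dest_byte_offset(const struct trig_tlv *t, size_t offset, int use_fix)
{
	const uint8_t *base = (const uint8_t *)t->data;
	const uint8_t *dst = use_fix ? base + offset
				     : (const uint8_t *)(t->data + offset);

	return (size_t)(dst - base);
}

/* Allocate a node whose payload is followed by a canary-filled guard region, so
 * an out-of-bounds write lands somewhere we can inspect instead of corrupting
 * unrelated heap memory. */
static struct trig_tlv *alloc_node_with_guard(void)
{
	struct trig_tlv *t = calloc(1, sizeof(*t) + PAYLOAD_BYTES + GUARD_BYTES);

	if (!t)
		abort();
	memset((uint8_t *)t->data + PAYLOAD_BYTES, CANARY, GUARD_BYTES);
	return t;
}

/* Copy `len` constructed bytes to byte `offset` of the payload with the buggy
 * (use_fix == 0) or fixed (use_fix == 1) arithmetic and return how many guard
 * bytes were overwritten. Returns (size_t)-1 if even the guard would be exceeded,
 * so the demonstration itself never writes outside its own allocation. */
size_t guard_bytes_clobbered(size_t offset, size_t len, int use_fix)
{
	struct trig_tlv *t = alloc_node_with_guard();
	uint8_t *base = (uint8_t *)t->data;
	size_t land = dest_byte_offset(t, offset, use_fix);
	uint8_t src[64];
	size_t i, clobbered = 0;

	if (len > sizeof(src) || land + len > PAYLOAD_BYTES + GUARD_BYTES) {
		free(t);
		return (size_t)-1;
	}
	memset(src, 0x11, len);		/* constructed trigger data */
	memcpy(base + land, src, len);

	for (i = 0; i < GUARD_BYTES; i++)
		if (base[PAYLOAD_BYTES + i] != CANARY)
			clobbered++;
	free(t);
	return clobbered;
}

int main(void)
{
	struct trig_tlv *t = alloc_node_with_guard();

	/* Append 16 bytes at byte offset 16 of a 32-byte payload: a legitimate write. */
	printf("buggy: lands at byte %zu, guard bytes clobbered: %zu\n",
	       dest_byte_offset(t, 16, 0), guard_bytes_clobbered(16, 16, 0));
	printf("fixed: lands at byte %zu, guard bytes clobbered: %zu\n",
	       dest_byte_offset(t, 16, 1), guard_bytes_clobbered(16, 16, 1));
	free(t);
	return 0;
}
```

The legitimate write in main() (16 bytes appended at byte 16 of a 32-byte payload) fits exactly with the fixed arithmetic, while the pre-fix expression lands 64 bytes in and overwrites 16 guard bytes; in the kernel those bytes belong to whatever object follows the node. The same check is a cheap thing to write as a unit test for any parser that mixes typed pointers and byte offsets.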

The upstream fix commit and the related mailing-list thread:

- https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=996580f6bf98025c5c57e684bcf7a2d97d82ec93
- https://lore.kernel.org/netdev/CAP9ODKqmfs3FXuyA58DkcYbVsgPSEk7xMb09QY+xecVxVQtSQ@mail.gmail.com/

Conclusion

CVE-2024-26610 has been fixed in the Linux kernel. The bug was pointer arithmetic on iwl_fw_ini_trigger_tlv::data, a __le32 *, with an offset expressed in bytes, which moved the memcpy destination four times too far and corrupted kernel heap memory past the node's allocation, an issue that can cause a denial of service and is treated as a potential privilege escalation. The fix is tagged for stable backports, so check that your distribution kernel carries the commit cited above rather than relying on the upstream version number alone, and update if it does not.

Timeline

Published on: 03/11/2024 18:15:19 UTC
Last modified on: 03/12/2024 12:40:13 UTC