A recently discovered vulnerability (CVE-2024-26892) in the Linux kernel's wifi module, specifically in the mt76 driver for MediaTek MT7921e chips, can lead to a use-after-free scenario. This can cause unexpected behavior and potentially lead to system instability or security risks. This blog post will discuss the details of the vulnerability, provide a code snippet for better understanding, and talk about the resolution of the issue.
Vulnerability Details
The issue stems from a test that was introduced in the kernel commit a304e1b82808 by the tag "[PATCH] Debug shared irqs". This test aims to ensure that the shared irq handler can manage unexpected events after irq deregistration. The vulnerability occurs due to a use-after-free scenario in the function mt7921_irq_handler() of the mt7921e module. The KASAN (Kernel Address Sanitizer) tool detected this issue by analyzing the read of size 8 at addr ffff88824a7d3b78 created by the "rmmod" task.
In the case of this vulnerability, the MT76_REMOVED flag needs to be applied, indicating that the device was removed and avoiding any further resource access.
The following is a snippet from the call trace reported in the debug logs
<...>
BUG: KASAN: use-after-free in mt7921_irq_handler+xd8/x100 [mt7921e]
Read of size 8 at addr ffff88824a7d3b78 by task rmmod/11115
<...>
mt7921_irq_handler+xd8/x100 [mt7921e]
free_irq+x627/xaa
devm_free_irq+x94/xd
<...>
mt7921_pci_remove+x153/x190 [mt7921e]
pci_device_remove+xa2/x1d
__device_release_driver+x346/x6e
driver_detach+x1ef/x2c
bus_remove_driver+xe7/x2d
pci_unregister_driver+x26/x250
__do_sys_delete_module+x307/x510
<...>
Resolution
To fix this vulnerability, the MT76_REMOVED flag needs to be applied to avoid any further resource access. The commit to the Linux kernel that resolves this issue can be found here.
The following line should be added in the mt7921_pci_remove function in the mt7921e module source code:
set_bit(MT76_REMOVED, &dev->mt76.state);
After applying this flag, the device will not access any resources after it has been removed, mitigating the possibility of a use-after-free scenario.
Conclusion
The CVE-2024-26892 vulnerability has the potential to cause system instability and security risks. However, by applying the MT76_REMOVED flag, the Linux kernel can mitigate the chances of experiencing a use-after-free issue in the mt76 driver for MediaTek MT7921e chips. The commit that resolves this issue has been applied in the kernel and should be incorporated into future releases or provided as a patch to existing installations.
Timeline
Published on: 04/17/2024 11:15:10 UTC
Last modified on: 05/29/2024 05:24:34 UTC