A serious vulnerability, CVE-2024-26895, was recently found and fixed in the Linux kernel's wifi driver for the wilc100 chipset. This bug could let attackers trigger a use-after-free condition that could crash the system or potentially allow execution of malicious code in sensitive environments.

Let's break down what happened, how it was found, and how you could weaponize it, all in simple language.

Background: Where's the Problem?

The wilc100 driver supports Microchip's ATWILC100 WiFi module, common in embedded and IoT devices. Like other drivers, it needs to clean up its network interfaces (called vif), especially when a device is unplugged or the module is removed.

Here’s where the problem was

1. Cleanup (wilc_netdev_cleanup): The driver traversed a list of network interfaces (vif structs), unregistering and freeing them.

This can be demonstrated by removing the driver via

echo spi.1 > /sys/bus/spi/drivers/wilc100_spi/unbind

That will *unbind* the wilc100 driver from a device, triggering cleanup code.

The Kernel Address Sanitizer (KASAN) caught this in action

BUG: KASAN: slab-use-after-free in wilc_netdev_cleanup+x508/x5cc
Read of size 4 at addr c54d1ce8 by task sh/86
...
Allocated by task 1:
  ...
  alloc_netdev_mqs
  wilc_netdev_ifc_init
  ...
Freed by task 86:
  ...
  device_release
  kobject_put
  netdev_run_todo
  wilc_netdev_cleanup
  ...

TL;DR: The kernel code freed a list entry while still iterating it, then tried to use it, boom—use-after-free!

Buggy Cleanup Code (Before)

list_for_each_entry(vif, &wilc->vifs, list) {
    unregister_netdev(vif->ndev);
    // vif is freed as a result, but the loop still tries to access it!
}

- The loop expects vif to still be valid on the next iteration, but unregister_netdev ends up freeing it.

Fixed Cleanup Code (After)

struct wilc_vif *vif, *tmp;
list_for_each_entry_safe(vif, tmp, &wilc->vifs, list) {
    list_del_rcu(&vif->list);
    unregister_netdev(vif->ndev);
    // Wait for any possible use of vif to finish
    synchronize_rcu();
}

- Now the list is traversed with list_for_each_entry_safe, which works even if your current element is removed.
- list_del_rcu() safely removes it for current users, and synchronize_rcu() waits until you're sure it's no longer in use.

Who Could Exploit This?

- Local attackers with the ability to load/unload kernel modules or unbind drivers (for example, via /sys).
- *Embedded or IoT environments* where drivers are user-accessible, or device access isn’t fully locked down.

Immediate Impact: System crash (kernel panic).

- Potential: If attackers have control over kernel memory or race conditions, a use-after-free could be turned into code execution with kernel privileges (root).

All you needed to do is run, as root

echo spi.1 > /sys/bus/spi/drivers/wilc100_spi/unbind

On a buggy kernel, this would crash or panic the system.

- In more controlled exploit scenarios, heap spraying and timing attacks could turn this into controlled code execution.

Example: Heap Spraying (Advanced)

Suppose an attacker can allocate/fill the memory right after unregister_netdev frees it; they may control what the next read/write in the driver sees.

Pseudocode

// After unregister_netdev and freeing
allocate_fake_vif_struct();
bind_driver_again(); // Triggers the code to walk the list of vifs, which now points to fake memory

*This takes skill, time, kernel knowledge, and, often, no real exploit is public. But the potential is serious.*

The Root Cause: Poor List Handling

As found in David Mosberger-Tan’s report:

> When unregistering a net device, the netdevice and its private vif are freed, but the list traversal keeps using the old pointer, leading to use-after-free.

Solution: Use safe iteration and RCU (Read-Copy-Update) synchronization to prevent concurrency bugs.

Is It Fixed?

Yes! The patch uses the safe list API and synchronizes freeing pointers. Get the latest kernel. If you build custom drivers, update wilc100 code!

For maintainers: Always use safe iteration (list_for_each_entry_safe) when you may delete nodes from a list during iteration.

References

- Original Report and Patch Discussion
- Linux kernel git commit (rcu/list safety patch—search for wilc100 use-after-free)
- RCU documentation in kernel
- CVE Entry (NVD) *(link will update as database is populated)*

General advice:

- Always use safe APIs for traversing/deleting list structures in the kernel.

Patch is upstream – update your kernels!

If you work with Linux kernel drivers: be careful with resource deletion, especially during list walks, and always use the *_safe and RCU variants when needed.

Timeline

Published on: 04/17/2024 11:15:10 UTC
Last modified on: 01/14/2025 14:33:40 UTC