CVE-2024-27049 - Understanding and Exploiting the Use-After-Free Bug in Linux Kernel WiFi Driver (mt76, mt7925e)

In February 2024, a critical vulnerability was addressed in the Linux kernel's WiFi subsystem, specifically affecting the Mediatek mt76 driver for the mt7925e chipset. Cataloged as CVE-2024-27049, this bug is a classic *use-after-free* scenario triggered during IRQ (interrupt request) handling when the device is being removed. In this article, we'll break down what happened, how it can be exploited, and how it was fixed — in plain language, with code snippets and all the details you need.

What Is the Issue?

The bug lives in the mt7925e module, which adds support for certain Mediatek WiFi chips under the generic mt76 Linux wireless driver framework. If you plug in or remove Mediatek WiFi hardware or hotplug devices such as laptops using these chips, the relevant code sets up an IRQ handler to manage hardware interrupts.

The vulnerable function is free_irq(), called when the device is being removed (for example, Linux is powering down the device or a user is removing the kernel module). After releasing hardware-associated resources and unregistering the interrupt handler, a race could let the handler logic still execute and act on memory that's already been freed, leading to a *use-after-free* error. This is particularly hazardous in shared IRQ (interrupt) scenarios, which are common on modern hardware.

Why Is This Dangerous?

A *use-after-free* bug can allow unauthorized access to kernel memory — a classic stepping stone for privilege escalation or kernel exploits — and possibly system compromise.

Commit History & Fix

The problematic code was introduced earlier, but was made apparent after a specific commit relating to better debug support for shared IRQs:
> [PATCH] Debug shared irqs
> GitHub commit a304e1b82808

To fix the bug, the developers introduced the MT76_REMOVED flag. This is a boolean state signal that the device has been removed. Setting this flag lets the handler quickly exit if it sees the device is gone, avoiding any further access to freed structures.

Patch reference:
net: wifi: mt76: mt7925e: fix use-after-free in free_irq()

Here's what a simplified vulnerable path would look like

// (Not actual full source)
static irqreturn_t mt7925e_irq_handler(int irq, void *dev_id)
{
    struct mt76_dev *dev = dev_id;

    // Problem: If device was just removed, dev points to freed memory!
    do_something_with(dev);

    return IRQ_HANDLED;
}

// This would be called when device is detached (use-after-free window)
free_irq(..., dev);
kfree(dev);

The kernel can still call the mt7925e_irq_handler after dev is freed!

The fix sets a flag before releasing resources, and the IRQ handler checks the flag

// Add a removed flag to the device struct
struct mt76_dev {
    ...
    unsigned long state; // bit-flags
};

// In the removal routine, before freeing resources:
set_bit(MT76_STATE_REMOVED, &dev->state);
free_irq(..., dev);

// In the IRQ handler:
static irqreturn_t mt7925e_irq_handler(int irq, void *dev_id)
{
    struct mt76_dev *dev = dev_id;

    // Quick exit if device was removed
    if (test_bit(MT76_STATE_REMOVED, &dev->state))
        return IRQ_NONE; // No processing

    do_something_with(dev);
    return IRQ_HANDLED;
}

This check makes sure the handler never touches already-freed memory.

Exploitability & Impact

A local user with the ability to trigger device add/remove, or possibly a rogue kernel module, could orchestrate a race between device teardown and a crafted interrupt. If lucky, the race would hit freed memory, which could be exploited to:

Leak kernel memory: Through pointers previously valid but now containing garbage data.

- Write to kernel memory: If the handler tries to update structures, leading to corruption or code execution.

This sort of bug is a favorite among attackers looking for privilege escalation vectors.

How to Protect Yourself

- Upgrade your kernel: Apply any Linux updates after February 2024 — distros like Ubuntu, Fedora, and Debian have started rolling this fix into their mainline and LTS kernels.
- Block module loading: If possible, prevent untrusted users from loading/unloading kernel modules.
- Disable hotplug if not required: On sensitive systems, restrict device removal/addition capabilities.

References

- Linux Kernel Commit: Fix use-after-free in free_irq (mt7925e driver)
- CVE-2024-27049 on NVD
- mt76 Linux Wi-Fi driver

Conclusion

CVE-2024-27049 is a practical demonstration of how even simple mistakes in fast-moving kernel code can open up severe security holes. The response was quick, but the lesson is clear: always validate resource availability in shared/async code paths, especially with hardware and interrupts. If you're running Linux on hardware with Mediatek WiFi chips, patch now!


If you want to dig deeper, check the original patch here or follow the ongoing discussion on LKML. Stay aware and keep your systems safe!

Timeline

Published on: 05/01/2024 13:15:50 UTC
Last modified on: 12/23/2024 19:11:05 UTC