A recent Linux kernel vulnerability, CVE-2024-46860, was discovered and fixed in the mt76 WiFi driver, specifically in the mt7921 code that drives MediaTek's MT7921 family of chipsets. The bug is a NULL pointer dereference that oopses the kernel, which on most machines means a crash (kernel panic). In this post I'll explain what happened, why it matters, show the affected code, and discuss the realistic ways of triggering it, written for readers who are not deep kernel developers.
What is CVE-2024-46860?
The vulnerability is in the mt76 open-source WiFi driver for Linux, which supports MediaTek WiFi chipsets. The problematic function is mt7921_ipv6_addr_change(). mac80211 invokes it from the kernel's IPv6 address notifier whenever the addresses on a wireless interface change; the driver uses it to hand the interface's IPv6 addresses to the firmware so the firmware can answer neighbour solicitations on the host's behalf. Addresses also change when WiFi is disabled, because tearing the interface down removes them, so the function runs during teardown too.
By that point the driver has already detached the phy from the virtual interface, and mvif->phy is NULL. The pre-fix code read mvif->phy and used it without checking, so the handler dereferenced a NULL pointer and the kernel oopsed (i.e., crashed).
Here's a simplified code snippet showing the issue (before the fix). The real function is a mac80211 driver callback that the IPv6 notifier reaches indirectly; the notifier-style signature below is an illustration, but the shape of the bug is the same:
static int mt7921_ipv6_addr_change(struct notifier_block *nb, unsigned long data, void *arg)
{
	struct inet6_ifaddr *ifa = arg;
	struct net_device *dev = ifa->idev->dev;
	struct mt76_vif *mvif = (struct mt76_vif *)netdev_priv(dev);
	/* BUG: mvif->phy may be NULL here if WiFi is being disabled */
	struct mt76_phy *phy = mvif->phy;

	/* ... 'phy' is used below (e.g. phy->dev) without ever being checked ... */
	return NOTIFY_DONE;
}
Dereferencing that NULL phy pointer oopses the kernel.
The Patch: How Was It Fixed?
The fix is simple: check mvif->phy and leave the notifier before touching it. Here's the core part of the patch, in the same simplified form:
	struct mt76_phy *phy = mvif->phy;

	if (!phy)
		return NOTIFY_DONE;	/* interface is being torn down; nothing to do */
	/* safe to use 'phy' from here on */
Commit message (abbreviated for clarity)
> [PATCH] wifi: mt76: mt7921: fix NULL pointer access in mt7921_ipv6_addr_change
>
> When disabling wifi, mt7921_ipv6_addr_change() is called as a notifier.
> At this point mvif->phy is already NULL so we cannot use it here.
>
> Signed-off-by: Lorenzo Bianconi
See the commit
- kernel.org patch link (example)
- CVE link
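To make the ordering concrete, here is a small userspace model of the bug and its fix. It is an added example written for this post, not mt76 or kernel code: the struct and field names, the counter and the addresses are invented, a signal handler stands in for the kernel oops, and the model keeps only the one property that matters, that the phy is detached before the address-change notifier runs.

```c
/* Added example (not mt76 or kernel code): a userspace model of the
 * tear-down ordering behind CVE-2024-46860. struct/field names, the
 * counter and the addresses are invented for the model. */
#define _POSIX_C_SOURCE 200809L
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>

#define NOTIFY_DONE 0	/* same values as include/linux/notifier.h */
#define NOTIFY_OK   1

struct model_phy {
	const char *name;
	int ns_offload_updates;	/* times the address list was pushed to "firmware" */
};

struct model_vif {
	struct model_phy *phy;	/* NULL once the phy has been torn down */
	const char *ifname;
};

typedef int (*ipv6_notifier_fn)(struct model_vif *vif, const char *addr);

/* BUGGY: mirrors the pre-fix driver, phy is used with no NULL check. */
static int ipv6_addr_change_buggy(struct model_vif *vif, const char *addr)
{
	struct model_phy *phy = vif->phy;

	(void)addr;
	phy->ns_offload_updates++;	/* NULL dereference during tear-down */
	return NOTIFY_OK;
}

/* FIXED: the guard the upstream patch adds, bail out when the phy is gone. */
static int ipv6_addr_change_fixed(struct model_vif *vif, const char *addr)
{
	(void)addr;
	if (!vif->phy)
		return NOTIFY_DONE;	/* interface is going away; nothing to offload */
	vif->phy->ns_offload_updates++;
	return NOTIFY_OK;
}

/* Stand-in for the kernel oops: catch the fault and unwind instead of dying. */
static sigjmp_buf fault_env;

static void on_fault(int sig)
{
	(void)sig;
	siglongjmp(fault_env, 1);
}

/* Calls one notifier; returns its NOTIFY_* value, or -1 if it faulted. */
static int call_notifier(ipv6_notifier_fn fn, struct model_vif *vif, const char *addr)
{
	struct sigaction sa, old_segv, old_bus, old_ill;
	volatile int ret;

	memset(&sa, 0, sizeof(sa));
	sa.sa_handler = on_fault;
	sigemptyset(&sa.sa_mask);
	sigaction(SIGSEGV, &sa, &old_segv);
	sigaction(SIGBUS, &sa, &old_bus);
	sigaction(SIGILL, &sa, &old_ill);	/* gcc may compile a known-NULL deref to a trap */

	if (sigsetjmp(fault_env, 1) == 0)
		ret = fn(vif, addr);
	else
		ret = -1;

	sigaction(SIGSEGV, &old_segv, NULL);
	sigaction(SIGBUS, &old_bus, NULL);
	sigaction(SIGILL, &old_ill, NULL);
	return ret;
}

/* Disabling WiFi in the order the driver sees it: the phy is detached first,
 * then the stack drops the interface's addresses and the notifier fires. */
static int disable_wifi(struct model_vif *vif, ipv6_notifier_fn fn)
{
	vif->phy = NULL;
	return call_notifier(fn, vif, "fe80::1");	/* constructed link-local address */
}

int main(void)
{
	struct model_phy phy = { "phy0", 0 };
	struct model_vif vif = { &phy, "wlan0" };
	int r;

	/* normal operation: an address is added while the phy is attached */
	r = call_notifier(ipv6_addr_change_buggy, &vif, "2001:db8::10");
	printf("attached, buggy handler: ret=%d updates=%d\n", r, phy.ns_offload_updates);
	r = disable_wifi(&vif, ipv6_addr_change_buggy);
	printf("tear-down, buggy handler: %s\n", r == -1 ? "FAULT (kernel would oops)" : "ok");
	vif.phy = &phy;
	r = disable_wifi(&vif, ipv6_addr_change_fixed);
	printf("tear-down, fixed handler: ret=%d (NOTIFY_DONE)\n", r);
	return 0;
}
```

Compile with cc -o teardown teardown.c and run it: the buggy handler faults on the tear-down call, while the fixed one returns NOTIFY_DONE and leaves the counter untouched. The order of operations is the whole story. The guard is only correct because the teardown path clears the pointer before the notifier fires; any future change that detaches the phy later, or that reads the pointer twice, reopens the same hole.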
Who is affected?
- Linux users on laptops or embedded devices with a MediaTek MT7921 WiFi adapter (common in recent laptops and SBCs). The same mt7921 code drives the MT7922 (sold in AMD RZ616 cards) and the USB and SDIO variants of the chip, so those are in scope as well.
What can an attacker do?
- Local Denial of Service (DoS): anyone who can disable WiFi or take the interface down can make this function run during teardown and oops the kernel, for instance by repeatedly toggling the radio or the interface from userland. That needs CAP_NET_ADMIN (root), or a desktop session whose NetworkManager/rfkill policy lets the logged-in user switch WiFi off, so it is a DoS for local users who are allowed to manage the link rather than for arbitrary unprivileged accounts. It also bites with no attacker at all: the commit describes it as hit simply by disabling WiFi. Whether the oops becomes a full panic depends on kernel.panic_on_oops; without it the kernel kills the task in the middle of the teardown, typically while it holds the RTNL lock, so later network configuration hangs and a reboot is usually needed anyway.
- Escalation Risk: there's no evidence this bug allows privilege escalation. The fault is a read through the NULL phy pointer at a small offset, and userspace cannot map page zero on modern kernels (mmap_min_addr), so it is not a usable primitive. DoS alone is still disruptive, especially on shared compute environments or kiosks.
Example userland trigger (needs CAP_NET_ADMIN, so run it as root; replace the interface name with yours, the original used a bare "wlan"):
IFACE="${1:-wlan0}"
# The commit message talks about disabling WiFi; from a shell that is
# "rfkill block wifi" followed by "rfkill unblock wifi", which takes the
# radio down and back up and is closer to what the commit describes.
# Bouncing the link exercises the same address-removal notifier path.
while true; do
	ip link set "$IFACE" down
	ip link set "$IFACE" up
done
Mitigation
Update your kernel. Most mainstream distributions picked up this patch quickly through the stable trees; if you run a custom kernel, backport the fix as soon as you can.
Check your hardware. lspci | grep -i mediatek only finds PCIe adapters; lsmod | grep mt7921 is the better test because it catches the PCIe, SDIO and USB modules (mt7921e, mt7921s, mt7921u), whereas lsmod | grep mt76 also matches unrelated MediaTek drivers that share the mt76 core.
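A sysfs-based check, added here as an example and not taken from the post or from the mt76 project, that flags interfaces bound to one of the mt7921 modules. The module names mt7921e, mt7921s and mt7921u and the /sys/class/net/<iface>/device/driver layout are the real ones; the sysfs root is a parameter so the scanner can be pointed at a constructed tree, and make_fake_iface builds such a tree for exactly that purpose.

```c
/* Added example, not from the post or the mt76 project: list network
 * interfaces bound to an mt7921 module by reading sysfs, which also catches
 * the USB and SDIO parts that lspci cannot see. The sysfs root is a
 * parameter so the scanner can run against a constructed tree. */
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Kernel modules that bind MT7921-family hardware: PCIe, SDIO, USB. */
static const char *const mt7921_drivers[] = { "mt7921e", "mt7921s", "mt7921u" };

static int is_mt7921_driver(const char *name)
{
	for (size_t i = 0; i < sizeof(mt7921_drivers) / sizeof(*mt7921_drivers); i++)
		if (strcmp(name, mt7921_drivers[i]) == 0)
			return 1;
	return 0;
}

/* Resolves <sysfs>/class/net/<ifname>/device/driver and copies the link's
 * basename (the driver name) into out. Returns 0 when there is no link,
 * which is the case for virtual interfaces such as lo or veth. */
static int driver_of_iface(const char *sysfs, const char *ifname, char *out, size_t outlen)
{
	char path[PATH_MAX], target[PATH_MAX];
	const char *base;
	ssize_t n;

	snprintf(path, sizeof(path), "%s/class/net/%s/device/driver", sysfs, ifname);
	n = readlink(path, target, sizeof(target) - 1);
	if (n < 0)
		return 0;
	target[n] = '\0';
	base = strrchr(target, '/');
	snprintf(out, outlen, "%s", base ? base + 1 : target);
	return 1;
}

/* Scans <sysfs>/class/net; writes matching names, comma-separated, into
 * found and returns their count, or -1 if the directory cannot be read. */
static int find_mt7921_ifaces(const char *sysfs, char *found, size_t foundlen)
{
	char dirpath[PATH_MAX], drv[NAME_MAX + 1];
	struct dirent *de;
	int count = 0;
	DIR *d;

	snprintf(dirpath, sizeof(dirpath), "%s/class/net", sysfs);
	if (!(d = opendir(dirpath)))
		return -1;
	found[0] = '\0';
	while ((de = readdir(d)) != NULL) {
		if (de->d_name[0] == '.' || !driver_of_iface(sysfs, de->d_name, drv, sizeof(drv)))
			continue;
		if (!is_mt7921_driver(drv))
			continue;
		if (count++)
			strncat(found, ",", foundlen - strlen(found) - 1);
		strncat(found, de->d_name, foundlen - strlen(found) - 1);
	}
	closedir(d);
	return count;
}

/* Builds a fake <sysfs>/class/net/<ifname>[/device/driver -> .../<driver>]
 * so the scanner can be exercised without the hardware; driver == NULL models
 * a virtual interface. The symlink dangles, which readlink does not mind. */
static int make_fake_iface(const char *sysfs, const char *ifname, const char *driver)
{
	char p[PATH_MAX], target[PATH_MAX], *s;

	snprintf(p, sizeof(p), "%s/class/net/%s", sysfs, ifname);
	for (s = p + strlen(sysfs) + 1; (s = strchr(s, '/')) != NULL; s++) {
		*s = '\0';
		mkdir(p, 0755);		/* class, then class/net */
		*s = '/';
	}
	mkdir(p, 0755);			/* class/net/<ifname> */
	if (!driver)
		return 0;
	snprintf(p + strlen(p), sizeof(p) - strlen(p), "/device");
	mkdir(p, 0755);
	snprintf(p + strlen(p), sizeof(p) - strlen(p), "/driver");
	snprintf(target, sizeof(target), "../../../../bus/pci/drivers/%s", driver);
	return symlink(target, p);
}

int main(int argc, char **argv)
{
	const char *sysfs = argc > 1 ? argv[1] : "/sys";
	char found[1024];
	int n = find_mt7921_ifaces(sysfs, found, sizeof(found));
	if (n < 0) {
		perror(sysfs);
		return 1;
	}
	printf("%d interface(s) bound to an mt7921 driver%s%s\n", n, n ? ": " : "", found);
	return 0;
}
```

Run it with no arguments on a live machine to scan /sys; a non-zero count means the interface sits on the driver this CVE is about, regardless of bus. Reading the device/driver link is more precise than grepping lsmod, because the module can be loaded without any interface actually being bound to it.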
References
- Upstream patch commit
- CVE-2024-46860 on MITRE (pending at time of writing)
- mt76 driver on GitHub
Conclusion
CVE-2024-46860 is a classic example of how a single missing NULL check on a teardown path turns into a system stability issue. If you're using Linux with MediaTek MT7921-family WiFi hardware, make sure your system is patched; otherwise disabling WiFi, whether a user does it or a script does, can crash the machine. It also shows how hardware-specific drivers with "simple" bugs can have a visible security impact.
Stay patched, and always check code paths that can run during device teardown or shutdown for resources that have already been released or set to NULL.
Timeline
Published on: 09/27/2024 13:15:17 UTC
Last modified on: 10/02/2024 14:04:38 UTC