CVE-2024-49857 - Breaking Down the Linux Kernel WiFi Vulnerability in iwlwifi mvm (Cipher Pointer NULL Dereference)

---

Introduction

A critical vulnerability, CVE-2024-49857, hit the Linux kernel's iwlwifi driver, raising red flags for everyone using WiFi on Linux systems. If you use laptops or PCs with Intel wireless chips, this bug could have put your system at risk of crashing due to a NULL pointer dereference in the iwlwifi module. Let's break down what happened, how it got fixed, and why it matters—with code samples and hands-on details.

What Is CVE-2024-49857?

In simple terms, this bug lives in the iwlwifi driver (for Intel WiFi chips) inside the Linux kernel. Specifically, it sits in the "iwlmvm" (Intel Wireless Multi Virtual Machine) component, in the code that handles NDP (Neighbor Discovery Protocol) ranging, an advanced WiFi feature.

The Issue:
When setting up a secure NDP session (like when negotiating secure WiFi connections for device location or mesh networking), the code tries to set a "cipher" (encryption algorithm). But the pointer that’s supposed to refer to the cipher isn’t actually pointing anywhere—it's NULL. The kernel code then tries to write to where the pointer should be, causing a "NULL pointer dereference." That'll crash your system in a heartbeat.

Let's look at the problematic code pattern, a simplified illustration of the kernel source before the fix (not the literal driver code):

int iwl_mvm_ftm_range_req(struct iwl_mvm *mvm, struct ieee80211_vif *vif,
                          struct cfg80211_pmsr_request *request)
{
    // ... various code ...

    if (request->secure) {
        struct ieee80211_key_conf *key = NULL;
        // ... get encryption parameters, but 'key' is never assigned ...
        key->cipher = IWL_CIPHER_SUITE_GCMP; // <-- Will crash if 'key' is NULL!
    }

    // ...
    return 0; // success
}

Here, if key isn't set properly, writing to key->cipher will dereference a NULL pointer—and boom! Kernel panic.

Real-World Effect:
If triggered (sometimes automatically through WiFi operations), the system running this code will crash instantly. Attackers might be able to use this to cause denial-of-service (DoS).

Here's the simplified patch that fixed it:

if (request->secure) {
    struct ieee80211_key_conf *key = get_the_key_somehow(); // Now it’s set!
    if (key) {
        key->cipher = IWL_CIPHER_SUITE_GCMP;
    }
}

In plain words: the code now makes sure the pointer is actually set and isn't NULL before writing the cipher through it. Simple but crucial.
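To make the pattern concrete, here is an added userspace model of the bug and its fix (example code written for this article, not the driver's code and not the upstream patch). The struct, function and constant names are hypothetical stand-ins, and the NULL write in the buggy path is replaced by an error return so the model runs without faulting.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-ins for this example; not the driver's definitions. */
#define EX_CIPHER_NONE 0
#define EX_CIPHER_GCMP 1
struct ex_request { int secure; };
/* Per-target parameters: `cipher` must point at real storage before
 * anything is written through it. */
struct ex_target { uint8_t *cipher; };
/* Before the fix, as the article describes it: the pointer is never
 * assigned, so a secure request writes through NULL. The write is
 * guarded here so the model returns -EFAULT instead of faulting. */
static int ex_setup_buggy(struct ex_target *t, const struct ex_request *req)
{
    t->cipher = NULL;          /* never pointed anywhere */
    if (!req->secure)
        return 0;
    if (t->cipher == NULL)
        return -EFAULT;        /* in the kernel: NULL pointer oops */
    *t->cipher = EX_CIPHER_GCMP;
    return 0;
}
/* After the fix: aim the pointer at caller-provided storage first, and
 * reject a secure request that arrives without any storage. */
static int ex_setup_fixed(struct ex_target *t, uint8_t *storage,
                          const struct ex_request *req)
{
    t->cipher = storage;       /* the assignment that was missing */
    if (!req->secure)
        return 0;
    if (t->cipher == NULL)
        return -EINVAL;        /* fail the request instead of crashing */
    *t->cipher = EX_CIPHER_GCMP;
    return 0;
}
/* Runs both paths on a secure request; returns how many checks passed (3). */
static int ex_run_checks(void)
{
    struct ex_request secure = { .secure = 1 };
    struct ex_target t;
    uint8_t store = EX_CIPHER_NONE;
    int ok = 0;
    ok += ex_setup_buggy(&t, &secure) == -EFAULT;
    ok += ex_setup_fixed(&t, &store, &secure) == 0 && store == EX_CIPHER_GCMP;
    ok += ex_setup_fixed(&t, NULL, &secure) == -EINVAL;
    return ok;
}
```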

Upstream Patch:
Read the official patch here:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=921ebe7f44

Exploit Details

There’s no published working exploit for remote code execution. This flaw is a classic local DoS (Denial-of-Service). But, in theory, a local user or even a buggy userspace process fiddling with WiFi settings (especially using advanced features, mesh networking, or location services) could trigger the bug and crash the machine. In environments with automated WiFi scans or mesh setups, it could trigger randomly, leading to random kernel panics.

Here's a mockup using Linux wireless tools:

# This would require special privileges and private test code!
iw dev wlan pmsr start secure=1 cipher=none

*(Don’t try this at home unless you know exactly what you’re doing!)*

Who’s Affected?

- Any Linux system running the Intel WiFi (iwlwifi) driver on a kernel version that predates the fix and has not yet received the patch.

References

- Official CVE entry for CVE-2024-49857 (MITRE)
- Upstream kernel patch, explanation in the commit message
- iwlwifi driver source
- Linux Kernel Mailing List: wifi: iwlwifi: mvm: set the cipher for secured NDP ranging

Stay safe, stay updated.

*This technical deep-dive was written to help Linux users and sysadmins understand CVE-2024-49857 quickly and precisely. For more details, follow the links above!*

Timeline

Published on: 10/21/2024 13:15:06 UTC
Last modified on: 10/22/2024 15:48:42 UTC