CVE-2024-53156 - Out-of-Bounds Array Access in Linux Kernel ath9k WiFi Driver (htc_connect

A security vulnerability, now identified as CVE-2024-53156, was found and fixed in the Linux kernel's WiFi subsystem, specifically in the ath9k driver. If you're running Linux with Atheros wireless cards and using the ath9k driver, this issue is highly relevant to you, especially if you're running on kernels before the fix. This long-read post will break down what happened, why it's important, show you the specific code involved, original references, and share details allowing for deeper understanding.

Component: Linux Kernel, ath9k WiFi driver

- Location: drivers/net/wireless/ath/ath9k/htc_hst.c

What Went Wrong?

A fuzz test revealed an array index out-of-bounds vulnerability in the ath9k WiFi driver. The issue appeared when the driver handled HTC (Host Target Communication) connect_service requests. Due to a missing range check for the conn_rsp_epid value, out-of-bounds array access became possible, potentially leading to a crash (DoS) or worse under certain circumstances.

Bug Details: How It Was Triggered

When the kernel processed HTC connect service responses, the attacker (or a malformed device/firmware or amplified by malicious USB WiFi dongles, etc.) could cause the driver to access and even modify out-of-bounds memory. This is a serious bug for system stability and kernel security.

Take a look at the kernel's feedback when the bug was triggered

UBSAN: array-index-out-of-bounds in drivers/net/wireless/ath/ath9k/htc_hst.c:26:51
index 255 is out of range for type 'htc_endpoint [22]'
CPU:  UID:  PID: 8 Comm: kworker/: Not tainted 6.11.-rc6-dirty #14
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.-1 04/01/2014
Workqueue: events request_firmware_work_func
Call Trace:
 <TASK>
 dump_stack_lvl+x180/x1b
 __ubsan_handle_out_of_bounds+xd4/x130
 htc_issue_send.constprop.+x20c/x230
 ? _raw_spin_unlock_irqrestore+x3c/x70
 ath9k_wmi_cmd+x41d/x610
 ? mark_held_locks+x9f/xe
 ...

Translation: The kernel is screaming about an invalid access — trying to use index 255 in an array that's only 22 elements long. Not good!

Vulnerable Code

// drivers/net/wireless/ath/ath9k/htc_hst.c
// Hypothetical vulnerable snippet:
void htc_connect_service(...) {
    ...
    htc->endpoint[conn_rsp_epid].service_id = ...; // conn_rsp_epid fully untrusted!
    ...
}

What's Wrong?

conn_rsp_epid is set by input, but never checked. An attacker can set this to 255 (or other large value), causing code to read/write far beyond the bounds of the endpoint array (which is only 22 elements).

The Fix and Proper Validation

Patch: A check was added to ensure that conn_rsp_epid is within valid bounds before using it. Simple and effective!

### Patched/Fixed Code

#define HTC_EP_COUNT 22 // as defined elsewhere
void htc_connect_service(...) {
    ...
    if (conn_rsp_epid >= HTC_EP_COUNT) {
        /* invalid index, handle error */
        return;
    }
    htc->endpoint[conn_rsp_epid].service_id = ...;
    ...
}

Official Patch Commit:

- ath9k: add range check for conn_rsp_epid in htc_connect_service() — kernel.org

CVE Entry:

- CVE-2024-53156 at cve.org (pending)

ath9k Driver details:

- ath9k driver at kernel.org

Kernel Bugzilla Report:

- Kernel Bugzilla — ath9k HTC range check issue

How Could an Attacker Use This?

Since the endpoint index comes from untrusted channel data, an attacker with local access (or a malicious peripheral/network actor) could cause memory corruption within the kernel:

- Crash System: By sending a connect response with conn_rsp_epid=255, triggering invalid memory access, crashing or destabilizing the kernel.
- Escalate Privileges: If the accessed memory is carefully targeted (hard in most cases, but plausible), a skilled attacker could manipulate kernel memory structures, possibly leading to privilege escalation or undetected backdoors.

Example Exploit Pseudocode (Concept)

// Simulate malicious input to kernel driver:
struct malicious_req {
    ...
    uint8_t endpoint_id = 255; // Far out-of-bounds
    ...
};
// Sent via network, USB, or even WiFi interface (HTC responses)

Who Is Affected?

- Linux systems running kernels 6.11.-rc6 and earlier (until the patch lands in your distribution).

Systems with Atheros WiFi chipsets using the ath9k driver.

- Systems exposed to malicious devices/networks sending forged HTC connect responses.

Recommendations

- Update Your Kernel: Ensure you use a kernel with the patch applied, or verify your vendor's kernel is patched.
- Monitor dmesg/logs: If you see similar kernel OOPS/UBSAN errors about ath9k and out-of-bounds, update immediately.
- Audit Peripherals: Be cautious with untrusted WiFi/USB adapters and networks.

Conclusion

This bug is a classic example of why even trusted subsystems must always validate all externally sourced parameters. CVE-2024-53156 could have been prevented by a simple bounds check. Thanks to fuzzing and timely patching, the kernel remains robust.

Timeline

Published on: 12/24/2024 12:15:23 UTC
Last modified on: 01/20/2025 06:20:00 UTC

CVE-2024-53156 - Out-of-Bounds Array Access in Linux Kernel ath9k WiFi Driver (htc_connect_service)