CVE-2024-57899: Linux Kernel Vulnerability Resolved in WiFi Mac80211 on 32-bit Systems

The Linux kernel recently resolved a notable vulnerability found in the mac80211 stack of the WiFi subsystem, specifically on 32-bit systems. The vulnerability could cause corruption of MBSS changed flags, resulting in the incorrect processing of data. This article will provide a comprehensive analysis of the vulnerability, including code snippets, original references, and details on exploitation targets.

The Vulnerability

The root issue in the mac80211 code was found when searching for a set bit in an unsigned long variable with an expected size of 64 bits, while using the or_each_set_bit() function. This scenario would lead to incorrect bit finding, as the variable's size on a 32-bit system is only 4 bytes, while a u64 is 8 bytes.

Here is the offending code snippet that demonstrates the issue

or_each_set_bit(bit, &bits, sizeof(changed) * BITS_PER_BYTE)

The Solution

To solve this vulnerability, the code must be adjusted to ensure that the size of the bits variable is correctly calculated depending on each architecture. This change will prevent incorrect bit finding in 32-bit systems, essentially resolving the vulnerability.

Below is the call trace showing the issue in the affected code

Call Trace:
  ? show_regs+x54/x58
  ? __warn+x6b/xd4
  ? ieee80211_link_info_change_notify+xcc/xd4 [mac80211]
  ? report_bug+x113/x150
  ? exc_overflow+x30/x30
  ? handle_bug+x27/x44
  ? exc_invalid_op+x18/x50
  ? handle_exception+xf6/xf6
  ? exc_overflow+x30/x30
  ? ieee80211_link_info_change_notify+xcc/xd4 [mac80211]
  ? exc_overflow+x30/x30
  ? ieee80211_link_info_change_notify+xcc/xd4 [mac80211]
  ? ieee80211_mesh_work+xff/x260 [mac80211]
  ? cfg80211_wiphy_work+x72/x98 [cfg80211]
  ? process_one_work+xf1/x1fc
  ? worker_thread+x2c/x3b4
  ? kthread+xc7/xf
  ? mod_delayed_work_on+x4c/x4c
  ? kthread_complete_and_exit+x14/x14
  ? ret_from_fork+x24/x38
  ? kthread_complete_and_exit+x14/x14
  ? ret_from_fork_asm+xf/x14
  ? entry_INT80_32+xf/xf

This fix improved the kernel by restoring the no-op path for scenarios with no changes.

Exploit Details

This vulnerability can affect 32-bit systems and their WiFi subsystems by causing incorrect processing of data, ultimately leading to potential data corruption or other unintended behavior. While this exploit may not be directly traceable by attackers, it could expose systems to security risks if not fixed.

For more information regarding the original reference and the specific details about the CVE-2024-57899, the Linux kernel sources and commit logs can be accessed through their official repositories.

In conclusion, the CVE-2024-57899 vulnerability has been successfully resolved in the Linux kernel and specifically targets the WiFi mac80211 code on 32-bit systems. By ensuring that the correct size of the bits variable is used, the vulnerability has been addressed, and any potential exploits have been mitigated.

Timeline

Published on: 01/15/2025 13:15:14 UTC
Last modified on: 01/20/2025 06:29:10 UTC