CVE-2024-57995

Summary

In the Linux kernel, the following vulnerability has been resolved:

wifi: ath12k: fix read pointer after free in ath12k_mac_assign_vif_to_vdev()

In ath12k_mac_assign_vif_to_vdev(), if arvif is created on a different radio, it gets deleted from that radio through a call to ath12k_mac_unassign_link_vif(). This action frees the arvif pointer. Subsequently, there is a check involving arvif, which will result in a read-after-free scenario.

Fix this by moving this check after arvif is again assigned via call to ath12k_mac_assign_link_vif().

Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.3.1-00173-QCAHKSWPL_SILICONZ-1

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxb5068bc9180d06a5ac242b0f9263047c14f86211 < 57100b87c77818cb0d582a92e5cb32fff85c757daffected
LinuxLinuxb5068bc9180d06a5ac242b0f9263047c14f86211 < f3a95a312419e4f1e992525917da9dbcd247038faffected
LinuxLinuxb5068bc9180d06a5ac242b0f9263047c14f86211 < 5a10971c7645a95f5d5dc23c26fbac4bf61801d0affected
LinuxLinux6.10affected
LinuxLinux0 < 6.10unaffected
LinuxLinux6.12.57 <= 6.12.*unaffected
LinuxLinux6.13.2 <= 6.13.*unaffected
LinuxLinux6.14 <= *unaffected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References