CVE-2024-40911

CVE Details

Release Date:

2024-07-12

Description

In the Linux kernel, the following vulnerability has been resolved:\nwifi: cfg80211: Lock wiphy in cfg80211_get_station\nWiphy should be locked before calling rdev_get_station() (see lockdep\nassert in ieee80211_get_station()).\nThis fixes the following kernel NULL dereference:\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000050\nMem abort info:\nESR = 0x0000000096000006\nEC = 0x25: DABT (current EL), IL = 32 bits\nSET = 0, FnV = 0\nEA = 0, S1PTW = 0\nFSC = 0x06: level 2 translation fault\nData abort info:\nISV = 0, ISS = 0x00000006\nCM = 0, WnR = 0\nuser pgtable: 4k pages, 48-bit VAs, pgdp=0000000003001000\n[0000000000000050] pgd=0800000002dca003, p4d=0800000002dca003, pud=08000000028e9003, pmd=0000000000000000\nInternal error: Oops: 0000000096000006 [#1] SMP\nModules linked in: netconsole dwc3_meson_g12a dwc3_of_simple dwc3 ip_gre gre ath10k_pci ath10k_core ath9k ath9k_common ath9k_hw ath\nCPU: 0 PID: 1091 Comm: kworker/u8:0 Not tainted 6.4.0-02144-g565f9a3a7911-dirty #705\nHardware name: RPT (r1) (DT)\nWorkqueue: bat_events batadv_v_elp_throughput_metric_update\npstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : ath10k_sta_statistics+0x10/0x2dc [ath10k_core]\nlr : sta_set_sinfo+0xcc/0xbd4\nsp : ffff000007b43ad0\nx29: ffff000007b43ad0 x28: ffff0000071fa900 x27: ffff00000294ca98\nx26: ffff000006830880 x25: ffff000006830880 x24: ffff00000294c000\nx23: 0000000000000001 x22: ffff000007b43c90 x21: ffff800008898acc\nx20: ffff00000294c6e8 x19: ffff000007b43c90 x18: 0000000000000000\nx17: 445946354d552d78 x16: 62661f7200000000 x15: 57464f445946354d\nx14: 0000000000000000 x13: 00000000000000e3 x12: d5f0acbcebea978e\nx11: 00000000000000e3 x10: 000000010048fe41 x9 : 0000000000000000\nx8 : ffff000007b43d90 x7 : 000000007a1e2125 x6 : 0000000000000000\nx5 : ffff0000024e0900 x4 : ffff800000a0250c x3 : ffff000007b43c90\nx2 : ffff00000294ca98 x1 : ffff000006831920 x0 : 0000000000000000\nCall trace:\nath10k_sta_statistics+0x10/0x2dc [ath10k_core]\nsta_set_sinfo+0xcc/0xbd4\nieee80211_get_station+0x2c/0x44\ncfg80211_get_station+0x80/0x154\nbatadv_v_elp_get_throughput+0x138/0x1fc\nbatadv_v_elp_throughput_metric_update+0x1c/0xa4\nprocess_one_work+0x1ec/0x414\nworker_thread+0x70/0x46c\nkthread+0xdc/0xe0\nret_from_fork+0x10/0x20\nCode: a9bb7bfd 910003fd a90153f3 f9411c40 (f9402814)\nThis happens because STA has time to disconnect and reconnect before\nbatadv_v_elp_throughput_metric_update() delayed work gets scheduled. In\nthis situation, ath10k_sta_state() can be in the middle of resetting\narsta data when the work queue get chance to be scheduled and ends up\naccessing it. Locking wiphy prevents that.

See more information about CVE-2024-40911 from MITRE CVE dictionary and NIST NVD

CVSS Scoring

NOTE: The following CVSS v3.1 metrics and score provided are preliminary and subject to review.

Base Score:	4.4	CVSS Vector:	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Attack Vector:	Local network	Attack Complexity:	Low
Privileges Required:	High	User Interaction:	None
Scope:	Unchanged	Confidentiality Impact:	None
Integrity Impact:	None	Availability Impact:	High

Errata information

Platform	Errata	Release Date
Oracle Linux version 8 (kernel-uek)	ELSA-2024-12618	2024-09-12
Oracle Linux version 9 (kernel)	ELSA-2024-5928	2024-08-28
Oracle Linux version 9 (kernel-uek)	ELSA-2024-12618	2024-09-12