CVE-2024-42114 in Linuxinfo

Summary

by MITRE • 07/30/2024

In the Linux kernel, the following vulnerability has been resolved:

wifi: cfg80211: restrict NL80211_ATTR_TXQ_QUANTUM values

syzbot is able to trigger softlockups, setting NL80211_ATTR_TXQ_QUANTUM to 2^31.

We had a similar issue in sch_fq, fixed with commit d9e15a273306 ("pkt_sched: fq: do not accept silly TCA_FQ_QUANTUM")

watchdog: BUG: soft lockup - CPU#1 stuck for 26s! [kworker/1:0:24]
Modules linked in: irq event stamp: 131135 hardirqs last enabled at (131134): [] __exit_to_kernel_mode arch/arm64/kernel/entry-common.c:85 [inline]
hardirqs last enabled at (131134): [] exit_to_kernel_mode+0xdc/0x10c arch/arm64/kernel/entry-common.c:95
hardirqs last disabled at (131135): [] __el1_irq arch/arm64/kernel/entry-common.c:533 [inline]
hardirqs last disabled at (131135): [] el1_interrupt+0x24/0x68 arch/arm64/kernel/entry-common.c:551
softirqs last enabled at (125892): [] neigh_hh_init net/core/neighbour.c:1538 [inline]
softirqs last enabled at (125892): [] neigh_resolve_output+0x268/0x658 net/core/neighbour.c:1553
softirqs last disabled at (125896): [] local_bh_disable+0x10/0x34 include/linux/bottom_half.h:19
CPU: 1 PID: 24 Comm: kworker/1:0 Not tainted 6.9.0-rc7-syzkaller-gfda5695d692c #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 Workqueue: mld mld_ifc_work pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : __list_del include/linux/list.h:195 [inline]
pc : __list_del_entry include/linux/list.h:218 [inline]
pc : list_move_tail include/linux/list.h:310 [inline]
pc : fq_tin_dequeue include/net/fq_impl.h:112 [inline]
pc : ieee80211_tx_dequeue+0x6b8/0x3b4c net/mac80211/tx.c:3854 lr : __list_del_entry include/linux/list.h:218 [inline]
lr : list_move_tail include/linux/list.h:310 [inline]
lr : fq_tin_dequeue include/net/fq_impl.h:112 [inline]
lr : ieee80211_tx_dequeue+0x67c/0x3b4c net/mac80211/tx.c:3854 sp : ffff800093d36700 x29: ffff800093d36a60 x28: ffff800093d36960 x27: dfff800000000000 x26: ffff0000d800ad50 x25: ffff0000d800abe0 x24: ffff0000d800abf0 x23: ffff0000e0032468 x22: ffff0000e00324d4 x21: ffff0000d800abf0 x20: ffff0000d800abf8 x19: ffff0000d800abf0 x18: ffff800093d363c0 x17: 000000000000d476 x16: ffff8000805519dc x15: ffff7000127a6cc8 x14: 1ffff000127a6cc8 x13: 0000000000000004 x12: ffffffffffffffff x11: ffff7000127a6cc8 x10: 0000000000ff0100 x9 : 0000000000000000 x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000 x5 : ffff80009287aa08 x4 : 0000000000000008 x3 : ffff80008034c7fc x2 : ffff0000e0032468 x1 : 00000000da0e46b8 x0 : ffff0000e0032470 Call trace: __list_del include/linux/list.h:195 [inline]
__list_del_entry include/linux/list.h:218 [inline]
list_move_tail include/linux/list.h:310 [inline]
fq_tin_dequeue include/net/fq_impl.h:112 [inline]
ieee80211_tx_dequeue+0x6b8/0x3b4c net/mac80211/tx.c:3854 wake_tx_push_queue net/mac80211/util.c:294 [inline]
ieee80211_handle_wake_tx_queue+0x118/0x274 net/mac80211/util.c:315 drv_wake_tx_queue net/mac80211/driver-ops.h:1350 [inline]
schedule_and_wake_txq net/mac80211/driver-ops.h:1357 [inline]
ieee80211_queue_skb+0x18e8/0x2244 net/mac80211/tx.c:1664 ieee80211_tx+0x260/0x400 net/mac80211/tx.c:1966 ieee80211_xmit+0x278/0x354 net/mac80211/tx.c:2062 __ieee80211_subif_start_xmit+0xab8/0x122c net/mac80211/tx.c:4338 ieee80211_subif_start_xmit+0xe0/0x438 net/mac80211/tx.c:4532 __netdev_start_xmit include/linux/netdevice.h:4903 [inline]
netdev_start_xmit include/linux/netdevice.h:4917 [inline]
xmit_one net/core/dev.c:3531 [inline]
dev_hard_start_xmit+0x27c/0x938 net/core/dev.c:3547 __dev_queue_xmit+0x1678/0x33fc net/core/dev.c:4341 dev_queue_xmit include/linux/netdevice.h:3091 [inline]
neigh_resolve_output+0x558/0x658 net/core/neighbour.c:1563 neigh_output include/net/neighbour.h:542 [inline]
ip6_fini ---truncated---

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 07/19/2025

The vulnerability CVE-2024-42114 affects the Linux kernel and specifically involves the cfg80211 subsystem which manages wireless configuration. The flaw occurs when the NL80211_ATTR_TXQ_QUANTUM attribute is set to an invalid value of 2^31, leading to a potential soft lockup condition. This issue stems from a lack of input validation in the wireless subsystem, allowing malicious or malformed input to cause system instability. The vulnerability is particularly concerning because it can trigger a soft lockup, where a CPU becomes unresponsive for extended periods, as evidenced by the watchdog reporting a 26-second stall in the kworker thread. The root cause is similar to a previously identified issue in the sch_fq packet scheduler, which was resolved by commit d9e15a273306 that introduced proper bounds checking for TCA_FQ_QUANTUM values. The stack trace shows the execution path leading to the lockup, beginning with ieee80211_tx_dequeue and progressing through various network subsystem functions including fq_tin_dequeue, indicating that the problematic value causes improper list manipulation within the fq scheduler implementation.

The technical flaw manifests in the wireless subsystem's handling of transmission queue quantum values, where the system fails to validate that the quantum parameter remains within acceptable bounds. When an attacker or faulty driver sets NL80211_ATTR_TXQ_QUANTUM to 2^31, this large value causes the scheduler to enter an infinite loop or extremely long processing time, as the system attempts to process an unrealistic quantum size. The issue is categorized under CWE-129 as an "Improper Validation of Array Index" and also relates to CWE-704 as "Incorrect Type Conversion or Cast" since the large value causes unexpected behavior in the scheduler's internal calculations. The operational impact includes system instability, potential denial of service, and complete system lockup, particularly affecting wireless network operations on affected systems. The vulnerability is particularly dangerous in environments where wireless interfaces are actively used, as it can be triggered through legitimate configuration interfaces or potentially through malicious network traffic.

Mitigation strategies for this vulnerability include immediate patch application to the Linux kernel, specifically the fix that restricts NL80211_ATTR_TXQ_QUANTUM values to valid ranges. System administrators should ensure all wireless drivers and applications properly validate input parameters before sending them to the kernel. The fix implements bounds checking similar to the previous sch_fq implementation, ensuring that quantum values are restricted to reasonable limits. Network administrators should monitor wireless subsystem logs for potential exploitation attempts and consider implementing additional input validation at the application layer. This vulnerability aligns with ATT&CK technique T1059.007 for "Command and Scripting Interpreter: Python" in cases where wireless configuration scripts might be exploited, and T1499.004 for "Network Denial of Service" as the soft lockup can effectively render wireless functionality unavailable. Organizations should also consider implementing kernel lockdown mechanisms and restricting wireless configuration interfaces to trusted users only to minimize the attack surface. The fix should be prioritized in environments with active wireless traffic, particularly in enterprise and cloud computing scenarios where system stability is paramount.

Responsible

Linux

Reservation

07/29/2024

Disclosure

07/30/2024

Moderation

accepted

CPE

ready

EPSS

0.00174

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!