CVE-2024-43911 in Linux
Summary
by MITRE • 08/26/2024
In the Linux kernel, the following vulnerability has been resolved:
wifi: mac80211: fix NULL dereference at band check in starting tx ba session
In MLD connection, link_data/link_conf are dynamically allocated. They don't point to vif->bss_conf. So, there will be no chanreq assigned to vif->bss_conf and then the chan will be NULL. Tweak the code to check ht_supported/vht_supported/has_he/has_eht on sta deflink.
Crash log (with rtw89 version under MLO development): [ 9890.526087] BUG: kernel NULL pointer dereference, address: 0000000000000000
[ 9890.526102] #PF: supervisor read access in kernel mode
[ 9890.526105] #PF: error_code(0x0000) - not-present page
[ 9890.526109] PGD 0 P4D 0
[ 9890.526114] Oops: 0000 [#1] PREEMPT SMP PTI
[ 9890.526119] CPU: 2 PID: 6367 Comm: kworker/u16:2 Kdump: loaded Tainted: G OE 6.9.0 #1
[ 9890.526123] Hardware name: LENOVO 2356AD1/2356AD1, BIOS G7ETB3WW (2.73 ) 11/28/2018
[ 9890.526126] Workqueue: phy2 rtw89_core_ba_work [rtw89_core]
[ 9890.526203] RIP: 0010:ieee80211_start_tx_ba_session (net/mac80211/agg-tx.c:618 (discriminator 1)) mac80211
[ 9890.526279] Code: f7 e8 d5 93 3e ea 48 83 c4 28 89 d8 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc 49 8b 84 24 e0 f1 ff ff 48 8b 80 90 1b 00 00 38 03 0f 84 37 fe ff ff bb ea ff ff ff eb cc 49 8b 84 24 10 f3
All code ======== 0: f7 e8 imul %eax 2: d5 (bad) 3: 93 xchg %eax,%ebx 4: 3e ea ds (bad) 6: 48 83 c4 28 add $0x28,%rsp a: 89 d8 mov %ebx,%eax c: 5b pop %rbx d: 41 5c pop %r12 f: 41 5d pop %r13 11: 41 5e pop %r14 13: 41 5f pop %r15 15: 5d pop %rbp 16: c3 retq 17: cc int3 18: cc int3 19: cc int3 1a: cc int3 1b: 49 8b 84 24 e0 f1 ff mov -0xe20(%r12),%rax 22: ff 23: 48 8b 80 90 1b 00 00 mov 0x1b90(%rax),%rax 2a:* 83 38 03 cmpl $0x3,(%rax) <-- trapping instruction 2d: 0f 84 37 fe ff ff je 0xfffffffffffffe6a 33: bb ea ff ff ff mov $0xffffffea,%ebx 38: eb cc jmp 0x6 3a: 49 rex.WB 3b: 8b .byte 0x8b 3c: 84 24 10 test %ah,(%rax,%rdx,1) 3f: f3 repz
Code starting with the faulting instruction =========================================== 0: 83 38 03 cmpl $0x3,(%rax) 3: 0f 84 37 fe ff ff je 0xfffffffffffffe40 9: bb ea ff ff ff mov $0xffffffea,%ebx e: eb cc jmp 0xffffffffffffffdc 10: 49 rex.WB 11: 8b .byte 0x8b 12: 84 24 10 test %ah,(%rax,%rdx,1) 15: f3 repz [ 9890.526285] RSP: 0018:ffffb8db09013d68 EFLAGS: 00010246
[ 9890.526291] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff9308e0d656c8
[ 9890.526295] RDX: 0000000000000000 RSI: ffffffffab99460b RDI: ffffffffab9a7685
[ 9890.526300] RBP: ffffb8db09013db8 R08: 0000000000000000 R09: 0000000000000873
[ 9890.526304] R10: ffff9308e0d64800 R11: 0000000000000002 R12: ffff9308e5ff6e70
[ 9890.526308] R13: ffff930952500e20 R14: ffff9309192a8c00 R15: 0000000000000000
[ 9890.526313] FS: 0000000000000000(0000) GS:ffff930b4e700000(0000) knlGS:0000000000000000
[ 9890.526316] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 9890.526318] CR2: 0000000000000000 CR3: 0000000391c58005 CR4: 00000000001706f0
[ 9890.526321] Call Trace:
[ 9890.526324]
[ 9890.526327] ? show_regs (arch/x86/kernel/dumpstack.c:479)
[ 9890.526335] ? __die (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:434)
[ 9890.526340] ? page_fault_oops (arch/x86/mm/fault.c:713)
[ 9890.526347] ? search_module_extables (kernel/module/main.c:3256 (discriminator
---truncated---
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 11/19/2024
The vulnerability described in CVE-2024-43911 affects the Linux kernel's mac80211 subsystem, specifically within the IEEE 802.11 wireless networking stack. This issue manifests as a NULL pointer dereference during the initiation of a transmission block acknowledgment (BA) session in multi-link operation (MLO) environments. The root cause stems from improper handling of dynamically allocated link data structures in MLO connections, where link_data and link_conf are not tied to vif->bss_conf. In such cases, no channel request is assigned to vif->bss_conf, resulting in a NULL channel pointer that leads to a kernel crash when attempting to access wireless capabilities such as HT, VHT, HE, or EHT support. The crash occurs in the ieee80211_start_tx_ba_session function located in net/mac80211/agg-tx.c at line 618, where the code attempts to dereference a NULL pointer when checking wireless capabilities on a station's default link rather than on the correct data structure.
The technical flaw represents a classic null pointer dereference condition that aligns with CWE-476, which defines NULL pointer dereference as a condition where a null value is used as a pointer. This vulnerability is particularly critical in wireless networking contexts where kernel memory corruption can lead to system instability, denial of service, or potential privilege escalation. The issue specifically impacts devices using the rtw89 driver under MLO development, where the kernel's wireless subsystem fails to properly validate pointer references before accessing wireless configuration data. The crash log indicates that the kernel attempted to access memory at address zero, which is a clear symptom of a NULL pointer dereference. The execution trace shows that the fault occurs in a function that handles transmission block acknowledgment sessions, which are essential for wireless network performance optimization and reliability.
The operational impact of this vulnerability extends beyond simple system crashes, as it can lead to complete wireless connectivity failures in affected devices. In enterprise or embedded environments where wireless networking is critical for operations, such a vulnerability could result in service disruptions that are difficult to diagnose and remediate. The vulnerability affects devices using the Realtek rtw89 driver in multi-link operation mode, which is increasingly common in modern wireless networking equipment that supports advanced 802.11 standards. From an ATT&CK perspective, this vulnerability could be leveraged in a denial of service attack against wireless infrastructure, potentially disrupting network services and requiring system reboots or driver updates to resolve. The vulnerability is particularly concerning because it can be triggered by normal wireless network operations without requiring special privileges or user interaction.
Mitigation strategies for this vulnerability include immediate kernel updates that implement the fix for the mac80211 subsystem, ensuring that wireless capabilities are checked against the correct data structures rather than potentially NULL pointers. System administrators should prioritize applying kernel patches that address the specific NULL pointer dereference in the ieee80211_start_tx_ba_session function, particularly in environments where MLO or multi-link wireless operations are in use. The fix involves modifying the code to check ht_supported, vht_supported, has_he, and has_eht flags on the station's default link rather than on potentially NULL bss_conf structures. Additionally, monitoring wireless network operations for unexpected crashes or connectivity issues can help identify systems affected by this vulnerability. Organizations should also consider implementing network segmentation and redundancy measures to minimize the impact of potential wireless service disruptions while patches are being deployed. The vulnerability demonstrates the importance of proper memory management in kernel space and highlights the need for comprehensive testing of wireless networking drivers in complex multi-link scenarios.