CVE-2024-50236 in Linuxinfo

Summary

by MITRE • 11/09/2024

In the Linux kernel, the following vulnerability has been resolved:

wifi: ath10k: Fix memory leak in management tx

In the current logic, memory is allocated for storing the MSDU context during management packet TX but this memory is not being freed during management TX completion. Similar leaks are seen in the management TX cleanup logic.

Kmemleak reports this problem as below,

unreferenced object 0xffffff80b64ed250 (size 16): comm "kworker/u16:7", pid 148, jiffies 4294687130 (age 714.199s) hex dump (first 16 bytes): 00 2b d8 d8 80 ff ff ff c4 74 e9 fd 07 00 00 00 .+.......t...... backtrace: [] __kmem_cache_alloc_node+0x1e4/0x2d8
[] kmalloc_trace+0x48/0x110
[] ath10k_wmi_tlv_op_gen_mgmt_tx_send+0xd4/0x1d8 [ath10k_core]
[] ath10k_mgmt_over_wmi_tx_work+0x134/0x298 [ath10k_core]
[] process_scheduled_works+0x1ac/0x400
[] worker_thread+0x208/0x328
[] kthread+0x100/0x1c0
[] ret_from_fork+0x10/0x20

Free the memory during completion and cleanup to fix the leak.

Protect the mgmt_pending_tx idr_remove() operation in ath10k_wmi_tlv_op_cleanup_mgmt_tx_send() using ar->data_lock similar to other instances.

Tested-on: WCN3990 hw1.0 SNOC WLAN.HL.2.0-01387-QCAHLSWMTPLZ-1

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 07/16/2025

The vulnerability identified as CVE-2024-50236 represents a memory leak within the Linux kernel's wireless subsystem, specifically affecting the ath10k driver used for Qualcomm Wi-Fi chipsets. This issue occurs during the transmission of management packets through the wireless medium, where the kernel fails to properly release allocated memory resources after transmission completion. The problem manifests as a persistent memory allocation that remains unreferenced, creating a condition that can lead to progressive memory exhaustion over time. The memory leak affects the MSDU (Medium Access Control Service Data Unit) context storage mechanism, which is essential for managing wireless management frame transmissions. The vulnerability was detected through kmemleak analysis, a kernel debugging tool designed to identify unreferenced kernel memory allocations that could indicate memory leaks.

The technical flaw stems from improper memory management within the ath10k wireless driver's management transmission logic. During the process of sending management packets, the driver allocates memory to store the MSDU context but fails to execute proper cleanup operations when transmission completes. This oversight creates a situation where allocated kernel memory remains in use but is no longer accessible through normal reference paths. The memory leak is particularly concerning because it occurs in the kernel's wireless subsystem, which operates with elevated privileges and handles critical network communication functions. The backtrace analysis reveals the memory allocation path through standard kernel memory allocation functions including __kmem_cache_alloc_node and kmalloc_trace, indicating that this is a fundamental memory management issue within the driver's operational flow. The leak affects a 16-byte memory block and occurs in the ath10k_wmi_tlv_op_gen_mgmt_tx_send function, which is part of the wireless management interface layer.

The operational impact of this memory leak extends beyond simple resource consumption, potentially leading to system instability and performance degradation in wireless-enabled devices. As the leak accumulates over time, it can contribute to memory pressure that affects overall system performance, particularly on devices with limited memory resources. The vulnerability affects devices running the WCN3990 hardware platform, which is commonly found in various mobile and embedded systems where wireless connectivity is essential. The memory exhaustion could result in system slowdowns, application crashes, or in severe cases, complete system instability. Additionally, the issue impacts the reliability of wireless management operations, potentially causing intermittent connectivity problems or failed management frame transmissions that could affect network security and functionality. The problem is exacerbated by the fact that similar memory leaks exist in the management transmission cleanup logic, suggesting a systemic issue in how the driver handles memory allocation and deallocation for management frames.

The recommended mitigation strategy involves implementing proper memory cleanup operations during both normal completion and error cleanup scenarios for management packet transmissions. The fix requires ensuring that memory allocated for MSDU context is freed appropriately when management transmission completes, while also protecting the mgmt_pending_tx idr_remove() operation with the existing ar->data_lock mechanism. This approach aligns with established kernel development practices for memory management and prevents the accumulation of unreferenced memory blocks. The solution addresses the root cause by ensuring that all allocated resources are properly returned to the kernel's memory management system. The fix also includes synchronizing access to shared data structures using existing locking mechanisms, which prevents race conditions and ensures data integrity during concurrent management frame operations. This remediation approach follows standard kernel security practices and aligns with the principles outlined in CWE-401 (Improper Release of Memory) and ATT&CK technique T1490 (Inhibit System Recovery) by preventing resource exhaustion that could lead to system instability or denial of service conditions. The implementation should be tested thoroughly on affected hardware platforms to ensure that the memory leak is resolved without introducing regressions in wireless functionality or performance.

Responsible

Linux

Reservation

10/21/2024

Disclosure

11/09/2024

Moderation

accepted

CPE

ready

EPSS

0.00261

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!