{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-56541", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-12-27T14:03:05.988Z", "datePublished": "2024-12-27T14:11:23.219Z", "dateUpdated": "2024-12-27T14:11:23.219Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-12-27T14:11:23.219Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: fix use-after-free in ath12k_dp_cc_cleanup()\n\nDuring ath12k module removal, in ath12k_core_deinit(),\nath12k_mac_destroy() un-registers ah->hw from mac80211 and frees\nthe ah->hw as well as all the ar's in it. After this\nath12k_core_soc_destroy()-> ath12k_dp_free()-> ath12k_dp_cc_cleanup()\ntries to access one of the freed ar's from pending skb.\n\nThis is because during mac destroy, driver failed to flush few\ndata packets, which were accessed later in ath12k_dp_cc_cleanup()\nand freed, but using ar from the packet led to this use-after-free.\n\nBUG: KASAN: use-after-free in ath12k_dp_cc_cleanup.part.0+0x5e2/0xd40 [ath12k]\nWrite of size 4 at addr ffff888150bd3514 by task modprobe/8926\nCPU: 0 UID: 0 PID: 8926 Comm: modprobe Not tainted\n6.11.0-rc2-wt-ath+ #1746\nHardware name: Intel(R) Client Systems NUC8i7HVK/NUC8i7HVB, BIOS\nHNKBLi70.86A.0067.2021.0528.1339 05/28/2021\n\nCall Trace:\n <TASK>\n dump_stack_lvl+0x7d/0xe0\n print_address_description.constprop.0+0x33/0x3a0\n print_report+0xb5/0x260\n ? kasan_addr_to_slab+0x24/0x80\n kasan_report+0xd8/0x110\n ? ath12k_dp_cc_cleanup.part.0+0x5e2/0xd40 [ath12k]\n ? ath12k_dp_cc_cleanup.part.0+0x5e2/0xd40 [ath12k]\n kasan_check_range+0xf3/0x1a0\n __kasan_check_write+0x14/0x20\n ath12k_dp_cc_cleanup.part.0+0x5e2/0xd40 [ath12k]\n ath12k_dp_free+0x178/0x420 [ath12k]\n ath12k_core_stop+0x176/0x200 [ath12k]\n ath12k_core_deinit+0x13f/0x210 [ath12k]\n ath12k_pci_remove+0xad/0x1c0 [ath12k]\n pci_device_remove+0x9b/0x1b0\n device_remove+0xbf/0x150\n device_release_driver_internal+0x3c3/0x580\n ? __kasan_check_read+0x11/0x20\n driver_detach+0xc4/0x190\n bus_remove_driver+0x130/0x2a0\n driver_unregister+0x68/0x90\n pci_unregister_driver+0x24/0x240\n ? find_module_all+0x13e/0x1e0\n ath12k_pci_exit+0x10/0x20 [ath12k]\n __do_sys_delete_module+0x32c/0x580\n ? module_flags+0x2f0/0x2f0\n ? kmem_cache_free+0xf0/0x410\n ? __fput+0x56f/0xab0\n ? __fput+0x56f/0xab0\n ? debug_smp_processor_id+0x17/0x20\n __x64_sys_delete_module+0x4f/0x70\n x64_sys_call+0x522/0x9f0\n do_syscall_64+0x64/0x130\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\nRIP: 0033:0x7f8182c6ac8b\n\nCommit 24de1b7b231c (\"wifi: ath12k: fix flush failure in recovery\nscenarios\") added the change to decrement the pending packets count\nin case of recovery which make sense as ah->hw as well all\nar's in it are intact during recovery, but during core deinit there\nis no use in decrementing packets count or waking up the empty waitq\nas the module is going to be removed also ar's from pending skb's\ncan't be used and the packets should just be released back.\n\nTo fix this, avoid accessing ar from skb->cb when driver is being\nunregistered.\n\nTested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.1.1-00214-QCAHKSWPL_SILICONZ-1\nTested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/wireless/ath/ath12k/dp.c"], "versions": [{"version": "24de1b7b231cf01d08d12db26e66b0c46253a7da", "lessThan": "e5e15c8b42923bfb6c84d3d906a9965d9a0f111d", "status": "affected", "versionType": "git"}, {"version": "24de1b7b231cf01d08d12db26e66b0c46253a7da", "lessThan": "35be5018a2a4d1b07bdfcf957c81121d22d16355", "status": "affected", "versionType": "git"}, {"version": "24de1b7b231cf01d08d12db26e66b0c46253a7da", "lessThan": "bdb281103373fd80eb5c91cede1e115ba270b4e9", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/wireless/ath/ath12k/dp.c"], "versions": [{"version": "6.10", "status": "affected"}, {"version": "0", "lessThan": "6.10", "status": "unaffected", "versionType": "semver"}, {"version": "6.11.11", "lessThanOrEqual": "6.11.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.2", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.13-rc1", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/e5e15c8b42923bfb6c84d3d906a9965d9a0f111d"}, {"url": "https://git.kernel.org/stable/c/35be5018a2a4d1b07bdfcf957c81121d22d16355"}, {"url": "https://git.kernel.org/stable/c/bdb281103373fd80eb5c91cede1e115ba270b4e9"}], "title": "wifi: ath12k: fix use-after-free in ath12k_dp_cc_cleanup()", "x_generator": {"engine": "bippy-5f407fcff5a0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "158A6B22-9260-41D7-965A-A81798A5A969", "versionEndExcluding": "6.11.11", "versionStartIncluding": "6.10", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "D8882B1B-2ABC-4838-AC1D-DBDBB5764776", "versionEndExcluding": "6.12.2", "versionStartIncluding": "6.12", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: fix use-after-free in ath12k_dp_cc_cleanup()\n\nDuring ath12k module removal, in ath12k_core_deinit(),\nath12k_mac_destroy() un-registers ah->hw from mac80211 and frees\nthe ah->hw as well as all the ar's in it. After this\nath12k_core_soc_destroy()-> ath12k_dp_free()-> ath12k_dp_cc_cleanup()\ntries to access one of the freed ar's from pending skb.\n\nThis is because during mac destroy, driver failed to flush few\ndata packets, which were accessed later in ath12k_dp_cc_cleanup()\nand freed, but using ar from the packet led to this use-after-free.\n\nBUG: KASAN: use-after-free in ath12k_dp_cc_cleanup.part.0+0x5e2/0xd40 [ath12k]\nWrite of size 4 at addr ffff888150bd3514 by task modprobe/8926\nCPU: 0 UID: 0 PID: 8926 Comm: modprobe Not tainted\n6.11.0-rc2-wt-ath+ #1746\nHardware name: Intel(R) Client Systems NUC8i7HVK/NUC8i7HVB, BIOS\nHNKBLi70.86A.0067.2021.0528.1339 05/28/2021\n\nCall Trace:\n <TASK>\n dump_stack_lvl+0x7d/0xe0\n print_address_description.constprop.0+0x33/0x3a0\n print_report+0xb5/0x260\n ? kasan_addr_to_slab+0x24/0x80\n kasan_report+0xd8/0x110\n ? ath12k_dp_cc_cleanup.part.0+0x5e2/0xd40 [ath12k]\n ? ath12k_dp_cc_cleanup.part.0+0x5e2/0xd40 [ath12k]\n kasan_check_range+0xf3/0x1a0\n __kasan_check_write+0x14/0x20\n ath12k_dp_cc_cleanup.part.0+0x5e2/0xd40 [ath12k]\n ath12k_dp_free+0x178/0x420 [ath12k]\n ath12k_core_stop+0x176/0x200 [ath12k]\n ath12k_core_deinit+0x13f/0x210 [ath12k]\n ath12k_pci_remove+0xad/0x1c0 [ath12k]\n pci_device_remove+0x9b/0x1b0\n device_remove+0xbf/0x150\n device_release_driver_internal+0x3c3/0x580\n ? __kasan_check_read+0x11/0x20\n driver_detach+0xc4/0x190\n bus_remove_driver+0x130/0x2a0\n driver_unregister+0x68/0x90\n pci_unregister_driver+0x24/0x240\n ? find_module_all+0x13e/0x1e0\n ath12k_pci_exit+0x10/0x20 [ath12k]\n __do_sys_delete_module+0x32c/0x580\n ? module_flags+0x2f0/0x2f0\n ? kmem_cache_free+0xf0/0x410\n ? __fput+0x56f/0xab0\n ? __fput+0x56f/0xab0\n ? debug_smp_processor_id+0x17/0x20\n __x64_sys_delete_module+0x4f/0x70\n x64_sys_call+0x522/0x9f0\n do_syscall_64+0x64/0x130\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\nRIP: 0033:0x7f8182c6ac8b\n\nCommit 24de1b7b231c (\"wifi: ath12k: fix flush failure in recovery\nscenarios\") added the change to decrement the pending packets count\nin case of recovery which make sense as ah->hw as well all\nar's in it are intact during recovery, but during core deinit there\nis no use in decrementing packets count or waking up the empty waitq\nas the module is going to be removed also ar's from pending skb's\ncan't be used and the packets should just be released back.\n\nTo fix this, avoid accessing ar from skb->cb when driver is being\nunregistered.\n\nTested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.1.1-00214-QCAHKSWPL_SILICONZ-1\nTested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: wifi: ath12k: arreglo de use-after-free en ath12k_dp_cc_cleanup() Durante la eliminaci\u00f3n del m\u00f3dulo ath12k, en ath12k_core_deinit(), ath12k_mac_destroy() anula el registro de ah-&gt;hw de mac80211 y libera el ah-&gt;hw as\u00ed como todos los ar en \u00e9l. Despu\u00e9s de esto, ath12k_core_soc_destroy()-&gt; ath12k_dp_free()-&gt; ath12k_dp_cc_cleanup() intenta acceder a uno de los ar liberados del skb pendiente. Esto se debe a que durante la destrucci\u00f3n de mac, el controlador no pudo limpiar algunos paquetes de datos, a los que se accedi\u00f3 m\u00e1s tarde en ath12k_dp_cc_cleanup() y se liberaron, pero el uso de ar del paquete provoc\u00f3 este use-after-free. ERROR: KASAN: use-after-free en ath12k_dp_cc_cleanup.part.0+0x5e2/0xd40 [ath12k] Escritura de tama\u00f1o 4 en la direcci\u00f3n ffff888150bd3514 por la tarea modprobe/8926 CPU: 0 UID: 0 PID: 8926 Comm: modprobe No contaminado 6.11.0-rc2-wt-ath+ #1746 Nombre del hardware: Intel(R) Client Systems NUC8i7HVK/NUC8i7HVB, BIOS HNKBLi70.86A.0067.2021.0528.1339 28/05/2021 Seguimiento de llamadas: dump_stack_lvl+0x7d/0xe0 direcci\u00f3n_de_impresi\u00f3n_descripci\u00f3n.constprop.0+0x33/0x3a0 informe_de_impresi\u00f3n+0xb5/0x260 ? direcci\u00f3n_kasan_a_losa+0x24/0x80 informe_kasan+0xd8/0x110 ? ath12k_dp_cc_cleanup.part.0+0x5e2/0xd40 [ath12k] ? ath12k_dp_cc_cleanup.part.0+0x5e2/0xd40 [ath12k] rango de comprobaci\u00f3n de kasan+0xf3/0x1a0 __comprobaci\u00f3n de escritura de kasan+0x14/0x20 ath12k_dp_cc_cleanup.part.0+0x5e2/0xd40 [ath12k] dp_free+0x178/0x420 [ath12k] n\u00facleo_detenci\u00f3n+0x176/0x200 [ath12k] n\u00facleo_deinit+0x13f/0x210 [ath12k] eliminaci\u00f3n de pci+0xad/0x1c0 [ath12k] eliminaci\u00f3n de dispositivo pci+0x9b/0x1b0 dispositivo_eliminar+0xbf/0x150 dispositivo_liberaci\u00f3n_controlador_interno+0x3c3/0x580 ? __kasan_check_read+0x11/0x20 controlador_desconectar+0xc4/0x190 bus_eliminar_controlador+0x130/0x2a0 controlador_anular_registro+0x68/0x90 pci_anular_registro_controlador+0x24/0x240 ? buscar_m\u00f3dulo_todos+0x13e/0x1e0 ath12k_pci_exit+0x10/0x20 [ath12k] __do_sys_eliminar_m\u00f3dulo+0x32c/0x580 ? m\u00f3dulo_indicadores+0x2f0/0x2f0 ? kmem_cache_libre+0xf0/0x410 ? __fput+0x56f/0xab0 ? __fput+0x56f/0xab0 ? debug_smp_processor_id+0x17/0x20 __x64_sys_delete_module+0x4f/0x70 x64_sys_call+0x522/0x9f0 do_syscall_64+0x64/0x130 entry_SYSCALL_64_after_hwframe+0x4b/0x53 RIP: 0033:0x7f8182c6ac8b Commit 24de1b7b231c (\"wifi: ath12k: corregir falla de vaciado en escenarios de recuperaci\u00f3n\") agreg\u00f3 el cambio para disminuir el conteo de paquetes pendientes en caso de recuperaci\u00f3n, lo que tiene sentido ya que ah-&gt;hw y todos los ar en \u00e9l est\u00e1n intactos durante la recuperaci\u00f3n, pero durante la desincializaci\u00f3n del n\u00facleo no tiene sentido disminuir el conteo de paquetes o despertar el waitq vac\u00edo ya que el m\u00f3dulo tambi\u00e9n se eliminar\u00e1. Los paquetes de skb pendientes no se pueden usar y los paquetes deber\u00edan simplemente liberarse. Para solucionar esto, evite acceder a ar desde skb-&gt;cb cuando se est\u00e1 anulando el registro del controlador. Probado en: QCN9274 hw2.0 PCI WLAN.WBE.1.1.1-00214-QCAHKSWPL_SILICONZ-1 Probado en: WCN7850 hw2.0 PCI WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3"}], "id": "CVE-2024-56541", "lastModified": "2025-01-08T21:25:24.730", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-12-27T14:15:33.767", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/35be5018a2a4d1b07bdfcf957c81121d22d16355"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/bdb281103373fd80eb5c91cede1e115ba270b4e9"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/e5e15c8b42923bfb6c84d3d906a9965d9a0f111d"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: wifi: ath12k: fix use-after-free in ath12k_dp_cc_cleanup()", "id": "2334456", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2334456"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\nwifi: ath12k: fix use-after-free in ath12k_dp_cc_cleanup()\nDuring ath12k module removal, in ath12k_core_deinit(),\nath12k_mac_destroy() un-registers ah->hw from mac80211 and frees\nthe ah->hw as well as all the ar's in it. After this\nath12k_core_soc_destroy()-> ath12k_dp_free()-> ath12k_dp_cc_cleanup()\ntries to access one of the freed ar's from pending skb.\nThis is because during mac destroy, driver failed to flush few\ndata packets, which were accessed later in ath12k_dp_cc_cleanup()\nand freed, but using ar from the packet led to this use-after-free.\nBUG: KASAN: use-after-free in ath12k_dp_cc_cleanup.part.0+0x5e2/0xd40 [ath12k]\nWrite of size 4 at addr ffff888150bd3514 by task modprobe/8926\nCPU: 0 UID: 0 PID: 8926 Comm: modprobe Not tainted\n6.11.0-rc2-wt-ath+ #1746\nHardware name: Intel(R) Client Systems NUC8i7HVK/NUC8i7HVB, BIOS\nHNKBLi70.86A.0067.2021.0528.1339 05/28/2021\nCall Trace:\n<TASK>\ndump_stack_lvl+0x7d/0xe0\nprint_address_description.constprop.0+0x33/0x3a0\nprint_report+0xb5/0x260\n? kasan_addr_to_slab+0x24/0x80\nkasan_report+0xd8/0x110\n? ath12k_dp_cc_cleanup.part.0+0x5e2/0xd40 [ath12k]\n? ath12k_dp_cc_cleanup.part.0+0x5e2/0xd40 [ath12k]\nkasan_check_range+0xf3/0x1a0\n__kasan_check_write+0x14/0x20\nath12k_dp_cc_cleanup.part.0+0x5e2/0xd40 [ath12k]\nath12k_dp_free+0x178/0x420 [ath12k]\nath12k_core_stop+0x176/0x200 [ath12k]\nath12k_core_deinit+0x13f/0x210 [ath12k]\nath12k_pci_remove+0xad/0x1c0 [ath12k]\npci_device_remove+0x9b/0x1b0\ndevice_remove+0xbf/0x150\ndevice_release_driver_internal+0x3c3/0x580\n? __kasan_check_read+0x11/0x20\ndriver_detach+0xc4/0x190\nbus_remove_driver+0x130/0x2a0\ndriver_unregister+0x68/0x90\npci_unregister_driver+0x24/0x240\n? find_module_all+0x13e/0x1e0\nath12k_pci_exit+0x10/0x20 [ath12k]\n__do_sys_delete_module+0x32c/0x580\n? module_flags+0x2f0/0x2f0\n? kmem_cache_free+0xf0/0x410\n? __fput+0x56f/0xab0\n? __fput+0x56f/0xab0\n? debug_smp_processor_id+0x17/0x20\n__x64_sys_delete_module+0x4f/0x70\nx64_sys_call+0x522/0x9f0\ndo_syscall_64+0x64/0x130\nentry_SYSCALL_64_after_hwframe+0x4b/0x53\nRIP: 0033:0x7f8182c6ac8b\nCommit 24de1b7b231c (\"wifi: ath12k: fix flush failure in recovery\nscenarios\") added the change to decrement the pending packets count\nin case of recovery which make sense as ah->hw as well all\nar's in it are intact during recovery, but during core deinit there\nis no use in decrementing packets count or waking up the empty waitq\nas the module is going to be removed also ar's from pending skb's\ncan't be used and the packets should just be released back.\nTo fix this, avoid accessing ar from skb->cb when driver is being\nunregistered.\nTested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.1.1-00214-QCAHKSWPL_SILICONZ-1\nTested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3"], "name": "CVE-2024-56541", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-12-27T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-56541\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-56541\nhttps://lore.kernel.org/linux-cve-announce/2024122727-CVE-2024-56541-1c83@gregkh/T"], "threat_severity": "Moderate"}