CVE-2024-56599
CVSS 3.1 Score 5.5 of 10 (medium)
Summary
CVE-2024-56599 is a vulnerability in the Linux kernel's ath10k Wi-Fi driver. The issue arises when the driver is removed with 'rmmod ath10k': the sdio workqueue is destroyed after ath10k_core_destroy() has already run, which leads to a NULL pointer dereference in destroy_workqueue(). The wiphy_dev_release() function, called from ath10k_core_destroy(), frees the struct cfg80211_registered_device *rdev together with its members, including the sdio workqueue pointer. With CONFIG_INIT_ON_FREE_DEFAULT_ON enabled, the freed memory is zeroed, so destroy_workqueue() is then handed a NULL pointer and the kernel panics.

To mitigate this, destroy_workqueue() should be called before ath10k_core_destroy(), so that the workqueue is freed while its pointer is still valid. No work is queued on the sdio workqueue between its destruction and the ath10k_core_destroy() call: the only functions that queue work on it are ath10k_sdio_sleep_timer_handler(), ath10k_sdio_hif_tx_sg(), and ath10k_sdio_irq_disable(). The sleep timer is deleted before ath10k_core_destroy() in ath10k_hif_power_down(), ath10k_sdio_irq_disable() is only called from ath10k_hif_stop(), and ath10k_core_unregister() calls ath10k_hif_power_down() to stop the hif bus, so ath10k_sdio_hif_tx_sg() can no longer be called. This vulnerability was identified and the fix tested on QCA6174 hw3.2 SDIO WLAN.
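To show why the teardown order matters, here is an added user-space model that is not ath10k or kernel code: the struct and function names (rdev_model, ar_model, core_destroy, sdio_remove) are simplified stand-ins for the kernel ones, and CONFIG_INIT_ON_FREE_DEFAULT_ON is simulated by zeroing rdev on release. It runs the remove path in both orders and reports whether destroy_workqueue() received a valid pointer.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added model of the teardown ordering described for CVE-2024-56599; this is
 * illustrative user-space code, not the ath10k driver or the kernel API. */

struct workqueue_struct {
    bool destroyed;
};

/* Stands in for the part of struct cfg80211_registered_device that owns the
 * sdio workqueue pointer (freed by wiphy_dev_release() in the real driver). */
struct rdev_model {
    struct workqueue_struct *sdio_wq;
};

struct ar_model {
    struct rdev_model *rdev;
};

/* Models CONFIG_INIT_ON_FREE_DEFAULT_ON: memory is zeroed when freed, so a
 * later read of rdev->sdio_wq yields NULL rather than the stale pointer.
 * The block is only zeroed here, not released, so the dangling read stays
 * defined in this model; the kernel would be reading freed memory. */
static void zeroing_free(void *p, size_t n)
{
    memset(p, 0, n);
}

/* Returns false when handed NULL; the kernel would panic dereferencing it. */
static bool destroy_workqueue(struct workqueue_struct *wq)
{
    if (wq == NULL)
        return false;
    wq->destroyed = true;
    free(wq);
    return true;
}

/* Models ath10k_core_destroy(): releasing rdev takes the wq pointer with it. */
static void core_destroy(struct ar_model *ar)
{
    zeroing_free(ar->rdev, sizeof(*ar->rdev));
}

/* Runs the remove path in either order; returns true when destroy_workqueue()
 * received a valid pointer, false when it was handed the zeroed (NULL) one. */
bool sdio_remove(bool destroy_wq_first)
{
    struct rdev_model *rdev = calloc(1, sizeof(*rdev));
    struct workqueue_struct *wq = calloc(1, sizeof(*wq));
    struct ar_model ar = { .rdev = rdev };
    bool ok;

    rdev->sdio_wq = wq;

    if (destroy_wq_first) {
        /* Fixed order: tear down the workqueue while rdev is still intact. */
        ok = destroy_workqueue(ar.rdev->sdio_wq);
        ar.rdev->sdio_wq = NULL;
        core_destroy(&ar);
    } else {
        /* Original order: rdev is released first, so the pointer read back
         * from it is NULL and the real driver would panic at this point. */
        core_destroy(&ar);
        ok = destroy_workqueue(ar.rdev->sdio_wq);
        free(wq); /* never destroyed in this branch; release it to keep the model leak-free */
    }
    free(rdev);
    return ok;
}

int main(void)
{
    printf("destroy_workqueue before core_destroy: %s\n",
           sdio_remove(true) ? "ok" : "NULL pointer");
    printf("core_destroy before destroy_workqueue: %s\n",
           sdio_remove(false) ? "ok" : "NULL pointer");
    return 0;
}
```

The model keeps the zeroed rdev block allocated rather than calling free() so the stale read is well-defined in user space; the point it demonstrates is the same one the fix relies on, namely that any resource referenced through rdev must be torn down before rdev itself is released.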