CVE-2024-26897
Vulnerability from cvelistv5
Published
2024-04-17 10:27
Modified
2024-12-19 08:49
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: wifi: ath9k: delay all of ath9k_wmi_event_tasklet() until init is complete The ath9k_wmi_event_tasklet() used in ath9k_htc assumes that all the data structures have been fully initialised by the time it runs. However, because of the order in which things are initialised, this is not guaranteed to be the case, because the device is exposed to the USB subsystem before the ath9k driver initialisation is completed. We already committed a partial fix for this in commit: 8b3046abc99e ("ath9k_htc: fix NULL pointer dereference at ath9k_htc_tx_get_packet()") However, that commit only aborted the WMI_TXSTATUS_EVENTID command in the event tasklet, pairing it with an "initialisation complete" bit in the TX struct. It seems syzbot managed to trigger the race for one of the other commands as well, so let's just move the existing synchronisation bit to cover the whole tasklet (setting it at the end of ath9k_htc_probe_device() instead of inside ath9k_tx_init()).
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/1bc5461a21c56a36e2a7d81e152b90ce019a3905
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/24355fcb0d4cbcb6ddda262596558e8cfba70f11
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/4afa0246656d5680c8a4c3fb37ba6570c4ab819b
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/74d0639261dd795dce958d1b14815bdcbb48a715
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/a015fbf698c8957aa5fbeefc5c59dd2cf3107298
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/ac90e22e735bac44f74b5161fb096fbeb0ff8bc2
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/f8ff4b4df71e87f609be0cc37d92e918107f9b90
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/1bc5461a21c56a36e2a7d81e152b90ce019a3905
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/24355fcb0d4cbcb6ddda262596558e8cfba70f11
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/4afa0246656d5680c8a4c3fb37ba6570c4ab819b
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/74d0639261dd795dce958d1b14815bdcbb48a715
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/a015fbf698c8957aa5fbeefc5c59dd2cf3107298
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/ac90e22e735bac44f74b5161fb096fbeb0ff8bc2
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/f8ff4b4df71e87f609be0cc37d92e918107f9b90
af854a3a-2127-422b-91ae-364da2661108https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html
Impacted products
Vendor Product Version
Linux Linux Version: 5.17
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T00:21:05.691Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/1bc5461a21c56a36e2a7d81e152b90ce019a3905"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/f8ff4b4df71e87f609be0cc37d92e918107f9b90"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/74d0639261dd795dce958d1b14815bdcbb48a715"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/a015fbf698c8957aa5fbeefc5c59dd2cf3107298"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/ac90e22e735bac44f74b5161fb096fbeb0ff8bc2"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/4afa0246656d5680c8a4c3fb37ba6570c4ab819b"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/24355fcb0d4cbcb6ddda262596558e8cfba70f11"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-26897",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-10T15:48:09.627095Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-11T17:33:23.543Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/ath/ath9k/htc.h",
            "drivers/net/wireless/ath/ath9k/htc_drv_init.c",
            "drivers/net/wireless/ath/ath9k/htc_drv_txrx.c",
            "drivers/net/wireless/ath/ath9k/wmi.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "1bc5461a21c56a36e2a7d81e152b90ce019a3905",
              "status": "affected",
              "version": "78c8397132dd4735ac6a7b5a651302f0b9f264ad",
              "versionType": "git"
            },
            {
              "lessThan": "f8ff4b4df71e87f609be0cc37d92e918107f9b90",
              "status": "affected",
              "version": "735aefae7b68025cd04c482a940c0f6fc6797a63",
              "versionType": "git"
            },
            {
              "lessThan": "74d0639261dd795dce958d1b14815bdcbb48a715",
              "status": "affected",
              "version": "8b3046abc99eefe11438090bcc4ec3a3994b55d0",
              "versionType": "git"
            },
            {
              "lessThan": "a015fbf698c8957aa5fbeefc5c59dd2cf3107298",
              "status": "affected",
              "version": "8b3046abc99eefe11438090bcc4ec3a3994b55d0",
              "versionType": "git"
            },
            {
              "lessThan": "ac90e22e735bac44f74b5161fb096fbeb0ff8bc2",
              "status": "affected",
              "version": "8b3046abc99eefe11438090bcc4ec3a3994b55d0",
              "versionType": "git"
            },
            {
              "lessThan": "4afa0246656d5680c8a4c3fb37ba6570c4ab819b",
              "status": "affected",
              "version": "8b3046abc99eefe11438090bcc4ec3a3994b55d0",
              "versionType": "git"
            },
            {
              "lessThan": "24355fcb0d4cbcb6ddda262596558e8cfba70f11",
              "status": "affected",
              "version": "8b3046abc99eefe11438090bcc4ec3a3994b55d0",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/ath/ath9k/htc.h",
            "drivers/net/wireless/ath/ath9k/htc_drv_init.c",
            "drivers/net/wireless/ath/ath9k/htc_drv_txrx.c",
            "drivers/net/wireless/ath/ath9k/wmi.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.17"
            },
            {
              "lessThan": "5.17",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.214",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.153",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.83",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.23",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.7.*",
              "status": "unaffected",
              "version": "6.7.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.8.*",
              "status": "unaffected",
              "version": "6.8.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.9",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath9k: delay all of ath9k_wmi_event_tasklet() until init is complete\n\nThe ath9k_wmi_event_tasklet() used in ath9k_htc assumes that all the data\nstructures have been fully initialised by the time it runs. However, because of\nthe order in which things are initialised, this is not guaranteed to be the\ncase, because the device is exposed to the USB subsystem before the ath9k driver\ninitialisation is completed.\n\nWe already committed a partial fix for this in commit:\n8b3046abc99e (\"ath9k_htc: fix NULL pointer dereference at ath9k_htc_tx_get_packet()\")\n\nHowever, that commit only aborted the WMI_TXSTATUS_EVENTID command in the event\ntasklet, pairing it with an \"initialisation complete\" bit in the TX struct. It\nseems syzbot managed to trigger the race for one of the other commands as well,\nso let\u0027s just move the existing synchronisation bit to cover the whole\ntasklet (setting it at the end of ath9k_htc_probe_device() instead of inside\nath9k_tx_init())."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-19T08:49:44.179Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/1bc5461a21c56a36e2a7d81e152b90ce019a3905"
        },
        {
          "url": "https://git.kernel.org/stable/c/f8ff4b4df71e87f609be0cc37d92e918107f9b90"
        },
        {
          "url": "https://git.kernel.org/stable/c/74d0639261dd795dce958d1b14815bdcbb48a715"
        },
        {
          "url": "https://git.kernel.org/stable/c/a015fbf698c8957aa5fbeefc5c59dd2cf3107298"
        },
        {
          "url": "https://git.kernel.org/stable/c/ac90e22e735bac44f74b5161fb096fbeb0ff8bc2"
        },
        {
          "url": "https://git.kernel.org/stable/c/4afa0246656d5680c8a4c3fb37ba6570c4ab819b"
        },
        {
          "url": "https://git.kernel.org/stable/c/24355fcb0d4cbcb6ddda262596558e8cfba70f11"
        }
      ],
      "title": "wifi: ath9k: delay all of ath9k_wmi_event_tasklet() until init is complete",
      "x_generator": {
        "engine": "bippy-5f407fcff5a0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-26897",
    "datePublished": "2024-04-17T10:27:47.842Z",
    "dateReserved": "2024-02-19T14:20:24.186Z",
    "dateUpdated": "2024-12-19T08:49:44.179Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-26897\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-04-17T11:15:10.773\",\"lastModified\":\"2024-11-21T09:03:19.780\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwifi: ath9k: delay all of ath9k_wmi_event_tasklet() until init is complete\\n\\nThe ath9k_wmi_event_tasklet() used in ath9k_htc assumes that all the data\\nstructures have been fully initialised by the time it runs. However, because of\\nthe order in which things are initialised, this is not guaranteed to be the\\ncase, because the device is exposed to the USB subsystem before the ath9k driver\\ninitialisation is completed.\\n\\nWe already committed a partial fix for this in commit:\\n8b3046abc99e (\\\"ath9k_htc: fix NULL pointer dereference at ath9k_htc_tx_get_packet()\\\")\\n\\nHowever, that commit only aborted the WMI_TXSTATUS_EVENTID command in the event\\ntasklet, pairing it with an \\\"initialisation complete\\\" bit in the TX struct. It\\nseems syzbot managed to trigger the race for one of the other commands as well,\\nso let\u0027s just move the existing synchronisation bit to cover the whole\\ntasklet (setting it at the end of ath9k_htc_probe_device() instead of inside\\nath9k_tx_init()).\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: wifi: ath9k: retrasa todo ath9k_wmi_event_tasklet() hasta que se complete el inicio. El ath9k_wmi_event_tasklet() usado en ath9k_htc supone que todas las estructuras de datos se han inicializado por completo en el momento de su ejecuci\u00f3n. Sin embargo, debido al orden en que se inicializan las cosas, no se garantiza que este sea el caso, porque el dispositivo queda expuesto al subsistema USB antes de que se complete la inicializaci\u00f3n del controlador ath9k. Ya cometimos una soluci\u00f3n parcial para esto en la confirmaci\u00f3n: 8b3046abc99e (\\\"ath9k_htc: corrige la desreferencia del puntero NULL en ath9k_htc_tx_get_packet()\\\") Sin embargo, esa confirmaci\u00f3n solo abort\u00f3 el comando WMI_TXSTATUS_EVENTID en el tasklet de eventos, emparej\u00e1ndolo con un bit de \\\"inicializaci\u00f3n completa\\\" en la estructura TX. Parece que syzbot tambi\u00e9n logr\u00f3 activar la carrera para uno de los otros comandos, as\u00ed que simplemente movamos el bit de sincronizaci\u00f3n existente para cubrir todo el tasklet (configur\u00e1ndolo al final de ath9k_htc_probe_device() en lugar de dentro de ath9k_tx_init()).\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/1bc5461a21c56a36e2a7d81e152b90ce019a3905\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/24355fcb0d4cbcb6ddda262596558e8cfba70f11\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/4afa0246656d5680c8a4c3fb37ba6570c4ab819b\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/74d0639261dd795dce958d1b14815bdcbb48a715\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/a015fbf698c8957aa5fbeefc5c59dd2cf3107298\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/ac90e22e735bac44f74b5161fb096fbeb0ff8bc2\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/f8ff4b4df71e87f609be0cc37d92e918107f9b90\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/1bc5461a21c56a36e2a7d81e152b90ce019a3905\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/24355fcb0d4cbcb6ddda262596558e8cfba70f11\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/4afa0246656d5680c8a4c3fb37ba6570c4ab819b\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/74d0639261dd795dce958d1b14815bdcbb48a715\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/a015fbf698c8957aa5fbeefc5c59dd2cf3107298\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/ac90e22e735bac44f74b5161fb096fbeb0ff8bc2\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/f8ff4b4df71e87f609be0cc37d92e918107f9b90\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.