Description
In the Linux kernel, the following vulnerability has been resolved: wifi: ath10k: add peer map clean up for peer delete in ath10k_sta_state() When peer delete failed in a disconnect operation, use-after-free detected by KFENCE in below log. It is because for each vdev_id and address, it has only one struct ath10k_peer, it is allocated in ath10k_peer_map_event(). When connected to an AP, it has more than one HTT_T2H_MSG_TYPE_PEER_MAP reported from firmware, then the array peer_map of struct ath10k will be set muti-elements to the same ath10k_peer in ath10k_peer_map_event(). When peer delete failed in ath10k_sta_state(), the ath10k_peer will be free for the 1st peer id in array peer_map of struct ath10k, and then use-after-free happened for the 2nd peer id because they map to the same ath10k_peer. And clean up all peers in array peer_map for the ath10k_peer, then user-after-free disappeared peer map event log: [ 306.911021] wlan0: authenticate with b0:2a:43:e6:75:0e [ 306.957187] ath10k_pci 0000:01:00.0: mac vdev 0 peer create b0:2a:43:e6:75:0e (new sta) sta 1 / 32 peer 1 / 33 [ 306.957395] ath10k_pci 0000:01:00.0: htt peer map vdev 0 peer b0:2a:43:e6:75:0e id 246 [ 306.957404] ath10k_pci 0000:01:00.0: htt peer map vdev 0 peer b0:2a:43:e6:75:0e id 198 [ 306.986924] ath10k_pci 0000:01:00.0: htt peer map vdev 0 peer b0:2a:43:e6:75:0e id 166 peer unmap event log: [ 435.715691] wlan0: deauthenticating from b0:2a:43:e6:75:0e by local choice (Reason: 3=DEAUTH_LEAVING) [ 435.716802] ath10k_pci 0000:01:00.0: mac vdev 0 peer delete b0:2a:43:e6:75:0e sta ffff990e0e9c2b50 (sta gone) [ 435.717177] ath10k_pci 0000:01:00.0: htt peer unmap vdev 0 peer b0:2a:43:e6:75:0e id 246 [ 435.717186] ath10k_pci 0000:01:00.0: htt peer unmap vdev 0 peer b0:2a:43:e6:75:0e id 198 [ 435.717193] ath10k_pci 0000:01:00.0: htt peer unmap vdev 0 peer b0:2a:43:e6:75:0e id 166 use-after-free log: [21705.888627] wlan0: deauthenticating from d0:76:8f:82:be:75 by local choice (Reason: 3=DEAUTH_LEAVING) [21713.799910] ath10k_pci 0000:01:00.0: failed to delete peer d0:76:8f:82:be:75 for vdev 0: -110 [21713.799925] ath10k_pci 0000:01:00.0: found sta peer d0:76:8f:82:be:75 (ptr 0000000000000000 id 102) entry on vdev 0 after it was supposedly removed [21713.799968] ================================================================== [21713.799991] BUG: KFENCE: use-after-free read in ath10k_sta_state+0x265/0xb8a [ath10k_core] [21713.799991] [21713.799997] Use-after-free read at 0x00000000abe1c75e (in kfence-#69): [21713.800010] ath10k_sta_state+0x265/0xb8a [ath10k_core] [21713.800041] drv_sta_state+0x115/0x677 [mac80211] [21713.800059] __sta_info_destroy_part2+0xb1/0x133 [mac80211] [21713.800076] __sta_info_flush+0x11d/0x162 [mac80211] [21713.800093] ieee80211_set_disassoc+0x12d/0x2f4 [mac80211] [21713.800110] ieee80211_mgd_deauth+0x26c/0x29b [mac80211] [21713.800137] cfg80211_mlme_deauth+0x13f/0x1bb [cfg80211] [21713.800153] nl80211_deauthenticate+0xf8/0x121 [cfg80211] [21713.800161] genl_rcv_msg+0x38e/0x3be [21713.800166] netlink_rcv_skb+0x89/0xf7 [21713.800171] genl_rcv+0x28/0x36 [21713.800176] netlink_unicast+0x179/0x24b [21713.800181] netlink_sendmsg+0x3a0/0x40e [21713.800187] sock_sendmsg+0x72/0x76 [21713.800192] ____sys_sendmsg+0x16d/0x1e3 [21713.800196] ___sys_sendmsg+0x95/0xd1 [21713.800200] __sys_sendmsg+0x85/0xbf [21713.800205] do_syscall_64+0x43/0x55 [21713.800210] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [21713.800213] [21713.800219] kfence-#69: 0x000000009149b0d5-0x000000004c0697fb, size=1064, cache=kmalloc-2k [21713.800219] [21713.800224] allocated by task 13 on cpu 0 at 21705.501373s: [21713.800241] ath10k_peer_map_event+0x7e/0x154 [ath10k_core] [21713.800254] ath10k_htt_t2h_msg_handler+0x586/0x1039 [ath10k_core] [21713.800265] ath10k_htt_htc_t2h_msg_handler+0x12/0x28 [ath10k_core] [21713.800277] ath10k_htc_rx_completion_handler+0x14c/0x1b5 [ath10k_core] [21713.800283] ath10k_pci_process_rx_cb+0x195/0x1d ---truncated---
Details
Affected Packages
| Software | From version | Fixed in |
|---|---|---|
| linux | — | 5.15.0-60.66 |
| linux-allwinner-5.19 | — | — |
| linux-aws | — | 5.15.0-1030.34 |
| linux-aws-5.0 | — | — |
| linux-aws-5.11 | — | — |
| linux-aws-5.13 | — | — |
| linux-aws-5.15 | — | 5.15.0-1030.34~20.04.1 |
| linux-aws-5.19 | — | — |
| linux-aws-5.3 | — | — |
| linux-aws-5.4 | — | 5.4.0-1096.104~18.04.1 |
| linux-aws-5.8 | — | — |
| linux-aws-6.2 | — | — |
| linux-aws-6.5 | — | — |
| linux-aws-fips | — | — |
| linux-aws-hwe | — | 4.15.0-1151.164~16.04.1 |
| linux-azure | — | 5.15.0-1033.40 |
| linux-azure-4.15 | — | 4.15.0-1161.176 |
| linux-azure-5.11 | — | — |
| linux-azure-5.13 | — | — |
| linux-azure-5.15 | — | 5.15.0-1033.40~20.04.1 |
| linux-azure-5.19 | — | — |
| linux-azure-5.3 | — | — |
| linux-azure-5.4 | — | 5.4.0-1103.109~18.04.1 |
| linux-azure-5.8 | — | — |
| linux-azure-6.11 | — | — |
| linux-azure-6.2 | — | — |
| linux-azure-6.5 | — | — |
| linux-azure-edge | — | — |
| linux-azure-fde | — | — |
| linux-azure-fde-5.19 | — | — |
| linux-azure-fde-6.2 | — | — |
| linux-azure-fips | — | — |
| linux-bluefield | — | — |
| linux-fips | — | — |
| linux-gcp | — | 5.15.0-1029.36 |
| linux-gcp-4.15 | — | 4.15.0-1145.161 |
| linux-gcp-5.11 | — | — |
| linux-gcp-5.13 | — | — |
| linux-gcp-5.15 | — | 5.15.0-1029.36~20.04.1 |
| linux-gcp-5.19 | — | — |
| linux-gcp-5.3 | — | — |
| linux-gcp-5.4 | — | 5.4.0-1100.109~18.04.1 |
| linux-gcp-5.8 | — | — |
| linux-gcp-6.11 | — | — |
| linux-gcp-6.2 | — | — |
| linux-gcp-6.5 | — | — |
| linux-gcp-fips | — | — |
| linux-gke | — | 5.15.0-1027.32 |
| linux-gke-4.15 | — | — |
| linux-gke-5.15 | — | — |
| linux-gke-5.4 | — | — |
| linux-gkeop | — | 5.15.0-1015.19 |
| linux-gkeop-5.15 | — | — |
| linux-gkeop-5.4 | — | — |
| linux-hwe | — | — |
| linux-hwe-5.11 | — | — |
| linux-hwe-5.13 | — | — |
| linux-hwe-5.15 | — | 5.15.0-60.66~20.04.1 |
| linux-hwe-5.19 | — | — |
| linux-hwe-5.4 | — | 5.4.0-139.156~18.04.1 |
| linux-hwe-5.8 | — | — |
| linux-hwe-6.11 | — | — |
| linux-hwe-6.2 | — | — |
| linux-hwe-6.5 | — | — |
| linux-hwe-edge | — | — |
| linux-ibm | — | 5.15.0-1025.28 |
| linux-ibm-5.4 | — | 5.4.0-1044.49~18.04.1 |
| linux-intel-5.13 | — | — |
| linux-intel-iot-realtime | — | — |
| linux-intel-iotg | — | 5.15.0-1025.30 |
| linux-intel-iotg-5.15 | — | 5.15.0-1025.30~20.04.1 |
| linux-iot | — | 5.4.0-1012.14 |
| linux-kvm | — | 5.15.0-1028.33 |
| linux-lowlatency | — | 5.15.0-60.66 |
| linux-lowlatency-hwe-5.15 | — | 5.15.0-60.66~20.04.1 |
| linux-lowlatency-hwe-5.19 | — | — |
| linux-lowlatency-hwe-6.11 | — | — |
| linux-lowlatency-hwe-6.2 | — | — |
| linux-lowlatency-hwe-6.5 | — | — |
| linux-nvidia | — | 5.15.0-1017.17 |
| linux-nvidia-6.11 | — | — |
| linux-nvidia-6.2 | — | — |
| linux-nvidia-6.5 | — | — |
| linux-oem | — | — |
| linux-oem-5.10 | — | — |
| linux-oem-5.13 | — | — |
| linux-oem-5.14 | — | — |
| linux-oem-5.17 | — | — |
| linux-oem-5.6 | — | — |
| linux-oem-6.0 | — | — |
| linux-oem-6.1 | — | — |
| linux-oem-6.11 | — | — |
| linux-oem-6.5 | — | — |
| linux-oem-6.8 | — | — |
| linux-oracle | — | 5.15.0-1029.35 |
| linux-oracle-5.0 | — | — |
| linux-oracle-5.11 | — | — |
| linux-oracle-5.13 | — | — |
| linux-oracle-5.15 | — | 5.15.0-1029.35~20.04.1 |
| linux-oracle-5.3 | — | — |
| linux-oracle-5.4 | — | 5.4.0-1093.102~18.04.1 |
| linux-oracle-5.8 | — | — |
| linux-oracle-6.5 | — | — |
| linux-raspi | — | 5.15.0-1024.26 |
| linux-raspi-5.4 | — | 5.4.0-1080.91~18.04.1 |
| linux-raspi-realtime | — | — |
| linux-raspi2 | — | — |
| linux-realtime | — | — |
| linux-riscv | — | — |
| linux-riscv-5.11 | — | — |
| linux-riscv-5.15 | — | 5.15.0-1029.33~20.04.1 |
| linux-riscv-5.19 | — | — |
| linux-riscv-5.8 | — | — |
| linux-riscv-6.14 | — | — |
| linux-riscv-6.5 | — | — |
| linux-starfive-5.19 | — | — |
| linux-starfive-6.2 | — | — |
| linux-starfive-6.5 | — | — |
| linux-xilinx-zynqmp | — | 5.4.0-1021.25 |
References
Similar Threats
- Unknown CGA-23jx-hhcx-m389
- Unknown CGA-2qp7-6757-fmgc
- Unknown CGA-2rj5-jc55-r267
- Unknown CGA-3m96-cwq8-6xmx
- Unknown CGA-3qj9-973w-fh9g
Patch Gap Protection
Running software with known vulnerabilities?
BotEraser can help reduce exposure by blocking IPs associated with exploit activity — even before a patch is available.
Start Free →No credit card required · Results in minutes
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the vulnerabilities listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.