{
  "threat_severity" : "Moderate",
  "public_date" : "2024-07-12T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: wifi: cfg80211: Lock wiphy in cfg80211_get_station",
    "id" : "2297495",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2297495"
  },
  "cvss3" : {
    "cvss3_base_score" : "4.4",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-476",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nwifi: cfg80211: Lock wiphy in cfg80211_get_station\nWiphy should be locked before calling rdev_get_station() (see lockdep\nassert in ieee80211_get_station()).\nThis fixes the following kernel NULL dereference:\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000050\nMem abort info:\nESR = 0x0000000096000006\nEC = 0x25: DABT (current EL), IL = 32 bits\nSET = 0, FnV = 0\nEA = 0, S1PTW = 0\nFSC = 0x06: level 2 translation fault\nData abort info:\nISV = 0, ISS = 0x00000006\nCM = 0, WnR = 0\nuser pgtable: 4k pages, 48-bit VAs, pgdp=0000000003001000\n[0000000000000050] pgd=0800000002dca003, p4d=0800000002dca003, pud=08000000028e9003, pmd=0000000000000000\nInternal error: Oops: 0000000096000006 [#1] SMP\nModules linked in: netconsole dwc3_meson_g12a dwc3_of_simple dwc3 ip_gre gre ath10k_pci ath10k_core ath9k ath9k_common ath9k_hw ath\nCPU: 0 PID: 1091 Comm: kworker/u8:0 Not tainted 6.4.0-02144-g565f9a3a7911-dirty #705\nHardware name: RPT (r1) (DT)\nWorkqueue: bat_events batadv_v_elp_throughput_metric_update\npstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : ath10k_sta_statistics+0x10/0x2dc [ath10k_core]\nlr : sta_set_sinfo+0xcc/0xbd4\nsp : ffff000007b43ad0\nx29: ffff000007b43ad0 x28: ffff0000071fa900 x27: ffff00000294ca98\nx26: ffff000006830880 x25: ffff000006830880 x24: ffff00000294c000\nx23: 0000000000000001 x22: ffff000007b43c90 x21: ffff800008898acc\nx20: ffff00000294c6e8 x19: ffff000007b43c90 x18: 0000000000000000\nx17: 445946354d552d78 x16: 62661f7200000000 x15: 57464f445946354d\nx14: 0000000000000000 x13: 00000000000000e3 x12: d5f0acbcebea978e\nx11: 00000000000000e3 x10: 000000010048fe41 x9 : 0000000000000000\nx8 : ffff000007b43d90 x7 : 000000007a1e2125 x6 : 0000000000000000\nx5 : ffff0000024e0900 x4 : ffff800000a0250c x3 : ffff000007b43c90\nx2 : ffff00000294ca98 x1 : ffff000006831920 x0 : 0000000000000000\nCall trace:\nath10k_sta_statistics+0x10/0x2dc [ath10k_core]\nsta_set_sinfo+0xcc/0xbd4\nieee80211_get_station+0x2c/0x44\ncfg80211_get_station+0x80/0x154\nbatadv_v_elp_get_throughput+0x138/0x1fc\nbatadv_v_elp_throughput_metric_update+0x1c/0xa4\nprocess_one_work+0x1ec/0x414\nworker_thread+0x70/0x46c\nkthread+0xdc/0xe0\nret_from_fork+0x10/0x20\nCode: a9bb7bfd 910003fd a90153f3 f9411c40 (f9402814)\nThis happens because STA has time to disconnect and reconnect before\nbatadv_v_elp_throughput_metric_update() delayed work gets scheduled. In\nthis situation, ath10k_sta_state() can be in the middle of resetting\narsta data when the work queue get chance to be scheduled and ends up\naccessing it. Locking wiphy prevents that.", "A vulnerability was found in the Linux kernel in the wifi driver in the cfg80211_get_station function, where the wiphy was not locked before calling rdev_get_station(), which led to a NULL pointer dereference when a station disconnects and reconnects during a work queue operation, resulting in a kernel panic." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2024-09-24T00:00:00Z",
    "advisory" : "RHSA-2024:7001",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8::nfv",
    "package" : "kernel-rt-0:4.18.0-553.22.1.rt7.363.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2024-09-24T00:00:00Z",
    "advisory" : "RHSA-2024:7000",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-553.22.1.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-08-28T00:00:00Z",
    "advisory" : "RHSA-2024:5928",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-427.33.1.el9_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-08-28T00:00:00Z",
    "advisory" : "RHSA-2024:5928",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-427.33.1.el9_4"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-40911\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-40911\nhttps://lore.kernel.org/linux-cve-announce/2024071210-CVE-2024-40911-2382@gregkh/T" ],
  "name" : "CVE-2024-40911",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}