{ "threat_severity" : "Moderate", "public_date" : "2024-08-26T00:00:00Z", "bugzilla" : { "description" : "kernel: wifi: mac80211: fix NULL dereference at band check in starting tx ba session", "id" : "2307884", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2307884" }, "cvss3" : { "cvss3_base_score" : "5.7", "cvss3_scoring_vector" : "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status" : "verified" }, "cwe" : "CWE-476", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nwifi: mac80211: fix NULL dereference at band check in starting tx ba session\nIn MLD connection, link_data/link_conf are dynamically allocated. They\ndon't point to vif->bss_conf. So, there will be no chanreq assigned to\nvif->bss_conf and then the chan will be NULL. Tweak the code to check\nht_supported/vht_supported/has_he/has_eht on sta deflink.\nCrash log (with rtw89 version under MLO development):\n[ 9890.526087] BUG: kernel NULL pointer dereference, address: 0000000000000000\n[ 9890.526102] #PF: supervisor read access in kernel mode\n[ 9890.526105] #PF: error_code(0x0000) - not-present page\n[ 9890.526109] PGD 0 P4D 0\n[ 9890.526114] Oops: 0000 [#1] PREEMPT SMP PTI\n[ 9890.526119] CPU: 2 PID: 6367 Comm: kworker/u16:2 Kdump: loaded Tainted: G OE 6.9.0 #1\n[ 9890.526123] Hardware name: LENOVO 2356AD1/2356AD1, BIOS G7ETB3WW (2.73 ) 11/28/2018\n[ 9890.526126] Workqueue: phy2 rtw89_core_ba_work [rtw89_core]\n[ 9890.526203] RIP: 0010:ieee80211_start_tx_ba_session (net/mac80211/agg-tx.c:618 (discriminator 1)) mac80211\n[ 9890.526279] Code: f7 e8 d5 93 3e ea 48 83 c4 28 89 d8 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc 49 8b 84 24 e0 f1 ff ff 48 8b 80 90 1b 00 00 <83> 38 03 0f 84 37 fe ff ff bb ea ff ff ff eb cc 49 8b 84 24 10 f3\nAll code\n========\n0:f7 e8 imul %eax\n2:d5 (bad)\n3:93 xchg %eax,%ebx\n4:3e ea ds (bad)\n6:48 83 c4 28 add $0x28,%rsp\na:89 d8 mov %ebx,%eax\nc:5b pop %rbx\nd:41 5c pop %r12\nf:41 5d pop %r13\n11:41 5e pop %r14\n13:41 5f pop %r15\n15:5d pop %rbp\n16:c3 retq\n17:cc int3\n18:cc int3\n19:cc int3\n1a:cc int3\n1b:49 8b 84 24 e0 f1 ff mov -0xe20(%r12),%rax\n22:ff\n23:48 8b 80 90 1b 00 00 mov 0x1b90(%rax),%rax\n2a:*83 38 03 cmpl $0x3,(%rax)<-- trapping instruction\n2d:0f 84 37 fe ff ff je 0xfffffffffffffe6a\n33:bb ea ff ff ff mov $0xffffffea,%ebx\n38:eb cc jmp 0x6\n3a:49 rex.WB\n3b:8b .byte 0x8b\n3c:84 24 10 test %ah,(%rax,%rdx,1)\n3f:f3 repz\nCode starting with the faulting instruction\n===========================================\n0:83 38 03 cmpl $0x3,(%rax)\n3:0f 84 37 fe ff ff je 0xfffffffffffffe40\n9:bb ea ff ff ff mov $0xffffffea,%ebx\ne:eb cc jmp 0xffffffffffffffdc\n10:49 rex.WB\n11:8b .byte 0x8b\n12:84 24 10 test %ah,(%rax,%rdx,1)\n15:f3 repz\n[ 9890.526285] RSP: 0018:ffffb8db09013d68 EFLAGS: 00010246\n[ 9890.526291] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff9308e0d656c8\n[ 9890.526295] RDX: 0000000000000000 RSI: ffffffffab99460b RDI: ffffffffab9a7685\n[ 9890.526300] RBP: ffffb8db09013db8 R08: 0000000000000000 R09: 0000000000000873\n[ 9890.526304] R10: ffff9308e0d64800 R11: 0000000000000002 R12: ffff9308e5ff6e70\n[ 9890.526308] R13: ffff930952500e20 R14: ffff9309192a8c00 R15: 0000000000000000\n[ 9890.526313] FS: 0000000000000000(0000) GS:ffff930b4e700000(0000) knlGS:0000000000000000\n[ 9890.526316] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 9890.526318] CR2: 0000000000000000 CR3: 0000000391c58005 CR4: 00000000001706f0\n[ 9890.526321] Call Trace:\n[ 9890.526324] \n[ 9890.526327] ? show_regs (arch/x86/kernel/dumpstack.c:479)\n[ 9890.526335] ? __die (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:434)\n[ 9890.526340] ? page_fault_oops (arch/x86/mm/fault.c:713)\n[ 9890.526347] ? search_module_extables (kernel/module/main.c:3256 (discriminator\n---truncated---", "linux wifi mac80211 connection link_data allocations can result in null pointer dereferencing." ], "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2024-11-12T00:00:00Z", "advisory" : "RHSA-2024:9315", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-503.11.1.el9_5" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2024-11-12T00:00:00Z", "advisory" : "RHSA-2024:9315", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-503.11.1.el9_5" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Out of support scope", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Will not fix", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Will not fix", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-43911\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-43911\nhttps://lore.kernel.org/linux-cve-announce/2024082631-CVE-2024-43911-96bb@gregkh/T" ], "name" : "CVE-2024-43911", "csaw" : false }