CVE-2024-26892: wifi: mt76: mt7921e: fix use-after-free in free_irq()
In the Linux kernel, the following vulnerability has been resolved:
wifi: mt76: mt7921e: fix use-after-free in free_irq()
From commit a304e1b82808 ("[PATCH] Debug shared irqs"), there is a test to make sure the shared irq handler should be able to handle the unexpected event after deregistration. For this case, let's apply MT76_REMOVED flag to indicate the device was removed and do not run into the resource access anymore.
BUG: KASAN: use-after-free in mt7921_irq_handler+0xd8/0x100 [mt7921e]
Read of size 8 at addr ffff88824a7d3b78 by task rmmod/11115
CPU: 28 PID: 11115 Comm: rmmod Tainted: G W L 5.17.0 #10
Hardware name: Micro-Star International Co., Ltd. MS-7D73/MPG B650I EDGE WIFI (MS-7D73), BIOS 1.81 01/05/2024
Call Trace:
 <TASK>
 dump_stack_lvl+0x6f/0xa0
 print_address_description.constprop.0+0x1f/0x190
 ? mt7921_irq_handler+0xd8/0x100 [mt7921e]
 ? mt7921_irq_handler+0xd8/0x100 [mt7921e]
 kasan_report.cold+0x7f/0x11b
 ? mt7921_irq_handler+0xd8/0x100 [mt7921e]
 mt7921_irq_handler+0xd8/0x100 [mt7921e]
 free_irq+0x627/0xaa0
 devm_free_irq+0x94/0xd0
 ? devm_request_any_context_irq+0x160/0x160
 ? kobject_put+0x18d/0x4a0
 mt7921_pci_remove+0x153/0x190 [mt7921e]
 pci_device_remove+0xa2/0x1d0
 __device_release_driver+0x346/0x6e0
 driver_detach+0x1ef/0x2c0
 bus_remove_driver+0xe7/0x2d0
 ? __check_object_size+0x57/0x310
 pci_unregister_driver+0x26/0x250
 __do_sys_delete_module+0x307/0x510
 ? free_module+0x6a0/0x6a0
 ? fpregs_assert_state_consistent+0x4b/0xb0
 ? rcu_read_lock_sched_held+0x10/0x70
 ? syscall_enter_from_user_mode+0x20/0x70
 ? trace_hardirqs_on+0x1c/0x130
 do_syscall_64+0x5c/0x80
 ? trace_hardirqs_on_prepare+0x72/0x160
 ? do_syscall_64+0x68/0x80
 ? trace_hardirqs_on_prepare+0x72/0x160
 entry_SYSCALL_64_after_hwframe+0x44/0xae
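The removal sequence in the trace above, as an added user-space model (not the driver's code and not the upstream patch): free_irq() calls the shared handler once more after teardown, and a removed flag standing in for MT76_REMOVED makes the handler return before it touches released resources. The names model_dev, model_irq_handler, model_free_irq and model_remove are hypothetical, and the assumption is that the resources are released before the IRQ is freed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

enum irqreturn { IRQ_NONE, IRQ_HANDLED };

/* Hypothetical stand-in for the driver's per-device state. */
struct model_dev {
    bool guard;          /* handler checks the removed flag first */
    bool removed;        /* models the MT76_REMOVED state bit */
    unsigned int *regs;  /* models resources released during removal */
    int stale_accesses;  /* handler runs that reached released resources */
};

static enum irqreturn model_irq_handler(struct model_dev *d)
{
    if (d->guard && d->removed)
        return IRQ_NONE;          /* device is gone: touch nothing */
    if (!d->regs) {
        d->stale_accesses++;      /* a real handler would read freed memory here */
        return IRQ_NONE;
    }
    d->regs[0] = 0;               /* normal path: mask device interrupts */
    return IRQ_HANDLED;
}

/* Models free_irq() with the shared-IRQ test: one extra handler call. */
static void model_free_irq(struct model_dev *d) { (void)model_irq_handler(d); }

/* Runs the removal sequence; returns the number of stale accesses. */
static int model_remove(bool guard)
{
    struct model_dev d = { .guard = guard };
    d.regs = calloc(4, sizeof(*d.regs));
    if (!d.regs)
        return -1;
    (void)model_irq_handler(&d);  /* interrupt while the device is live */
    d.removed = guard;            /* guarded remove path sets the flag first */
    free(d.regs);                 /* teardown releases the resources */
    d.regs = NULL;
    model_free_irq(&d);           /* extra handler call after teardown */
    return d.stale_accesses;
}

int main(void)
{
    printf("unguarded=%d guarded=%d\n", model_remove(false), model_remove(true));
    return 0;
}
```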
Other sources
In the Linux kernel, the following vulnerability has been resolved:
wifi: mt76: mt7921e: fix use-after-free in free_irq()
From commit a304e1b82808 ("[PATCH] Debug shared irqs"), there is a test to make sure the shared irq handler should be able to handle the unexpected event after deregistration. For this case, let's apply MT76_REMOVED flag to indicate the device was removed and do not run into the resource access anymore.
— NVD
In the Linux kernel, the following vulnerability has been resolved:
wifi: mt76: mt7921e: fix use-after-free in free_irq()
The Linux kernel CVE team has assigned CVE-2024-26892 to this issue.
Upstream advisory: https://lore.kernel.org/linux-cve-announce/2024041743-CVE-2024-26892-809e@gregkh/T
— Red Hat
Frequently Asked Questions
What is the severity of CVE-2024-26892?
CVE-2024-26892 has been assessed as a medium-severity vulnerability due to potential use-after-free issues in the Linux kernel.
How do I fix CVE-2024-26892?
To fix CVE-2024-26892, update your Linux kernel to versions 6.6.23, 6.7.11, 6.8.2, or 6.9, or apply the relevant patches recommended by your distribution.
Which Linux kernel versions are affected by CVE-2024-26892?
CVE-2024-26892 affects Linux kernel versions prior to 6.6.23, 6.7.11, 6.8.2, and 6.9.
What component of the Linux kernel does CVE-2024-26892 impact?
CVE-2024-26892 impacts the Wi-Fi driver mt76, specifically the mt7921e component in the Linux kernel.
Is CVE-2024-26892 related to IRQ handling issues?
Yes, CVE-2024-26892 addresses a use-after-free vulnerability found during the free_irq() operation in the context of shared IRQ handlers.