Description
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath12k: fix dma_free_coherent() pointer
dma_alloc_coherent() allocates a DMA mapped buffer and stores the
addresses in XXX_unaligned fields. Those should be reused when freeing
the buffer rather than the aligned addresses.
A flaw was found in the Linux kernel's ath12k wifi driver. A local attacker could exploit this vulnerability by triggering the device driver teardown path. The driver incorrectly passes aligned memory addresses to dma_free_coherent() instead of the original unaligned addresses during cleanup. This improper memory deallocation can lead to memory leaks, data corruption, or kernel crashes, ultimately resulting in a denial of service.
Report
A bug exists in the ath12k copy engine ring tear down path where dma_free_coherent is called with pointers that do not match those returned by dma_alloc_coherent. The driver allocates descriptor rings using dma_alloc_coherent and stores the original CPU and DMA addresses in base_addr_owner_space_unaligned and base_addr_ce_space_unaligned. It then derives aligned addresses for runtime use. During cleanup, the driver incorrectly passed the aligned CPU and DMA addresses to dma_free_coherent instead of the original unaligned values. The DMA API requires that the exact addresses returned by dma_alloc_coherent be used for freeing. Freeing with a shifted aligned pointer can result in invalid free behavior such as freeing the wrong address, memory leaks of DMA coherent memory, allocator metadata corruption, warnings, or kernel crashes. Because this occurs in a device driver teardown path, the most realistic impact is denial of service through kernel instability.
Affected packages
| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| Red Hat Enterprise Linux 10 | kernel | Fix deferred | | |
| Red Hat Enterprise Linux 6 | kernel | Not affected | | |
| Red Hat Enterprise Linux 7 | kernel | Not affected | | |
| Red Hat Enterprise Linux 7 | kernel-rt | Not affected | | |
| Red Hat Enterprise Linux 8 | kernel | Not affected | | |
| Red Hat Enterprise Linux 8 | kernel-rt | Not affected | | |
| Red Hat Enterprise Linux 9 | kernel | Fix deferred | | |
| Red Hat Enterprise Linux 9 | kernel-rt | Fix deferred | | |
Additional information
Status:
EPSS
CVSS3: 6.1 Medium