VYPR
Unrated severity · NVD Advisory · Published Dec 30, 2025 · Updated Apr 15, 2026

CVE-2023-54300

Description

In the Linux kernel, the following vulnerability has been resolved:

wifi: ath9k: avoid referencing uninit memory in ath9k_wmi_ctrl_rx

For the reasons also described in commit b383e8abed41 ("wifi: ath9k: avoid uninit memory read in ath9k_htc_rx_msg()"), ath9k_htc_rx_msg() should validate pkt_len before accessing the SKB.

For example, the obtained SKB may have been badly constructed with pkt_len = 8. In this case, the SKB can only contain a valid htc_frame_hdr but after being processed in ath9k_htc_rx_msg() and passed to ath9k_wmi_ctrl_rx() endpoint RX handler, it is expected to have a WMI command header which should be located inside its data payload.

Implement sanity checking inside ath9k_wmi_ctrl_rx(). Otherwise, uninit memory can be referenced.

Tested on Qualcomm Atheros Communications AR9271 802.11n.

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In the Linux kernel's ath9k driver, ath9k_wmi_ctrl_rx() lacks a packet length check, leading to an uninitialized memory read.

The vulnerability resides in the Linux kernel's ath9k wireless driver, specifically in the ath9k_wmi_ctrl_rx() function, the endpoint handler for WMI control messages coming back from the wireless chipset. The earlier commit b383e8abed41 fixed the same class of problem one layer up, in ath9k_htc_rx_msg(), which now validates pkt_len against the HTC frame header before touching the SKB. That check only covers the 8-byte htc_frame_hdr, though. A message with pkt_len = 8 passes it, has its HTC header stripped, and is handed to ath9k_wmi_ctrl_rx() with no payload left; the WMI handler then parses a wmi_cmd_hdr from bytes beyond the valid data, that is, from uninitialized SKB memory [1][2][3].

Triggering the bug requires feeding the driver a crafted HTC control message. These messages are delivered by the USB-attached chipset (for example the AR9271) rather than received over the air, so the realistic source is a malicious or emulated USB device or compromised device firmware; this is also the path a USB fuzzer such as Syzkaller exercises. The message must carry a valid htc_frame_hdr but too little payload to hold the expected WMI command header. ath9k_htc_rx_msg() accepts it, pulls the HTC header and passes the SKB to ath9k_wmi_ctrl_rx(), which parses a WMI command header without first confirming that enough data is present, so the header fields it acts on are read from memory that was never written.

The consequence is an uninitialized-memory read: the command_id and other header fields the handler acts on are whatever stale bytes follow the valid payload in the SKB. That leads to misdirected WMI handling and can expose stale kernel memory content to later processing; the exact effect depends on kernel configuration and memory state. On its own the bug does not give arbitrary code execution, although, combined with other weaknesses, it could contribute to a larger attack. The issue was discovered by the Linux Verification Center (linuxtesting.org) using Syzkaller.

Patches have been applied to the Linux kernel stable branches [1][2][3]. The fix adds a length check inside ath9k_wmi_ctrl_rx(), so that an SKB whose remaining length is smaller than the WMI command header is dropped instead of parsed. Users are advised to update to a stable kernel that includes the commit. No workaround is available other than applying the patch.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
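To make the two-stage check concrete, here is a userspace model of the receive path described above. It is an added example, not code from the kernel, the fix commit or this advisory: the struct layouts and the 8-byte HTC / 4-byte WMI header sizes follow the description, the SKB is reduced to a pointer and a length, and the "stale" fill byte is a constructed stand-in for the uninitialised memory a real SKB would hold. It shows a pkt_len = 8 message passing the HTC-level check, reaching the WMI handler with no payload, and the pre-fix parse returning a command id made of stale bytes, while the post-fix check drops it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Userspace model of the ath9k_htc control-message receive path.
 * Struct layouts follow the driver's wire format (assumption: simplified,
 * field names kept for readability); the SKB is reduced to pointer + length.
 */
struct htc_frame_hdr {
    uint8_t endpoint_id;
    uint8_t flags;
    uint8_t payload_len[2];    /* big-endian u16 on the wire */
    uint8_t control[4];
};                             /* 8 bytes: all a pkt_len = 8 frame can hold */

struct wmi_cmd_hdr {
    uint8_t command_id[2];     /* big-endian u16 */
    uint8_t seq_no[2];         /* big-endian u16 */
};                             /* 4 bytes expected right after the HTC header */

struct skb_model {
    uint8_t *data;             /* start of valid data */
    size_t   len;              /* valid bytes remaining */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

static void skb_pull_model(struct skb_model *skb, size_t n)
{
    skb->data += n;
    skb->len  -= n;
}

/* Pre-fix ath9k_wmi_ctrl_rx(): assumes a WMI header follows the HTC header.
 * Returns the command id it would act on, even when skb->len is 0 and the
 * bytes come from past the valid payload. */
static int wmi_ctrl_rx_unchecked(const struct skb_model *skb)
{
    const struct wmi_cmd_hdr *hdr = (const struct wmi_cmd_hdr *)skb->data;
    return be16(hdr->command_id);
}

/* Post-fix behaviour: refuse anything that cannot hold a full WMI header. */
static int wmi_ctrl_rx_checked(struct skb_model *skb)
{
    if (skb->len < sizeof(struct wmi_cmd_hdr))
        return -1;                                  /* drop the SKB */
    const struct wmi_cmd_hdr *hdr = (const struct wmi_cmd_hdr *)skb->data;
    int cmd_id = be16(hdr->command_id);
    skb_pull_model(skb, sizeof(*hdr));              /* payload follows the header */
    return cmd_id;
}

/*
 * Deliver one frame of pkt_len bytes. Memory past the copied frame is filled
 * with `stale` to stand in for the uninitialised bytes a real SKB would hold.
 * Returns the WMI command id the endpoint handler acted on, or -1 if dropped.
 */
static int rx_control_message(const uint8_t *frame, size_t pkt_len,
                              int hardened, uint8_t stale)
{
    uint8_t buf[64];
    if (pkt_len > sizeof(buf))
        return -1;
    memset(buf, stale, sizeof(buf));               /* constructed "uninitialised" tail */
    memcpy(buf, frame, pkt_len);

    struct skb_model skb = { buf, pkt_len };

    /* Stage 1, ath9k_htc_rx_msg(): guarded since commit b383e8abed41. */
    if (skb.len < sizeof(struct htc_frame_hdr))
        return -1;
    skb_pull_model(&skb, sizeof(struct htc_frame_hdr));

    /* Stage 2, the WMI control endpoint handler. */
    return hardened ? wmi_ctrl_rx_checked(&skb) : wmi_ctrl_rx_unchecked(&skb);
}

/* Constructed inputs. Bytes 2-3 are the HTC payload_len field. */
static const uint8_t TRUNCATED_FRAME[8] = { 0x01, 0x00, 0x00, 0x00, 0, 0, 0, 0 };
static const uint8_t COMPLETE_FRAME[12] = { 0x01, 0x00, 0x00, 0x04, 0, 0, 0, 0,
                                            0x00, 0x01,   /* command_id = 1 */
                                            0x00, 0x07 }; /* seq_no = 7 */

int main(void)
{
    printf("truncated, unchecked: cmd_id 0x%04x (stale bytes)\n",
           (unsigned)rx_control_message(TRUNCATED_FRAME, sizeof TRUNCATED_FRAME, 0, 0xAA));
    printf("truncated, checked:   %d (dropped)\n",
           rx_control_message(TRUNCATED_FRAME, sizeof TRUNCATED_FRAME, 1, 0xAA));
    printf("complete,  checked:   cmd_id 0x%04x\n",
           (unsigned)rx_control_message(COMPLETE_FRAME, sizeof COMPLETE_FRAME, 1, 0xAA));
    return 0;
}
```

The point the model makes is that the HTC-level check is necessary but not sufficient: each layer that pulls a header must re-check the remaining length against the header it is about to parse, because the outer layer cannot know what the inner handler expects. Changing the `stale` byte changes the command id the unchecked path returns, which is exactly the uninitialised-data dependence the fix removes.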
