Small but illustrative use-after-free bug in Linux kernels up to 6.2.14

The bug is in the driver for the MediaTek MT7921 802.11ax PCI Express wireless network adapter. When the driver queries certain hardware properties of an attached MT7921 device, it can read memory that has already been freed.

The bug was eventually registered as CVE-2023-3317 and lives in the mt7921_check_offload_capability function. This function runs when a computer with an MT7921 device attached is booted, or when the device is hot-plugged into a running machine. In either case the code obtains the device properties by reading the MT7921 firmware image through Linux's firmware API; under the hood the kernel reads the firmware file and allocates all the memory it needs. Near the end of the function the code releases the firmware, which in turn frees that memory, but then reads one byte from the freed buffer after the release and before returning from the function.

The simplified pattern looks like this (only the relevant lines are kept, for the sake of illustration):

features = (struct mt7921_fw_features *)data;   /* data points into the firmware buffer */
...

release_firmware(fw);                            /* frees the buffer that features points into */
...

return features ? features->data : 0;            /* reads the freed buffer */

The features->data expression reads memory that release_firmware has already freed.

The corrected code in 6.2.15 uses a temporary variable to copy the needed byte while the firmware buffer is still valid:

features = (struct mt7921_fw_features *)data;
offload_caps = features->data;                   /* copy the byte before the buffer is freed */
release_firmware(fw);
return offload_caps;

Finally, offload_caps is returned safely; the freed buffer is never touched again.
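To make the difference in ordering concrete, here is an added example in plain C that is not the driver's code. It models both the 6.2.14 ordering and the 6.2.15 ordering against a stand-in for the firmware API. The names fake_request_firmware, fake_release_firmware and struct fw_features, and the record layout, are assumptions for the model; the release helper poisons the buffer with 0x6b the way slab poisoning does, so the read-after-release returns the poison byte deterministically here instead of being undefined behaviour as it is in the real kernel.

```c
/* Added example modelling CVE-2023-3317; not the mt7921 driver's code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define POISON_FREE 0x6b   /* byte SLUB poisoning writes into freed objects */

/* Stand-in for struct firmware: a data pointer and a size (assumed). */
struct fake_firmware {
    const uint8_t *data;
    size_t size;
};

/* Stand-in for the feature record: a small header and one capability
 * byte. The layout is an assumption made for this model. */
struct fw_features {
    uint8_t hdr[2];
    uint8_t data;
};

/* The "firmware buffer" lives in a static arena so that a read after
 * release is well-defined in this model (it is not in the kernel). */
static uint8_t fw_arena[sizeof(struct fw_features)];

/* Simulated request_firmware(): fill the arena with a header and the
 * capability byte, and hand out a pointer to it. */
static void fake_request_firmware(struct fake_firmware *fw, uint8_t caps)
{
    struct fw_features *f = (struct fw_features *)fw_arena;

    f->hdr[0] = 0x01;
    f->hdr[1] = 0x00;
    f->data = caps;
    fw->data = fw_arena;
    fw->size = sizeof(fw_arena);
}

/* Simulated release_firmware(): poison the buffer, as a debug allocator
 * would on free, so any later read is visibly wrong. */
static void fake_release_firmware(const struct fake_firmware *fw)
{
    (void)fw;
    memset(fw_arena, POISON_FREE, sizeof(fw_arena));
}

/* Same ordering as the 6.2.14 driver: release first, read afterwards. */
static uint8_t check_offload_vulnerable(uint8_t caps)
{
    struct fake_firmware fw;
    const struct fw_features *features;

    fake_request_firmware(&fw, caps);
    features = (const struct fw_features *)fw.data;
    fake_release_firmware(&fw);
    return features ? features->data : 0;   /* read after release */
}

/* Same ordering as the 6.2.15 fix: copy the byte, then release. */
static uint8_t check_offload_fixed(uint8_t caps)
{
    struct fake_firmware fw;
    const struct fw_features *features;
    uint8_t offload_caps = 0;

    fake_request_firmware(&fw, caps);
    features = (const struct fw_features *)fw.data;
    if (features)
        offload_caps = features->data;       /* copied while still valid */
    fake_release_firmware(&fw);
    return offload_caps;
}

int main(void)
{
    uint8_t caps = 0x3f;                     /* constructed capability byte */

    printf("vulnerable ordering returns 0x%02x (expected 0x%02x)\n",
           check_offload_vulnerable(caps), caps);
    printf("fixed ordering returns      0x%02x\n", check_offload_fixed(caps));
    return 0;
}
```

In the real driver the freed buffer is handed back to the allocator, so the stale read may return garbage, bytes from whatever object reuses the memory, or fault; KASAN reports exactly this pattern as a use-after-free read. The fixed ordering copies the single byte while the firmware is still held, which is all the 6.2.15 change does.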

Useful Links