Memory leaks in the kernels implementation of Host/Target communications of the atheros wifi driver in the Linux kernel which allows a local attacker to cause a denial of service (memory consumption) by triggering wait_for_completion_timeout() failures during device initialisation or USB device probing. This affects the htc_config_pipe_credits() function, the htc_setup_complete() function, and the htc_connect_service() function. Upstream Reference: https://github.com/torvalds/linux/commit/853acf7caf10b828102d92d05b5c101666a6142b
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1774939]
This is a memory leak, and it appears that the total leak size is a once-off leak of 768 bytes (sizeof(struct sk_buff)) each time the module is loaded. Loading and unloading the module requires administrative privileges, and is not something that a regular, non-privileged user can do. Even with physical access to plug/unplug the device, it still requires the module to be unloaded and loaded again, and not simply for the device to detach/reattach with the existing module, to trigger a new leak.
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:1567 https://access.redhat.com/errata/RHSA-2020:1567
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:1769 https://access.redhat.com/errata/RHSA-2020:1769
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-19073