AI Score
  Confidence: Low
EPSS
  Percentile: 15.5%
SSVC
  Exploitation: none
  Automatable: no
  Technical Impact: partial
In the Linux kernel, the following vulnerability has been resolved:
rtw88: Fix array overrun in rtw_get_tx_power_params()
Using a kernel with the Undefined Behaviour Sanity Checker (UBSAN) enabled, the
following array overrun is logged:
The statement where an array is being overrun is shown in the following snippet:
        if (rate <= DESC_RATE11M)
                tx_power = pwr_idx_2g->cck_base[group];
        else
====>           tx_power = pwr_idx_2g->bw40_base[group];
The associated arrays are defined in main.h as follows:
struct rtw_2g_txpwr_idx {
        u8 cck_base[6];
        u8 bw40_base[5];
        struct rtw_2g_1s_pwr_idx_diff ht_1s_diff;
        struct rtw_2g_ns_pwr_idx_diff ht_2s_diff;
        struct rtw_2g_ns_pwr_idx_diff ht_3s_diff;
        struct rtw_2g_ns_pwr_idx_diff ht_4s_diff;
};
The problem arises because the value of group is 5 for channel 14. The trivial
increase in the dimension of bw40_base fails as this struct must match the layout of
efuse. The fix is to add the rate as an argument to rtw_get_channel_group() and set
the group for channel 14 to 4 if rate <= DESC_RATE11M.
This patch fixes commit fa6dfe6bff24 (“rtw88: resolve order of tx power setting routines”)
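
An added example (not the kernel's code and not the upstream patch): a bounds-checked form of the lookup in the snippet above, showing that group 5 is a valid index into cck_base[6] but one past the end of bw40_base[5]. The value of DESC_RATE11M, the channel-to-group table and the function names are assumptions made for this sketch; only the two array sizes and the rate test come from the page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint8_t u8;
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))
#define DESC_RATE11M 3 /* assumed value: last CCK rate in this sketch */

/* The two arrays quoted from main.h; the *_diff members are left out. */
struct rtw_2g_txpwr_idx {
	u8 cck_base[6];
	u8 bw40_base[5];
};

/* Hypothetical 2.4 GHz mapping; the page only states channel 14 -> 5. */
static u8 channel_group(u8 channel)
{
	static const u8 first_ch[] = { 1, 3, 6, 9, 12, 14 };
	size_t g = 0;

	while (g + 1 < ARRAY_SIZE(first_ch) && channel >= first_ch[g + 1])
		g++;
	return (u8)g;
}

/* Number of valid entries in the array that this rate selects. */
static size_t base_len(u8 rate)
{
	struct rtw_2g_txpwr_idx t;

	return rate <= DESC_RATE11M ? ARRAY_SIZE(t.cck_base)
				    : ARRAY_SIZE(t.bw40_base);
}

/* Checked lookup: 0 on success, -1 instead of reading out of bounds. */
static int tx_power_base(const struct rtw_2g_txpwr_idx *p, u8 channel,
			 u8 rate, u8 *out)
{
	u8 group = channel_group(channel);

	if (group >= base_len(rate))
		return -1;
	*out = rate <= DESC_RATE11M ? p->cck_base[group] : p->bw40_base[group];
	return 0;
}

int main(void)
{
	/* Constructed sample table, not real efuse contents. */
	struct rtw_2g_txpwr_idx t = { {10, 11, 12, 13, 14, 15}, {20, 21, 22, 23, 24} };
	u8 v = 0;

	printf("ch14 CCK: %d\n", tx_power_base(&t, 14, DESC_RATE11M, &v));
	printf("ch14 non-CCK: %d\n", tx_power_base(&t, 14, DESC_RATE11M + 1, &v));
	return 0;
}
```
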
[
  {
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "vendor": "Linux",
    "product": "Linux",
    "versions": [
      {
        "status": "affected",
        "version": "fa6dfe6bff24",
        "lessThan": "6b5aa0cf321c",
        "versionType": "git"
      },
      {
        "status": "affected",
        "version": "fa6dfe6bff24",
        "lessThan": "95fb153c6027",
        "versionType": "git"
      },
      {
        "status": "affected",
        "version": "fa6dfe6bff24",
        "lessThan": "5f3dbced8eaa",
        "versionType": "git"
      },
      {
        "status": "affected",
        "version": "fa6dfe6bff24",
        "lessThan": "9cd09722e18a",
        "versionType": "git"
      },
      {
        "status": "affected",
        "version": "fa6dfe6bff24",
        "lessThan": "2ff25985ea9c",
        "versionType": "git"
      }
    ],
    "programFiles": [
      "drivers/net/wireless/realtek/rtw88/phy.c"
    ],
    "defaultStatus": "unaffected"
  },
  {
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "vendor": "Linux",
    "product": "Linux",
    "versions": [
      {
        "status": "affected",
        "version": "5.3"
      },
      {
        "status": "unaffected",
        "version": "0",
        "lessThan": "5.3",
        "versionType": "custom"
      },
      {
        "status": "unaffected",
        "version": "5.4.119",
        "versionType": "custom",
        "lessThanOrEqual": "5.4.*"
      },
      {
        "status": "unaffected",
        "version": "5.10.37",
        "versionType": "custom",
        "lessThanOrEqual": "5.10.*"
      },
      {
        "status": "unaffected",
        "version": "5.11.21",
        "versionType": "custom",
        "lessThanOrEqual": "5.11.*"
      },
      {
        "status": "unaffected",
        "version": "5.12.4",
        "versionType": "custom",
        "lessThanOrEqual": "5.12.*"
      },
      {
        "status": "unaffected",
        "version": "5.13",
        "versionType": "original_commit_for_fix",
        "lessThanOrEqual": "*"
      }
    ],
    "programFiles": [
      "drivers/net/wireless/realtek/rtw88/phy.c"
    ],
    "defaultStatus": "affected"
  }
]
git.kernel.org/stable/c/2ff25985ea9ccc6c9af2c77b0b49045adcc62e0e
git.kernel.org/stable/c/5f3dbced8eaa5c9ed7d6943f3fea99f235a6516a
git.kernel.org/stable/c/6b5aa0cf321c25f41e09a61c83ee4dc7ab9549cb
git.kernel.org/stable/c/95fb153c6027924cda3422120169d1890737f3a0
git.kernel.org/stable/c/9cd09722e18a08b6a3d68b8bccfac39ddc22434c