Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
cvelistLinuxCVELIST:CVE-2024-46760
HistorySep 18, 2024 - 7:12 a.m.

CVE-2024-46760 wifi: rtw88: usb: schedule rx work after everything is set up

2024-09-1807:12:19
Linux
www.cve.org
linux kernel
vulnerability
rtw88
usb
rx work

EPSS

0

Percentile

16.4%

JSON

In the Linux kernel, the following vulnerability has been resolved:

wifi: rtw88: usb: schedule rx work after everything is set up

Right now it’s possible to hit NULL pointer dereference in
rtw_rx_fill_rx_status on hw object and/or its fields because
initialization routine can start getting USB replies before
rtw_dev is fully setup.

The stack trace looks like this:

rtw_rx_fill_rx_status
rtw8821c_query_rx_desc
rtw_usb_rx_handler

queue_work
rtw_usb_read_port_complete

usb_submit_urb
rtw_usb_rx_resubmit
rtw_usb_init_rx
rtw_usb_probe

So while we do the async stuff rtw_usb_probe continues and calls
rtw_register_hw, which does all kinds of initialization (e.g.
via ieee80211_register_hw) that rtw_rx_fill_rx_status relies on.

Fix this by moving the first usb_submit_urb after everything
is set up.

For me, this bug manifested as:
[ 8.893177] rtw_8821cu 1-1:1.2: band wrong, packet dropped
[ 8.910904] rtw_8821cu 1-1:1.2: hw->conf.chandef.chan NULL in rtw_rx_fill_rx_status
because I’m using Larry’s backport of rtw88 driver with the NULL
checks in rtw_rx_fill_rx_status.

CNA Affected

[
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "unaffected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "drivers/net/wireless/realtek/rtw88/usb.c"
    ],
    "versions": [
      {
        "version": "1da177e4c3f4",
        "lessThan": "c83d464b82a8",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "1da177e4c3f4",
        "lessThan": "25eaef533bf3",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "1da177e4c3f4",
        "lessThan": "adc539784c98",
        "status": "affected",
        "versionType": "git"
      }
    ]
  },
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "affected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "drivers/net/wireless/realtek/rtw88/usb.c"
    ],
    "versions": [
      {
        "version": "6.6.51",
        "lessThanOrEqual": "6.6.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.10.10",
        "lessThanOrEqual": "6.10.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.11",
        "lessThanOrEqual": "*",
        "status": "unaffected",
        "versionType": "original_commit_for_fix"
      }
    ]
  }
]

Related

debiancve 1
osv 1
cve 1
nvd 1
debiancve
debiancve
CVE-2024-46760
2024-09-18 08:15:04
osv
osv
CVE-2024-46760
2024-09-18 08:15:04
cve
cve
CVE-2024-46760
2024-09-18 08:15:04
nvd
nvd
CVE-2024-46760
2024-09-18 08:15:04

EPSS

0

Percentile

16.4%

JSON
Related for CVELIST:CVE-2024-46760
debiancve1osv1cve1nvd1