In the Linux kernel, the following vulnerability has been resolved:
rtw88: Fix array overrun in rtw_get_tx_power_params()
Using a kernel with the Undefined Behaviour Sanity Checker (UBSAN) enabled, the
following array overrun is logged:
The statement where an array is being overrun is shown in the following snippet:

    if (rate <= DESC_RATE11M)
        tx_power = pwr_idx_2g->cck_base[group];
    else
    ====> tx_power = pwr_idx_2g->bw40_base[group];
The associated arrays are defined in main.h as follows:

    struct rtw_2g_txpwr_idx {
        u8 cck_base[6];
        u8 bw40_base[5];
        struct rtw_2g_1s_pwr_idx_diff ht_1s_diff;
        struct rtw_2g_ns_pwr_idx_diff ht_2s_diff;
        struct rtw_2g_ns_pwr_idx_diff ht_3s_diff;
        struct rtw_2g_ns_pwr_idx_diff ht_4s_diff;
    };
The problem arises because the value of group is 5 for channel 14. The trivial
increase in the dimension of bw40_base fails as this struct must match the layout of
efuse. The fix is to add the rate as an argument to rtw_get_channel_group() and set
the group for channel 14 to 4 if rate <= DESC_RATE11M.
This patch fixes commit fa6dfe6bff24 (“rtw88: resolve order of tx power setting routines”)
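The following C program is an added illustration of the indexing problem and of the shape of the fix; it is not code from the rtw88 driver. It keeps the two array sizes quoted from main.h (the *_diff members are dropped since they play no part in the indexing), reconstructs a simplified 2.4 GHz channel-to-group mapping (channel_group_old, channel_group_fixed) that is an assumption rather than the driver's real rtw_get_channel_group(), assigns example numeric values to the DESC_RATE* constants, and uses a constructed power table. The point it makes is the one the advisory makes: with cck_base[6] and bw40_base[5] fixed by the efuse layout, group 5 for channel 14 is only in bounds on the CCK path (rate <= DESC_RATE11M), so the non-CCK path must fall back to group 4, and the rate therefore has to be an input to the group selection.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint8_t u8;

/* Mirrors the main.h layout quoted above; sizes must not change because the
 * struct overlays the efuse contents (the *_diff members are omitted here). */
struct rtw_2g_txpwr_idx {
    u8 cck_base[6];
    u8 bw40_base[5];
};

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Assumed rate indices for this example: DESC_RATE11M is the highest CCK
 * rate, everything above it selects the bw40_base table. */
enum { DESC_RATE1M, DESC_RATE2M, DESC_RATE5_5M, DESC_RATE11M, DESC_RATE6M };

/* Constructed sample table: values chosen so each slot is recognisable. */
static const struct rtw_2g_txpwr_idx sample = {
    .cck_base  = { 10, 11, 12, 13, 14, 15 },
    .bw40_base = { 20, 21, 22, 23, 24 },
};

/* Pre-fix grouping (assumed simplification of the 2.4 GHz part of
 * rtw_get_channel_group): channel 14 gets its own group, 5, which is a valid
 * index into cck_base[6] but one past the end of bw40_base[5]. */
static int channel_group_old(u8 channel)
{
    if (channel < 1 || channel > 14) return -1; /* not a 2.4 GHz channel */
    if (channel <= 2)  return 0;
    if (channel <= 5)  return 1;
    if (channel <= 8)  return 2;
    if (channel <= 11) return 3;
    if (channel <= 13) return 4;
    return 5;
}

/* Fixed grouping: the rate is now an input, because it decides which table
 * the caller indexes. Channel 14 keeps group 5 only on the CCK path. */
static int channel_group_fixed(u8 channel, u8 rate)
{
    int group = channel_group_old(channel);

    if (channel == 14 && rate > DESC_RATE11M)
        group = 4; /* bw40_base has no slot 5 */
    return group;
}

/* Bounds-checked form of the advisory's snippet: returns the power index, or
 * -1 where the original code would have read past the selected array. */
static int lookup_tx_power(const struct rtw_2g_txpwr_idx *p, int group, u8 rate)
{
    if (group < 0)
        return -1;
    if (rate <= DESC_RATE11M) {
        if ((size_t)group >= ARRAY_SIZE(p->cck_base))
            return -1;
        return p->cck_base[group];
    }
    if ((size_t)group >= ARRAY_SIZE(p->bw40_base))
        return -1; /* this is the cck/bw40 size mismatch UBSAN reported */
    return p->bw40_base[group];
}

int main(void)
{
    int old_grp = channel_group_old(14);
    int new_grp = channel_group_fixed(14, DESC_RATE6M);

    printf("channel 14, OFDM rate: old group %d -> lookup %d (out of bounds)\n",
           old_grp, lookup_tx_power(&sample, old_grp, DESC_RATE6M));
    printf("channel 14, OFDM rate: fixed group %d -> lookup %d\n",
           new_grp, lookup_tx_power(&sample, new_grp, DESC_RATE6M));
    printf("channel 14, CCK rate:  fixed group %d -> lookup %d\n",
           channel_group_fixed(14, DESC_RATE11M),
           lookup_tx_power(&sample, channel_group_fixed(14, DESC_RATE11M),
                           DESC_RATE11M));
    return 0;
}
```

The bounds check in lookup_tx_power() is what UBSAN was doing for the driver at runtime; the real code has no such check and simply reads the byte after bw40_base, so correcting the index at its source (the group selection) rather than enlarging the array is the only option that keeps the efuse layout intact.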
git.kernel.org/stable/c/2ff25985ea9ccc6c9af2c77b0b49045adcc62e0e
git.kernel.org/stable/c/5f3dbced8eaa5c9ed7d6943f3fea99f235a6516a
git.kernel.org/stable/c/6b5aa0cf321c25f41e09a61c83ee4dc7ab9549cb
git.kernel.org/stable/c/95fb153c6027924cda3422120169d1890737f3a0
git.kernel.org/stable/c/9cd09722e18a08b6a3d68b8bccfac39ddc22434c