Ubuntu.comUB:CVE-2021-47065CVE-2021-47065
In the Linux kernel, the following vulnerability has been resolved: rtw88:
Fix array overrun in rtw_get_tx_power_params() Using a kernel with the
Undefined Behaviour Sanity Checker (UBSAN) enabled, the following array
overrun is logged:
UBSAN: array-index-out-of-bounds in
/home/finger/wireless-drivers-next/drivers/net/wireless/realtek/rtw88/phy.c:1789:34
index 5 is out of range for type ‘u8 [5]’ CPU: 2 PID: 84 Comm:
kworker/u16:3 Tainted: G O 5.12.0-rc5-00086-gd88bba47038e-dirty #651
Hardware name: TOSHIBA TECRA A50-A/TECRA A50-A, BIOS Version 4.50
09/29/2014 Workqueue: phy0 ieee80211_scan_work [mac80211] Call Trace:
dump_stack+0x64/0x7c ubsan_epilogue+0x5/0x40
__ubsan_handle_out_of_bounds.cold+0x43/0x48
rtw_get_tx_power_params+0x83a/drivers/net/wireless/realtek/rtw88/0xad0
[rtw_core] ? rtw_pci_read16+0x20/0x20 [rtw_pci] ? check_hw_ready+0x50/0x90
[rtw_core] rtw_phy_get_tx_power_index+0x4d/0xd0 [rtw_core]
rtw_phy_set_tx_power_level+0xee/0x1b0 [rtw_core] rtw_set_channel+0xab/0x110
[rtw_core] rtw_ops_config+0x87/0xc0 [rtw_core]
ieee80211_hw_config+0x9d/0x130 [mac80211]
ieee80211_scan_state_set_channel+0x81/0x170 [mac80211]
ieee80211_scan_work+0x19f/0x2a0 [mac80211] process_one_work+0x1dd/0x3a0
worker_thread+0x49/0x330 ? rescuer_thread+0x3a0/0x3a0 kthread+0x134/0x150 ?
kthread_create_worker_on_cpu+0x70/0x70 ret_from_fork+0x22/0x30
The statement where an array is being overrun is shown in the following
snippet: if (rate <= DESC_RATE11M) tx_power = pwr_idx_2g->cck_base[group];
else ====> tx_power = pwr_idx_2g->bw40_base[group]; The associated arrays
are defined in main.h as follows: struct rtw_2g_txpwr_idx { u8 cck_base[6];
u8 bw40_base[5]; struct rtw_2g_1s_pwr_idx_diff ht_1s_diff; struct
rtw_2g_ns_pwr_idx_diff ht_2s_diff; struct rtw_2g_ns_pwr_idx_diff
ht_3s_diff; struct rtw_2g_ns_pwr_idx_diff ht_4s_diff; }; The problem arises
because the value of group is 5 for channel 14. The trivial increase in the
dimension of bw40_base fails as this struct must match the layout of efuse.
The fix is to add the rate as an argument to rtw_get_channel_group() and
set the group for channel 14 to 4 if rate <= DESC_RATE11M. This patch fixes
commit fa6dfe6bff24 (“rtw88: resolve order of tx power setting routines”)
| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| ubuntu | 20.04 | noarch | linux | < any | UNKNOWN |
| ubuntu | 20.04 | noarch | linux-aws | < any | UNKNOWN |
| ubuntu | 18.04 | noarch | linux-aws-5.4 | < any | UNKNOWN |
| ubuntu | 20.04 | noarch | linux-azure | < any | UNKNOWN |
| ubuntu | 18.04 | noarch | linux-azure-5.4 | < any | UNKNOWN |
| ubuntu | 20.04 | noarch | linux-bluefield | < any | UNKNOWN |
| ubuntu | 20.04 | noarch | linux-gcp | < any | UNKNOWN |
| ubuntu | 18.04 | noarch | linux-gcp-5.4 | < any | UNKNOWN |
| ubuntu | 20.04 | noarch | linux-gkeop | < any | UNKNOWN |
| ubuntu | 18.04 | noarch | linux-hwe-5.4 | < any | UNKNOWN |
Related
