CVE-2021-47065

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-47065
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-47065.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-47065
Related
Published
2024-02-29T23:15:08Z
Modified
2024-09-18T01:00:20Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

rtw88: Fix array overrun in rtwgettxpowerparams()

Using a kernel with the Undefined Behaviour Sanity Checker (UBSAN) enabled, the following array overrun is logged:

================================================================================ UBSAN: array-index-out-of-bounds in /home/finger/wireless-drivers-next/drivers/net/wireless/realtek/rtw88/phy.c:1789:34 index 5 is out of range for type 'u8 [5]' CPU: 2 PID: 84 Comm: kworker/u16:3 Tainted: G O 5.12.0-rc5-00086-gd88bba47038e-dirty #651 Hardware name: TOSHIBA TECRA A50-A/TECRA A50-A, BIOS Version 4.50 09/29/2014 Workqueue: phy0 ieee80211scanwork [mac80211] Call Trace: dumpstack+0x64/0x7c ubsanepilogue+0x5/0x40 _ubsanhandleoutofbounds.cold+0x43/0x48 rtwgettxpowerparams+0x83a/drivers/net/wireless/realtek/rtw88/0xad0 [rtwcore] ? rtwpciread16+0x20/0x20 [rtwpci] ? checkhwready+0x50/0x90 [rtwcore] rtwphygettxpowerindex+0x4d/0xd0 [rtwcore] rtwphysettxpowerlevel+0xee/0x1b0 [rtwcore] rtwsetchannel+0xab/0x110 [rtwcore] rtwopsconfig+0x87/0xc0 [rtwcore] ieee80211hwconfig+0x9d/0x130 [mac80211] ieee80211scanstatesetchannel+0x81/0x170 [mac80211] ieee80211scanwork+0x19f/0x2a0 [mac80211] processonework+0x1dd/0x3a0 workerthread+0x49/0x330 ? rescuerthread+0x3a0/0x3a0 kthread+0x134/0x150 ? kthreadcreateworkeroncpu+0x70/0x70

retfromfork+0x22/0x30

The statement where an array is being overrun is shown in the following snippet:

if (rate <= DESC_RATE11M)
    tx_power = pwr_idx_2g->cck_base[group];
else

====> txpower = pwridx2g->bw40base[group];

The associated arrays are defined in main.h as follows:

struct rtw2gtxpwridx { u8 cckbase[6]; u8 bw40base[5]; struct rtw2g1spwridxdiff ht1sdiff; struct rtw2gnspwridxdiff ht2sdiff; struct rtw2gnspwridxdiff ht3sdiff; struct rtw2gnspwridxdiff ht4s_diff; };

The problem arises because the value of group is 5 for channel 14. The trivial increase in the dimension of bw40base fails as this struct must match the layout of efuse. The fix is to add the rate as an argument to rtwgetchannelgroup() and set the group for channel 14 to 4 if rate <= DESC_RATE11M.

This patch fixes commit fa6dfe6bff24 ("rtw88: resolve order of tx power setting routines")

References

Affected packages

Debian:11 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.10.38-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.10.38-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.10.38-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}