In the Linux kernel, the following vulnerability has been resolved:
rtw88: Fix array overrun in rtw_get_tx_power_params()
Using a kernel with the Undefined Behaviour Sanity Checker (UBSAN) enabled, the following array overrun is logged:
================================================================================
UBSAN: array-index-out-of-bounds in /home/finger/wireless-drivers-next/drivers/net/wireless/realtek/rtw88/phy.c:1789:34
index 5 is out of range for type 'u8 [5]'
CPU: 2 PID: 84 Comm: kworker/u16:3 Tainted: G O 5.12.0-rc5-00086-gd88bba47038e-dirty #651
Hardware name: TOSHIBA TECRA A50-A/TECRA A50-A, BIOS Version 4.50 09/29/2014
Workqueue: phy0 ieee80211_scan_work [mac80211]
Call Trace:
 dump_stack+0x64/0x7c
 ubsan_epilogue+0x5/0x40
 __ubsan_handle_out_of_bounds.cold+0x43/0x48
 rtw_get_tx_power_params+0x83a/drivers/net/wireless/realtek/rtw88/0xad0 [rtw_core]
 ? rtw_pci_read16+0x20/0x20 [rtw_pci]
 ? check_hw_ready+0x50/0x90 [rtw_core]
 rtw_phy_get_tx_power_index+0x4d/0xd0 [rtw_core]
 rtw_phy_set_tx_power_level+0xee/0x1b0 [rtw_core]
 rtw_set_channel+0xab/0x110 [rtw_core]
 rtw_ops_config+0x87/0xc0 [rtw_core]
 ieee80211_hw_config+0x9d/0x130 [mac80211]
 ieee80211_scan_state_set_channel+0x81/0x170 [mac80211]
 ieee80211_scan_work+0x19f/0x2a0 [mac80211]
 process_one_work+0x1dd/0x3a0
 worker_thread+0x49/0x330
 ? rescuer_thread+0x3a0/0x3a0
 kthread+0x134/0x150
 ? kthread_create_worker_on_cpu+0x70/0x70
The statement where an array is being overrun is shown in the following snippet:
      if (rate <= DESC_RATE11M)
              tx_power = pwr_idx_2g->cck_base[group];
      else
====>         tx_power = pwr_idx_2g->bw40_base[group];
The associated arrays are defined in main.h as follows:
struct rtw_2g_txpwr_idx {
	u8 cck_base[6];
	u8 bw40_base[5];
	struct rtw_2g_1s_pwr_idx_diff ht_1s_diff;
	struct rtw_2g_ns_pwr_idx_diff ht_2s_diff;
	struct rtw_2g_ns_pwr_idx_diff ht_3s_diff;
	struct rtw_2g_ns_pwr_idx_diff ht_4s_diff;
};
The problem arises because the value of group is 5 for channel 14, while bw40_base has only five entries (indices 0 to 4). Simply enlarging bw40_base is not an option, as this struct must match the layout of the efuse. The fix is to add the rate as an argument to rtw_get_channel_group() and set the group for channel 14 to 4 if rate <= DESC_RATE11M.
This patch fixes commit fa6dfe6bff24 ("rtw88: resolve order of tx power setting routines").
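The lookup described above, as an added example that is not the rtw88 driver's code: it models the two tables with the sizes quoted from main.h, the channel-to-group mapping both before and after the rate becomes an input, and the indexing from the snippet with an explicit bounds check standing in for UBSAN. The rate enumeration and the grouping of channels 1 to 13 are assumptions modelled on the driver; only the array sizes and channel 14 -> group 5 come from the text. In this model the reduced group 4 is applied to the non-CCK branch, because that is the branch the log shows indexing the five-entry bw40_base (cck_base has a sixth slot, so CCK on channel 14 can keep group 5).

```c
/* Added example, not the rtw88 driver's code. It models the lookup from the
 * snippet above: a channel-to-group mapping feeding either cck_base[6] or
 * bw40_base[5] depending on the rate, and shows why group 5 for channel 14
 * overruns the five-entry array unless the mapping knows the rate. */
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

typedef uint8_t u8;

/* Constructed rate descriptors in the driver's order (assumption): the four
 * CCK rates come first, so "rate <= DESC_RATE11M" selects CCK as in the snippet. */
enum {
	DESC_RATE1M, DESC_RATE2M, DESC_RATE5_5M, DESC_RATE11M,
	DESC_RATE6M, DESC_RATE9M, DESC_RATE12M, DESC_RATE18M,
	DESC_RATE24M, DESC_RATE36M, DESC_RATE48M, DESC_RATE54M,
};

/* Array sizes as quoted from main.h; they mirror the efuse layout and
 * therefore cannot simply be enlarged. */
struct rtw_2g_txpwr_idx {
	u8 cck_base[6];
	u8 bw40_base[5];
};

#define ARRAY_LEN(a) (sizeof(a) / sizeof((a)[0]))

/* Constructed sample table: values chosen so a test can tell which array
 * and which slot a lookup came from. */
static const struct rtw_2g_txpwr_idx sample_table = {
	.cck_base  = { 40, 41, 42, 43, 44, 45 },
	.bw40_base = { 30, 31, 32, 33, 34 },
};

/* 2.4 GHz channel grouping as it stood before the fix: the group depends on
 * the channel only, and channel 14 is always group 5 (the text states this
 * value; the grouping of channels 1-13 is an assumption here). */
static int channel_group_before(u8 channel)
{
	if (channel >= 1 && channel <= 2)   return 0;
	if (channel >= 3 && channel <= 5)   return 1;
	if (channel >= 6 && channel <= 8)   return 2;
	if (channel >= 9 && channel <= 11)  return 3;
	if (channel >= 12 && channel <= 13) return 4;
	if (channel == 14)                  return 5;
	return -1;	/* not a 2.4 GHz channel */
}

/* After the fix: the rate is an input. cck_base has a sixth slot for
 * channel 14, bw40_base does not, so non-CCK rates on channel 14 reuse
 * the last valid bw40 group instead of indexing one past the end. */
static int channel_group_fixed(u8 channel, u8 rate)
{
	if (channel == 14 && rate > DESC_RATE11M)
		return 4;
	return channel_group_before(channel);
}

/* The indexing from the snippet, with an explicit bounds check in place of
 * UBSAN: returns the base index, or -1 where the original code would have
 * read past the array. */
static int lookup_base(const struct rtw_2g_txpwr_idx *t, int group, u8 rate)
{
	if (group < 0)
		return -1;
	if (rate <= DESC_RATE11M)
		return (size_t)group < ARRAY_LEN(t->cck_base) ? t->cck_base[group] : -1;
	return (size_t)group < ARRAY_LEN(t->bw40_base) ? t->bw40_base[group] : -1;
}

/* Sweeps every 2.4 GHz channel and rate; true only if no lookup overruns. */
static bool all_lookups_in_bounds(bool use_fixed)
{
	for (u8 ch = 1; ch <= 14; ch++) {
		for (u8 rate = DESC_RATE1M; rate <= DESC_RATE54M; rate++) {
			int group = use_fixed ? channel_group_fixed(ch, rate)
					      : channel_group_before(ch);
			if (lookup_base(&sample_table, group, rate) < 0)
				return false;
		}
	}
	return true;
}

int main(void)
{
	printf("before fix, all lookups in bounds: %s\n",
	       all_lookups_in_bounds(false) ? "yes" : "no");
	printf("after fix,  all lookups in bounds: %s\n",
	       all_lookups_in_bounds(true) ? "yes" : "no");
	printf("ch14 at 6M, before: %d  after: %d\n",
	       lookup_base(&sample_table, channel_group_before(14), DESC_RATE6M),
	       lookup_base(&sample_table, channel_group_fixed(14, DESC_RATE6M), DESC_RATE6M));
	return 0;
}
```

The sweep is the check worth keeping: with the rate-blind mapping only the channel 14 / non-CCK combination fails, which is exactly the combination a scan across the full 2.4 GHz band exercises, matching the ieee80211_scan_work origin of the trace.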