CVE-2023-52611

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2023-52611
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-52611.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-52611
Downstream
Related
Published
2024-03-18T10:07:46Z
Modified
2025-10-21T14:24:34.502929Z
Summary
wifi: rtw88: sdio: Honor the host max_req_size in the RX path
Details

In the Linux kernel, the following vulnerability has been resolved:

wifi: rtw88: sdio: Honor the host maxreqsize in the RX path

Lukas reports skboverpanic errors on his Banana Pi BPI-CM4 which comes with an Amlogic A311D (G12B) SoC and a RTL8822CS SDIO wifi/Bluetooth combo card. The error he observed is identical to what has been fixed in commit e967229ead0e ("wifi: rtw88: sdio: Check the HISR RXREQUEST bit in rtwsdiorxisr()") but that commit didn't fix Lukas' problem.

Lukas found that disabling or limiting RX aggregation works around the problem for some time (but does not fully fix it). In the following discussion a few key topics have been discussed which have an impact on this problem: - The Amlogic A311D (G12B) SoC has a hardware bug in the SDIO controller which prevents DMA transfers. Instead all transfers need to go through the controller SRAM which limits transfers to 1536 bytes - rtw88 chips don't split incoming (RX) packets, so if a big packet is received this is forwarded to the host in it's original form - rtw88 chips can do RX aggregation, meaning more multiple incoming packets can be pulled by the host from the card with one MMC/SDIO transfer. This Depends on settings in the REGRXDMAAGGPGTH register (BITRXDMAAGGPGTH limits the number of packets that will be aggregated, BITDMAAGGTOV1 configures a timeout for aggregation and BITENPRE_CALC makes the chip honor the limits more effectively)

Use multiple consecutive reads in rtwsdioreadport() and limit the number of bytes which are copied by the host from the card in one MMC/SDIO transfer. This allows receiving a buffer that's larger than the hosts maxreqsize (number of bytes which can be transferred in one MMC/SDIO transfer). As a result of this the skbover_panic error is gone as the rtw88 driver is now able to receive more than 1536 bytes from the card (either because the incoming packet is larger than that or because multiple packets have been aggregated).

In case of an receive errors (-EILSEQ has been observed by Lukas) we need to drain the remaining data from the card's buffer, otherwise the card will return corrupt data for the next rtwsdioread_port() call.

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
65371a3f14e73979958aea0db1e3bb456a296149
Fixed
5b5ddf21b978ec315cab9d9e7e6ac7374791a8c7
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
65371a3f14e73979958aea0db1e3bb456a296149
Fixed
0e9ffff72a0674cd6656314dbd99cdd2123a3030
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
65371a3f14e73979958aea0db1e3bb456a296149
Fixed
00384f565a91c08c4bedae167f749b093d10e3fe

Affected versions

v6.*

v6.3
v6.3-rc5
v6.3-rc6
v6.3-rc7
v6.4
v6.4-rc1
v6.4-rc2
v6.4-rc3
v6.4-rc4
v6.4-rc5
v6.4-rc6
v6.4-rc7
v6.5
v6.5-rc1
v6.5-rc2
v6.5-rc3
v6.5-rc4
v6.5-rc5
v6.5-rc6
v6.5-rc7
v6.6
v6.6-rc1
v6.6-rc2
v6.6-rc3
v6.6-rc4
v6.6-rc5
v6.6-rc6
v6.6-rc7
v6.6.1
v6.6.10
v6.6.11
v6.6.12
v6.6.13
v6.6.2
v6.6.3
v6.6.4
v6.6.5
v6.6.6
v6.6.7
v6.6.8
v6.6.9
v6.7
v6.7-rc1
v6.7-rc2
v6.7-rc3
v6.7-rc4
v6.7-rc5
v6.7-rc6
v6.7-rc7
v6.7-rc8
v6.7.1

Database specific

vanir_signatures

[
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5b5ddf21b978ec315cab9d9e7e6ac7374791a8c7",
        "target": {
            "function": "rtw_sdio_read_port",
            "file": "drivers/net/wireless/realtek/rtw88/sdio.c"
        },
        "signature_type": "Function",
        "deprecated": false,
        "digest": {
            "function_hash": "193756270758567225995149947133707436871",
            "length": 461.0
        },
        "id": "CVE-2023-52611-1ab6a958",
        "signature_version": "v1"
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@00384f565a91c08c4bedae167f749b093d10e3fe",
        "target": {
            "file": "drivers/net/wireless/realtek/rtw88/sdio.c"
        },
        "signature_type": "Line",
        "deprecated": false,
        "digest": {
            "line_hashes": [
                "310106624817032112787692262060748853245",
                "27014817485638970277766123605517336026",
                "188322286269543742526666563980351319104",
                "251190026077548914275215049974016215853",
                "247220272041616143995698655384945569998",
                "297574214470070367321380902025258095723",
                "49869514680174710082992133653580847583",
                "122907690113816689069154997325736322261",
                "145106799971706783916371440490155487436",
                "176851187783167525279912681811569318486",
                "4094867208857101196906439304194887706",
                "284298823645276761115094744939613386735",
                "202786544740072771393511056363721125787",
                "233398274336413712821239704430009234857",
                "193097417154775571233375566642948820668"
            ],
            "threshold": 0.9
        },
        "id": "CVE-2023-52611-4bb1a648",
        "signature_version": "v1"
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@0e9ffff72a0674cd6656314dbd99cdd2123a3030",
        "target": {
            "function": "rtw_sdio_read_port",
            "file": "drivers/net/wireless/realtek/rtw88/sdio.c"
        },
        "signature_type": "Function",
        "deprecated": false,
        "digest": {
            "function_hash": "193756270758567225995149947133707436871",
            "length": 461.0
        },
        "id": "CVE-2023-52611-920d0234",
        "signature_version": "v1"
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@0e9ffff72a0674cd6656314dbd99cdd2123a3030",
        "target": {
            "file": "drivers/net/wireless/realtek/rtw88/sdio.c"
        },
        "signature_type": "Line",
        "deprecated": false,
        "digest": {
            "line_hashes": [
                "310106624817032112787692262060748853245",
                "27014817485638970277766123605517336026",
                "188322286269543742526666563980351319104",
                "251190026077548914275215049974016215853",
                "247220272041616143995698655384945569998",
                "297574214470070367321380902025258095723",
                "49869514680174710082992133653580847583",
                "122907690113816689069154997325736322261",
                "145106799971706783916371440490155487436",
                "176851187783167525279912681811569318486",
                "4094867208857101196906439304194887706",
                "284298823645276761115094744939613386735",
                "202786544740072771393511056363721125787",
                "233398274336413712821239704430009234857",
                "193097417154775571233375566642948820668"
            ],
            "threshold": 0.9
        },
        "id": "CVE-2023-52611-9da1b8b8",
        "signature_version": "v1"
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5b5ddf21b978ec315cab9d9e7e6ac7374791a8c7",
        "target": {
            "file": "drivers/net/wireless/realtek/rtw88/sdio.c"
        },
        "signature_type": "Line",
        "deprecated": false,
        "digest": {
            "line_hashes": [
                "310106624817032112787692262060748853245",
                "27014817485638970277766123605517336026",
                "188322286269543742526666563980351319104",
                "251190026077548914275215049974016215853",
                "247220272041616143995698655384945569998",
                "297574214470070367321380902025258095723",
                "49869514680174710082992133653580847583",
                "122907690113816689069154997325736322261",
                "145106799971706783916371440490155487436",
                "176851187783167525279912681811569318486",
                "4094867208857101196906439304194887706",
                "284298823645276761115094744939613386735",
                "202786544740072771393511056363721125787",
                "233398274336413712821239704430009234857",
                "193097417154775571233375566642948820668"
            ],
            "threshold": 0.9
        },
        "id": "CVE-2023-52611-ac547c41",
        "signature_version": "v1"
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@00384f565a91c08c4bedae167f749b093d10e3fe",
        "target": {
            "function": "rtw_sdio_read_port",
            "file": "drivers/net/wireless/realtek/rtw88/sdio.c"
        },
        "signature_type": "Function",
        "deprecated": false,
        "digest": {
            "function_hash": "193756270758567225995149947133707436871",
            "length": 461.0
        },
        "id": "CVE-2023-52611-b1381d74",
        "signature_version": "v1"
    }
]

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.4.0
Fixed
6.6.14
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.7.2