CVE-2023-54300
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath9k: avoid referencing uninit memory in ath9k_wmi_ctrl_rx
For the reasons also described in commit b383e8abed41 ("wifi: ath9k: avoid uninit memory read in ath9k_htc_rx_msg()"), ath9k_htc_rx_msg() should validate pkt_len before accessing the SKB.
For example, the obtained SKB may have been badly constructed with pkt_len = 8. In this case, the SKB can only contain a valid htc_frame_hdr but after being processed in ath9k_htc_rx_msg() and passed to ath9k_wmi_ctrl_rx() endpoint RX handler, it is expected to have a WMI command header which should be located inside its data payload.
Implement sanity checking inside ath9k_wmi_ctrl_rx(). Otherwise, uninit memory can be referenced.
Tested on Qualcomm Atheros Communications AR9271 802.11n .
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | fb9987d0f748c983bb795a86f47522313f701a08 < 0bc12e41af4e3ae1f0efecc377f0514459df0707 | affected |
| Linux | Linux | fb9987d0f748c983bb795a86f47522313f701a08 < 28259ce4f1f1f9ab37fa817756c89098213d2fc0 | affected |
| Linux | Linux | fb9987d0f748c983bb795a86f47522313f701a08 < 90e3c10177573b8662ac9858abd9bf731d5d98e0 | affected |
| Linux | Linux | fb9987d0f748c983bb795a86f47522313f701a08 < 250efb4d3f5b32a115ea6bf25437ba44a1b3c04f | affected |
| Linux | Linux | fb9987d0f748c983bb795a86f47522313f701a08 < ad5425e70789c29b93acafb5bb4629e4eb908296 | affected |
| Linux | Linux | fb9987d0f748c983bb795a86f47522313f701a08 < d1c2ff2bd84c3692c9df267a2b991ce92bfca8ef | affected |
| Linux | Linux | fb9987d0f748c983bb795a86f47522313f701a08 < 8ed572e52714593b209e3aa352406aff84481179 | affected |
| Linux | Linux | fb9987d0f748c983bb795a86f47522313f701a08 < 75acec91aeaa07375cd5f418069e61b16d39bbad | affected |
| Linux | Linux | fb9987d0f748c983bb795a86f47522313f701a08 < f24292e827088bba8de7158501ac25a59b064953 | affected |
| Linux | Linux | 2.6.35 | affected |
| Linux | Linux | 0 < 2.6.35 | unaffected |
| Linux | Linux | 4.14.322 <= 4.14.* | unaffected |
| Linux | Linux | 4.19.291 <= 4.19.* | unaffected |
| Linux | Linux | 5.4.251 <= 5.4.* | unaffected |
| Linux | Linux | 5.10.188 <= 5.10.* | unaffected |
| Linux | Linux | 5.15.121 <= 5.15.* | unaffected |
| Linux | Linux | 6.1.39 <= 6.1.* | unaffected |
| Linux | Linux | 6.3.13 <= 6.3.* | unaffected |
| Linux | Linux | 6.4.4 <= 6.4.* | unaffected |
| Linux | Linux | 6.5 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/0bc12e41af4e3ae1f0efecc377f0514459df0707
- https://git.kernel.org/stable/c/28259ce4f1f1f9ab37fa817756c89098213d2fc0
- https://git.kernel.org/stable/c/90e3c10177573b8662ac9858abd9bf731d5d98e0
- https://git.kernel.org/stable/c/250efb4d3f5b32a115ea6bf25437ba44a1b3c04f
- https://git.kernel.org/stable/c/ad5425e70789c29b93acafb5bb4629e4eb908296
- https://git.kernel.org/stable/c/d1c2ff2bd84c3692c9df267a2b991ce92bfca8ef
- https://git.kernel.org/stable/c/8ed572e52714593b209e3aa352406aff84481179
- https://git.kernel.org/stable/c/75acec91aeaa07375cd5f418069e61b16d39bbad
- https://git.kernel.org/stable/c/f24292e827088bba8de7158501ac25a59b064953
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.