CVE-2025-68380

Summary

In the Linux kernel, the following vulnerability has been resolved:

wifi: ath11k: fix peer HE MCS assignment

In ath11k_wmi_send_peer_assoc_cmd(), peer's transmit MCS is sent to firmware as receive MCS while peer's receive MCS sent as transmit MCS, which goes against firmwire's definition.

While connecting to a misbehaved AP that advertises 0xffff (meaning not supported) for 160 MHz transmit MCS map, firmware crashes due to 0xffff is assigned to he_mcs->rx_mcs_set field.

Ext Tag: HE Capabilities
    [...]
    Supported HE-MCS and NSS Set
	[...]
        Rx and Tx MCS Maps 160 MHz
	    [...]
            Tx HE-MCS Map 160 MHz: 0xffff

Swap the assignment to fix this issue.

As the HE rate control mask is meant to limit our own transmit MCS, it needs to go via he_mcs->rx_mcs_set field. With the aforementioned swapping done, change is needed as well to apply it to the peer's receive MCS.

Tested-on: WCN6855 hw2.1 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.41 Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1

Affected Software

VendorProductVersion RangeStatus
LinuxLinux61fe43e7216df6e9a912d831aafc7142fa20f280 < 92791290e4f6a1de25d35af792ab8918a70737f6affected
LinuxLinux61fe43e7216df6e9a912d831aafc7142fa20f280 < 4304bd7a334e981f189b9973056a58f84cc2b482affected
LinuxLinux61fe43e7216df6e9a912d831aafc7142fa20f280 < 097c870b91817779e5a312c6539099a884b1fe2baffected
LinuxLinux61fe43e7216df6e9a912d831aafc7142fa20f280 < 381096a417b7019896e93e86f4c585c592bf98e2affected
LinuxLinux61fe43e7216df6e9a912d831aafc7142fa20f280 < 6b1a0da75932353f66e710976ca85a7131f647ffaffected
LinuxLinux61fe43e7216df6e9a912d831aafc7142fa20f280 < 4a013ca2d490c73c40588d62712ffaa432046a04affected
LinuxLinux5.16affected
LinuxLinux0 < 5.16unaffected
LinuxLinux6.1.160 <= 6.1.*unaffected
LinuxLinux6.6.120 <= 6.6.*unaffected
LinuxLinux6.12.63 <= 6.12.*unaffected
LinuxLinux6.17.13 <= 6.17.*unaffected
LinuxLinux6.18.2 <= 6.18.*unaffected
LinuxLinux6.19 <= *unaffected

Weaknesses

References