| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025022646-CVE-2021-47633-ad15@gregkh> Date: Wed, 26 Feb 2025 02:53:44 +0100 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org> Subject: CVE-2021-47633: ath5k: fix OOB in ath5k_eeprom_read_pcal_info_5111 Description =========== In the Linux kernel, the following vulnerability has been resolved: ath5k: fix OOB in ath5k_eeprom_read_pcal_info_5111 The bug was found during fuzzing. Stacktrace locates it in ath5k_eeprom_convert_pcal_info_5111. When none of the curve is selected in the loop, idx can go up to AR5K_EEPROM_N_PD_CURVES. The line makes pd out of bound. pd = &chinfo[pier].pd_curves[idx]; There are many OOB writes using pd later in the code. So I added a sanity check for idx. Checks for other loops involving AR5K_EEPROM_N_PD_CURVES are not needed as the loop index is not used outside the loops. The patch is NOT tested with real device. The following is the fuzzing report BUG: KASAN: slab-out-of-bounds in ath5k_eeprom_read_pcal_info_5111+0x126a/0x1390 [ath5k] Write of size 1 at addr ffff8880174a4d60 by task modprobe/214 CPU: 0 PID: 214 Comm: modprobe Not tainted 5.6.0 #1 Call Trace: dump_stack+0x76/0xa0 print_address_description.constprop.0+0x16/0x200 ? ath5k_eeprom_read_pcal_info_5111+0x126a/0x1390 [ath5k] ? ath5k_eeprom_read_pcal_info_5111+0x126a/0x1390 [ath5k] __kasan_report.cold+0x37/0x7c ? ath5k_eeprom_read_pcal_info_5111+0x126a/0x1390 [ath5k] kasan_report+0xe/0x20 ath5k_eeprom_read_pcal_info_5111+0x126a/0x1390 [ath5k] ? apic_timer_interrupt+0xa/0x20 ? ath5k_eeprom_init_11a_pcal_freq+0xbc0/0xbc0 [ath5k] ? ath5k_pci_eeprom_read+0x228/0x3c0 [ath5k] ath5k_eeprom_init+0x2513/0x6290 [ath5k] ? ath5k_eeprom_init_11a_pcal_freq+0xbc0/0xbc0 [ath5k] ? usleep_range+0xb8/0x100 ? apic_timer_interrupt+0xa/0x20 ? ath5k_eeprom_read_pcal_info_2413+0x2f20/0x2f20 [ath5k] ath5k_hw_init+0xb60/0x1970 [ath5k] ath5k_init_ah+0x6fe/0x2530 [ath5k] ? kasprintf+0xa6/0xe0 ? ath5k_stop+0x140/0x140 [ath5k] ? _dev_notice+0xf6/0xf6 ? apic_timer_interrupt+0xa/0x20 ath5k_pci_probe.cold+0x29a/0x3d6 [ath5k] ? ath5k_pci_eeprom_read+0x3c0/0x3c0 [ath5k] ? mutex_lock+0x89/0xd0 ? ath5k_pci_eeprom_read+0x3c0/0x3c0 [ath5k] local_pci_probe+0xd3/0x160 pci_device_probe+0x23f/0x3e0 ? pci_device_remove+0x280/0x280 ? pci_device_remove+0x280/0x280 really_probe+0x209/0x5d0 The Linux kernel CVE team has assigned CVE-2021-47633 to this issue. Affected and fixed versions =========================== Fixed in 4.9.311 with commit f4de974019a0adf34d0e7de6b86252f1bd266b06 Fixed in 4.14.276 with commit ed3dfdaa8b5f0579eabfc1c5818eed30cfe1fe84 Fixed in 4.19.238 with commit 25efc5d03455c3839249bc77fce5e29ecb54677e Fixed in 5.4.189 with commit c4e2f577271e158d87a916afb4e87415a88ce856 Fixed in 5.10.111 with commit 9d7d83d0399e23d66fd431b553842a84ac10398f Fixed in 5.15.34 with commit be2f81024e7981565d90a4c9ca3067d11b6bca7f Fixed in 5.16.20 with commit fc8f7752a82f4accb99c0f1a868906ba1eb7b86f Fixed in 5.17.3 with commit cbd96d6cad6625feba9c8d101ed4977d53e82f8e Fixed in 5.18 with commit 564d4eceb97eaf381dd6ef6470b06377bb50c95a Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2021-47633 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: drivers/net/wireless/ath/ath5k/eeprom.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/f4de974019a0adf34d0e7de6b86252f1bd266b06 https://git.kernel.org/stable/c/ed3dfdaa8b5f0579eabfc1c5818eed30cfe1fe84 https://git.kernel.org/stable/c/25efc5d03455c3839249bc77fce5e29ecb54677e https://git.kernel.org/stable/c/c4e2f577271e158d87a916afb4e87415a88ce856 https://git.kernel.org/stable/c/9d7d83d0399e23d66fd431b553842a84ac10398f https://git.kernel.org/stable/c/be2f81024e7981565d90a4c9ca3067d11b6bca7f https://git.kernel.org/stable/c/fc8f7752a82f4accb99c0f1a868906ba1eb7b86f https://git.kernel.org/stable/c/cbd96d6cad6625feba9c8d101ed4977d53e82f8e https://git.kernel.org/stable/c/564d4eceb97eaf381dd6ef6470b06377bb50c95a
Powered by blists - more mailing lists