| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025122438-CVE-2023-54036-ae42@gregkh>
Date: Wed, 24 Dec 2025 11:57:20 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2023-54036: wifi: rtl8xxxu: Fix memory leaks with RTL8723BU, RTL8192EU
From: Greg Kroah-Hartman <gregkh@...nel.org>
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
wifi: rtl8xxxu: Fix memory leaks with RTL8723BU, RTL8192EU
The wifi + bluetooth combo chip RTL8723BU can leak memory (especially?)
when it's connected to a bluetooth audio device. The busy bluetooth
traffic generates lots of C2H (card to host) messages, which are not
freed correctly.
To fix this, move the dev_kfree_skb() call in rtl8xxxu_c2hcmd_callback()
inside the loop where skb_dequeue() is called.
The RTL8192EU leaks memory because the C2H messages are added to the
queue and left there forever. (This was fine in the past because it
probably wasn't sending any C2H messages until commit e542e66b7c2e
("wifi: rtl8xxxu: gen2: Turn on the rate control"). Since that commit
it sends a C2H message when the TX rate changes.)
To fix this, delete the check for rf_paths > 1 and the goto. Let the
function process the C2H messages from RTL8192EU like the ones from
the other chips.
Theoretically the RTL8188FU could also leak like RTL8723BU, but it
most likely doesn't send C2H messages frequently enough.
This change was tested with RTL8723BU by Erhard F. I tested it with
RTL8188FU and RTL8192EU.
The Linux kernel CVE team has assigned CVE-2023-54036 to this issue.
Affected and fixed versions
===========================
Issue introduced in 5.5 with commit e542e66b7c2ee2adeefdbb7f259f2f60cadf2819 and fixed in 5.10.173 with commit 430f9f9bec53a75f9ccc53e156a66f13fc098b83
Issue introduced in 5.5 with commit e542e66b7c2ee2adeefdbb7f259f2f60cadf2819 and fixed in 5.15.99 with commit 35fb0e275af1aa1ca0a9784417e90f988aaf8e78
Issue introduced in 5.5 with commit e542e66b7c2ee2adeefdbb7f259f2f60cadf2819 and fixed in 6.1.16 with commit 93c3f34ec02fc81188d328287d4fddd498ccddea
Issue introduced in 5.5 with commit e542e66b7c2ee2adeefdbb7f259f2f60cadf2819 and fixed in 6.2.3 with commit f39a86b4efd270947ee252cc32a30b0aef492d65
Issue introduced in 5.5 with commit e542e66b7c2ee2adeefdbb7f259f2f60cadf2819 and fixed in 6.3 with commit b39f662ce1648db0b9de32e6a849b098480793cb
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2023-54036
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/430f9f9bec53a75f9ccc53e156a66f13fc098b83
https://git.kernel.org/stable/c/35fb0e275af1aa1ca0a9784417e90f988aaf8e78
https://git.kernel.org/stable/c/93c3f34ec02fc81188d328287d4fddd498ccddea
https://git.kernel.org/stable/c/f39a86b4efd270947ee252cc32a30b0aef492d65
https://git.kernel.org/stable/c/b39f662ce1648db0b9de32e6a849b098480793cb
Powered by blists - more mailing lists