| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025122404-CVE-2025-68380-3436@gregkh> Date: Wed, 24 Dec 2025 11:35:25 +0100 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2025-68380: wifi: ath11k: fix peer HE MCS assignment From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: fix peer HE MCS assignment In ath11k_wmi_send_peer_assoc_cmd(), peer's transmit MCS is sent to firmware as receive MCS while peer's receive MCS sent as transmit MCS, which goes against firmwire's definition. While connecting to a misbehaved AP that advertises 0xffff (meaning not supported) for 160 MHz transmit MCS map, firmware crashes due to 0xffff is assigned to he_mcs->rx_mcs_set field. Ext Tag: HE Capabilities [...] Supported HE-MCS and NSS Set [...] Rx and Tx MCS Maps 160 MHz [...] Tx HE-MCS Map 160 MHz: 0xffff Swap the assignment to fix this issue. As the HE rate control mask is meant to limit our own transmit MCS, it needs to go via he_mcs->rx_mcs_set field. With the aforementioned swapping done, change is needed as well to apply it to the peer's receive MCS. Tested-on: WCN6855 hw2.1 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.41 Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1 The Linux kernel CVE team has assigned CVE-2025-68380 to this issue. Affected and fixed versions =========================== Issue introduced in 5.16 with commit 61fe43e7216df6e9a912d831aafc7142fa20f280 and fixed in 6.12.63 with commit 097c870b91817779e5a312c6539099a884b1fe2b Issue introduced in 5.16 with commit 61fe43e7216df6e9a912d831aafc7142fa20f280 and fixed in 6.17.13 with commit 381096a417b7019896e93e86f4c585c592bf98e2 Issue introduced in 5.16 with commit 61fe43e7216df6e9a912d831aafc7142fa20f280 and fixed in 6.18.2 with commit 6b1a0da75932353f66e710976ca85a7131f647ff Issue introduced in 5.16 with commit 61fe43e7216df6e9a912d831aafc7142fa20f280 and fixed in 6.19-rc1 with commit 4a013ca2d490c73c40588d62712ffaa432046a04 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2025-68380 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: drivers/net/wireless/ath/ath11k/mac.c drivers/net/wireless/ath/ath11k/wmi.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/097c870b91817779e5a312c6539099a884b1fe2b https://git.kernel.org/stable/c/381096a417b7019896e93e86f4c585c592bf98e2 https://git.kernel.org/stable/c/6b1a0da75932353f66e710976ca85a7131f647ff https://git.kernel.org/stable/c/4a013ca2d490c73c40588d62712ffaa432046a04
Powered by blists - more mailing lists