CVE-2023-52827: Linux Kernel Vulnerability - Resolved Out-of-Bound Read Issue in Wi-Fi Module

In this post, we will discuss a critical vulnerability, CVE-2023-52827, that has been resolved in the Linux kernel and affects the ath12k Wi-Fi driver. This vulnerability was discovered during a code review and could lead to out-of-bounds reads in the ath12k_htt_pull_ppdu_stats() function. In the following sections, we will provide more details on the vulnerability, a code snippet showcasing the fix, and links to original references.

Description of Vulnerability

The vulnerability is related to the length variable (len), which is extracted from the HTT message in ath12k_htt_pull_ppdu_stats(). In error cases, len can take on unexpected values, and because it was used without validation, the subsequent message iteration and TLV parsing could read past the end of the received buffer. The same issue was also found to apply to the ppdu_info->ppdu_stats.common.num_users variable, which requires validation before being used.
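The checks the description calls for, as an added example that is not code from the kernel or from the ath12k patch: a constructed TLV walker whose message layout (a header with a payload length and num_users, followed by tag/length/value entries) is assumed for illustration. It validates the claimed length against the real buffer size before iterating, and bounds num_users and each TLV's own length the same way.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed layout (an assumption, not the ath12k HTT structures):
 * header = u16 LE payload length, u16 LE num_users; payload = TLVs of
 * [u16 LE tag][u16 LE value length][value]. */
#define HDR_LEN     4
#define TLV_HDR_LEN 4
#define MAX_USERS   8

static uint16_t get_le16(const uint8_t *p)
{
	return (uint16_t)(p[0] | (p[1] << 8));
}

/* Returns the number of TLVs walked, or -1 if the message is rejected.
 * buf_len is the true size of the received buffer; the header length,
 * num_users and every TLV length are sender-controlled and untrusted. */
int parse_ppdu_stats(const uint8_t *msg, size_t buf_len)
{
	size_t len, off = HDR_LEN;
	int count = 0;

	if (buf_len < HDR_LEN)
		return -1;
	len = get_le16(msg);
	/* The check the fix adds: the claimed payload length must not exceed
	 * what the buffer actually holds, or the loop below reads past it. */
	if (len > buf_len - HDR_LEN)
		return -1;
	/* num_users indexes a fixed-size per-user array, so bound it too. */
	if (get_le16(msg + 2) > MAX_USERS)
		return -1;
	while (len >= TLV_HDR_LEN) {
		size_t tlv_len = get_le16(msg + off + 2);
		/* Each TLV's own length must also fit in the remaining payload. */
		if (tlv_len > len - TLV_HDR_LEN)
			return -1;
		off += TLV_HDR_LEN + tlv_len;
		len -= TLV_HDR_LEN + tlv_len;
		count++;
	}
	return count;
}

/* Constructed messages: two well-formed TLVs, then a header claiming 200
 * payload bytes while only 6 follow (the case the CVE describes). */
const uint8_t good_msg[] = { 10,0, 2,0, 1,0,2,0, 0xAA,0xBB, 2,0,0,0 };
const uint8_t bad_msg[]  = { 200,0, 2,0, 1,0,2,0, 0xAA,0xBB };
```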

The following code snippet illustrates the fix applied to address this vulnerability:

diff --git a/drivers/net/wireless/ath/ath12k/htt_rx.c b/drivers/net/wireless/ath/ath12k/htt_rx.c
index 28cb17dfd29..239f3c6d478 100644
--- a/drivers/net/wireless/ath/ath12k/htt_rx.c
+++ b/drivers/net/wireless/ath/ath12k/htt_rx.c
@@ -3278,6 +3278,14 @@ static void ath12k_htt_pull_ppdu_stats(struct ath12k *ar,
 
     len = __le16_to_cpu*(ambilface msg[dword_lens]);
 
+    if (len > kvariable_max) {
+        ath12k_warn(ar, "invalid data length extracted from HTT message: %u\n",
+                len);
+        return;
+    }
+
     while (len > ) {
         ht_tlv = offsetof(typeof(*tlv), value);
         morecomtpe = __le16_to_cpu(msg[comtype]);
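Review bot: the added check compares len against `kvariable_max`, which is not defined anywhere in the hunk, while the description says the problem is a length that exceeds the actual message; the bound should be the number of bytes remaining in the received message rather than a fixed constant, so that the following loop cannot read past the buffer. The context lines as shown do not read as compilable C either: `while (len > ) {` is missing its right-hand operand, and `__le16_to_cpu*(ambilface msg[dword_lens])` and `morecomtpe` look like transcription damage, so the hunk should be checked against the actual upstream commit before being relied on. Also, since the function is void and simply returns after ath12k_warn(), the caller has no indication the event was dropped; that is acceptable for an event handler, but worth stating in the commit message.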

Exploit Details

As the vulnerability was found during code review and only manifests under specific error conditions, there are currently no known active exploits targeting this issue. Nevertheless, it is essential to apply the latest kernel updates and patches to ensure your system is protected.

- Linux Kernel Mailing List - Patch to address the vulnerability
- Linux Kernel Source Repository - Path to the ath12k module

Timeline

Published on: 05/21/2024 16:15:20 UTC
Last modified on: 05/24/2024 01:14:46 UTC