Home

Description

In the Linux kernel, the following vulnerability has been resolved: wifi: rtlwifi: Fix global-out-of-bounds bug in _rtl8812ae_phy_set_txpower_limit() There is a global-out-of-bounds reported by KASAN: BUG: KASAN: global-out-of-bounds in _rtl8812ae_eq_n_byte.part.0+0x3d/0x84 [rtl8821ae] Read of size 1 at addr ffffffffa0773c43 by task NetworkManager/411 CPU: 6 PID: 411 Comm: NetworkManager Tainted: G D 6.1.0-rc8+ #144 e15588508517267d37 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), Call Trace: <TASK> ... kasan_report+0xbb/0x1c0 _rtl8812ae_eq_n_byte.part.0+0x3d/0x84 [rtl8821ae] rtl8821ae_phy_bb_config.cold+0x346/0x641 [rtl8821ae] rtl8821ae_hw_init+0x1f5e/0x79b0 [rtl8821ae] ... </TASK> The root cause of the problem is that the comparison order of "prate_section" in _rtl8812ae_phy_set_txpower_limit() is wrong. The _rtl8812ae_eq_n_byte() is used to compare the first n bytes of the two strings from tail to head, which causes the problem. In the _rtl8812ae_phy_set_txpower_limit(), it was originally intended to meet this requirement by carefully designing the comparison order. For example, "pregulation" and "pbandwidth" are compared in order of length from small to large, first is 3 and last is 4. However, the comparison order of "prate_section" dose not obey such order requirement, therefore when "prate_section" is "HT", when comparing from tail to head, it will lead to access out of bounds in _rtl8812ae_eq_n_byte(). As mentioned above, the _rtl8812ae_eq_n_byte() has the same function as strcmp(), so just strcmp() is enough. Fix it by removing _rtl8812ae_eq_n_byte() and use strcmp() barely. Although it can be fixed by adjusting the comparison order of "prate_section", this may cause the value of "rate_section" to not be from 0 to 5. In addition, commit "21e4b0726dc6" not only moved driver from staging to regular tree, but also added setting txpower limit function during the driver config phase, so the problem was introduced by this commit.

PUBLISHED Reserved 2025-09-15 | Published 2025-09-15 | Updated 2025-09-15 | Assigner Linux

Product status

Default status
unaffected

21e4b0726dc671c423e2dc9a85364716219c4502 (git) before fc3442247716fc426bbcf62ed65e086e48a6d44f
affected

21e4b0726dc671c423e2dc9a85364716219c4502 (git) before 28ea268d95e57cdf6394a058f0d854206d478772
affected

21e4b0726dc671c423e2dc9a85364716219c4502 (git) before 1e950b9a841bc96e98ee25680d5c7aa305120be1
affected

21e4b0726dc671c423e2dc9a85364716219c4502 (git) before 0c962dcd6bf64b78eaffc09e497a2beb4e48bc32
affected

21e4b0726dc671c423e2dc9a85364716219c4502 (git) before f1fe40120de6ad4ffa8299fde035a5feba10d4fb
affected

21e4b0726dc671c423e2dc9a85364716219c4502 (git) before 057b52461dc005ecd85a3e4998913b1492ec0f72
affected

21e4b0726dc671c423e2dc9a85364716219c4502 (git) before 117dbeda22ec5ea0918254d03b540ef8b8a64d53
affected

Default status
affected

3.18
affected

Any version before 3.18
unaffected

4.19.276 (semver)
unaffected

5.4.235 (semver)
unaffected

5.10.173 (semver)
unaffected

5.15.99 (semver)
unaffected

6.1.16 (semver)
unaffected

6.2.3 (semver)
unaffected

6.3 (original_commit_for_fix)
unaffected

References

git.kernel.org/...c/fc3442247716fc426bbcf62ed65e086e48a6d44f

git.kernel.org/...c/28ea268d95e57cdf6394a058f0d854206d478772

git.kernel.org/...c/1e950b9a841bc96e98ee25680d5c7aa305120be1

git.kernel.org/...c/0c962dcd6bf64b78eaffc09e497a2beb4e48bc32

git.kernel.org/...c/f1fe40120de6ad4ffa8299fde035a5feba10d4fb

git.kernel.org/...c/057b52461dc005ecd85a3e4998913b1492ec0f72

git.kernel.org/...c/117dbeda22ec5ea0918254d03b540ef8b8a64d53

cve.org (CVE-2022-50279)

nvd.nist.gov (CVE-2022-50279)

Download JSON