Centos-kernel-stream-9

History

Augusto Caringi 6612ae503f Merge: CVE-2025-38159: wifi: rtw88: fix the 'para' buffer size to avoid reading out of bounds MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9/-/merge_requests/7122 JIRA: https://issues.redhat.com/browse/RHEL-103158 CVE: CVE-2025-38159 ``` commit 4c2c372de2e108319236203cce6de44d70ae15cd Author: Alexey Kodanev <aleksei.kodanev@bell-sw.com> Date: Tue May 13 12:13:04 2025 +0000 wifi: rtw88: fix the 'para' buffer size to avoid reading out of bounds Set the size to 6 instead of 2, since 'para' array is passed to 'rtw_fw_bt_wifi_control(rtwdev, para[0], &para[1])', which reads 5 bytes: void rtw_fw_bt_wifi_control(struct rtw_dev rtwdev, u8 op_code, u8 data) { ... SET_BT_WIFI_CONTROL_DATA1(h2c_pkt, data); SET_BT_WIFI_CONTROL_DATA2(h2c_pkt, (data + 1)); ... SET_BT_WIFI_CONTROL_DATA5(h2c_pkt, *(data + 4)); Detected using the static analysis tool - Svace. Fixes: `4136214f7c` ("rtw88: add BT co-existence support") Signed-off-by: Alexey Kodanev <aleksei.kodanev@bell-sw.com> Signed-off-by: Ping-Ke Shih <pkshih@realtek.com> Link: https://patch.msgid.link/20250513121304.124141-1-aleksei.kodanev@bell-sw.com ``` Signed-off-by: CKI Backport Bot <cki-ci-bot+cki-gitlab-backport-bot@redhat.com> --- <small>Created 2025-07-12 14:52 UTC by backporter - [KWF FAQ](https://red.ht/kernel_workflow_doc) - [Slack #team-kernel-workflow](https://redhat-internal.slack.com/archives/C04LRUPMJQ5) - [Source](https://gitlab.com/cki-project/kernel-workflow/-/blob/main/webhook/utils/backporter.py) - [Documentation](https://gitlab.com/cki-project/kernel-workflow/-/blob/main/docs/README.backporter.md) - [Report an issue](https://issues.redhat.com/secure/CreateIssueDetails!init.jspa?pid=12334433&issuetype=1&priority=4&summary=backporter+webhook+issue&components=kernel-workflow+/+backporter)</small> Approved-by: Michal Schmidt <mschmidt@redhat.com> Approved-by: José Ignacio Tornos Martínez <jtornosm@redhat.com> Approved-by: CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> Merged-by: Augusto Caringi <acaringi@redhat.com>		2025-08-06 18:26:12 -03:00
..
Kconfig	wifi: rtw88: Enable the new RTL8814AE/RTL8814AU drivers	2025-06-17 18:00:58 +02:00
Makefile	wifi: rtw88: Enable the new RTL8814AE/RTL8814AU drivers	2025-06-17 18:00:58 +02:00
bf.c	…
bf.h	…
coex.c	wifi: rtw88: fix the 'para' buffer size to avoid reading out of bounds	2025-07-12 14:52:55 +00:00
coex.h	wifi: rtw88: 8821a: Regularly ask for BT info updates	2025-04-16 17:18:14 +02:00
debug.c	wifi: rtw88: Extend rtw_debugfs_get_tx_pwr_tbl() for RTL8814AU	2025-06-17 18:00:45 +02:00
debug.h	…
efuse.c	…
efuse.h	…
fw.c	wifi: rtw88: Extend rtw_fw_send_ra_info() for RTL8814AU	2025-06-17 18:00:34 +02:00
fw.h	wifi: rtw88: Extend rtw_fw_send_ra_info() for RTL8814AU	2025-06-17 18:00:34 +02:00
hci.h	…
led.c	wifi: rtw88: Add support for LED blinking	2025-04-16 17:18:43 +02:00
led.h	wifi: rtw88: add RTW88_LEDS depends on LEDS_CLASS to Kconfig	2025-04-16 17:19:07 +02:00
mac.c	wifi: rtw88: Fix rtw_mac_power_switch() for RTL8814AU	2025-06-17 18:00:45 +02:00
mac.h	wifi: rtw88: Let each driver control the power on/off process	2025-04-16 17:18:13 +02:00
mac80211.c	wifi: mac80211: call rate_control_rate_update() for link STA	2025-04-16 17:18:05 +02:00
main.c	wifi: rtw88: Fix rtw_init_vht_cap() for RTL8814AU	2025-06-17 18:00:45 +02:00
main.h	wifi: rtw88: Add __nonstring annotations for unterminated strings	2025-06-17 18:00:58 +02:00
pci.c	wifi: rtw88: Constify some more structs and arrays	2025-06-17 18:00:34 +02:00
pci.h	…
phy.c	wifi: rtw88: Extend rtw_phy_config_swing_table() for RTL8814AU	2025-06-17 18:00:45 +02:00
phy.h	wifi: rtw88: Extend TX power stuff for 3-4 spatial streams	2025-06-17 18:00:34 +02:00
ps.c	…
ps.h	…
reg.h	wifi: rtw88: Add some definitions for RTL8814AU	2025-06-17 18:00:57 +02:00
regd.c	…
regd.h	…
rtw88xxa.c	wifi: rtw88: Extend TX power stuff for 3-4 spatial streams	2025-06-17 18:00:34 +02:00
rtw88xxa.h	wifi: rtw88: Add rtw88xxa.{c,h}	2025-04-16 17:18:16 +02:00
rtw8703b.c	wifi: rtw88: 8703b: Fix RX/TX issues	2025-04-16 17:18:43 +02:00
rtw8703b.h	…
rtw8703b_tables.c	…
rtw8703b_tables.h	…
rtw8723cs.c	…
rtw8723d.c	wifi: rtw88: Fix a typo of debug message in rtw8723d_iqk_check_tx_failed()	2025-06-17 18:00:33 +02:00
rtw8723d.h	…
rtw8723d_table.c	…
rtw8723d_table.h	…
rtw8723de.c	…
rtw8723ds.c	…
rtw8723du.c	…
rtw8723x.c	wifi: rtw88: Move pwr_track_tbl to struct rtw_rfe_def	2025-04-16 17:18:14 +02:00
rtw8723x.h	wifi: rtw88: add __packed attribute to efuse layout struct	2025-04-16 17:18:38 +02:00
rtw8812a.c	wifi: rtw88: Add support for LED blinking	2025-04-16 17:18:43 +02:00
rtw8812a.h	wifi: rtw88: Add rtw8812a.{c,h}	2025-04-16 17:18:16 +02:00
rtw8812a_table.c	wifi: rtw88: Add rtw8812a_table.{c,h}	2025-04-16 17:18:16 +02:00
rtw8812a_table.h	wifi: rtw88: Add rtw8812a_table.{c,h}	2025-04-16 17:18:16 +02:00
rtw8812au.c	wifi: rtw88: 8812au: Add more device IDs	2025-04-16 17:18:21 +02:00
rtw8814a.c	wifi: rtw88: Add rtw8814a.{c,h}	2025-06-17 18:00:57 +02:00
rtw8814a.h	wifi: rtw88: Add rtw8814a.{c,h}	2025-06-17 18:00:57 +02:00
rtw8814a_table.c	wifi: rtw88: Add rtw8814a_table.c (part 2/2)	2025-06-17 18:00:57 +02:00
rtw8814a_table.h	wifi: rtw88: Add rtw8814a_table.c (part 2/2)	2025-06-17 18:00:57 +02:00
rtw8814ae.c	wifi: rtw88: Add rtw8814ae.c	2025-06-17 18:00:58 +02:00
rtw8814au.c	wifi: rtw88: Add rtw8814au.c	2025-06-17 18:00:58 +02:00
rtw8821a.c	wifi: rtw88: Add support for LED blinking	2025-04-16 17:18:43 +02:00
rtw8821a.h	wifi: rtw88: Add rtw8821a.{c,h}	2025-04-16 17:18:16 +02:00
rtw8821a_table.c	wifi: rtw88: Add rtw8821a_table.{c,h}	2025-04-16 17:18:16 +02:00
rtw8821a_table.h	wifi: rtw88: Add rtw8821a_table.{c,h}	2025-04-16 17:18:16 +02:00
rtw8821au.c	wifi: rtw88: 8821au: Add additional devices to the USB_DEVICE list	2025-04-16 17:18:21 +02:00
rtw8821c.c	wifi: rtw88: Extend TX power stuff for 3-4 spatial streams	2025-06-17 18:00:34 +02:00
rtw8821c.h	wifi: rtw88: add __packed attribute to efuse layout struct	2025-04-16 17:18:38 +02:00
rtw8821c_table.c	…
rtw8821c_table.h	…
rtw8821ce.c	…
rtw8821cs.c	…
rtw8821cu.c	…
rtw8822b.c	wifi: rtw88: Extend TX power stuff for 3-4 spatial streams	2025-06-17 18:00:34 +02:00
rtw8822b.h	wifi: rtw88: add __packed attribute to efuse layout struct	2025-04-16 17:18:38 +02:00
rtw8822b_table.c	…
rtw8822b_table.h	…
rtw8822be.c	…
rtw8822bs.c	…
rtw8822bu.c	wifi: rtw88: Add support for Mercusys MA30N and D-Link DWA-T185 rev. A1	2025-06-17 18:00:43 +02:00
rtw8822c.c	wifi: rtw88: Extend TX power stuff for 3-4 spatial streams	2025-06-17 18:00:34 +02:00
rtw8822c.h	wifi: rtw88: add __packed attribute to efuse layout struct	2025-04-16 17:18:38 +02:00
rtw8822c_table.c	…
rtw8822c_table.h	…
rtw8822ce.c	…
rtw8822cs.c	…
rtw8822cu.c	…
rx.c	wifi: rtw88: Fix rtw_rx_phy_stat() for RTL8814AU	2025-06-17 18:00:45 +02:00
rx.h	wifi: rtw88: Parse the RX descriptor with a single function	2025-04-16 17:17:53 +02:00
sar.c	wifi: rtw88: Rename RTW_RATE_SECTION_MAX to RTW_RATE_SECTION_NUM	2025-06-17 18:00:34 +02:00
sar.h	…
sdio.c	wifi: rtw88: Constify some more structs and arrays	2025-06-17 18:00:34 +02:00
sdio.h	…
sec.c	…
sec.h	…
tx.c	wifi: rtw88: Enable data rate fallback for older chips	2025-04-16 17:18:13 +02:00
tx.h	wifi: rtw88: Enable data rate fallback for older chips	2025-04-16 17:18:13 +02:00
usb.c	wifi: rtw88: Constify some more structs and arrays	2025-06-17 18:00:34 +02:00
usb.h	wifi: rtw88: usb: Preallocate and reuse the RX skbs	2025-04-16 17:18:39 +02:00
util.c	wifi: rtw88: Fix rtw_desc_to_mcsrate() to handle MCS16-31	2025-06-17 18:00:45 +02:00
util.h	…
wow.c	…
wow.h	…