Skip to content

CVE-2025-38159: wifi: rtw88: fix the 'para' buffer size to avoid reading out of bounds

CKI Backport Botrequested to merge
redhat/red-hat-ci-tools/kernel/bot-branches/centos-stream/src/kernel/centos-stream-9:backport-RHEL-103158-centos-stream-9-main into main

JIRA: https://issues.redhat.com/browse/RHEL-103158
CVE: CVE-2025-38159

commit 4c2c372de2e108319236203cce6de44d70ae15cd
Author: Alexey Kodanev <aleksei.kodanev@bell-sw.com>
Date:   Tue May 13 12:13:04 2025 +0000

    wifi: rtw88: fix the 'para' buffer size to avoid reading out of bounds
    
    Set the size to 6 instead of 2, since 'para' array is passed to
    'rtw_fw_bt_wifi_control(rtwdev, para[0], &para[1])', which reads
    5 bytes:
    
    void rtw_fw_bt_wifi_control(struct rtw_dev *rtwdev, u8 op_code, u8 *data)
    {
        ...
        SET_BT_WIFI_CONTROL_DATA1(h2c_pkt, *data);
        SET_BT_WIFI_CONTROL_DATA2(h2c_pkt, *(data + 1));
        ...
        SET_BT_WIFI_CONTROL_DATA5(h2c_pkt, *(data + 4));
    
    Detected using the static analysis tool - Svace.
    Fixes: 4136214f7c46 ("rtw88: add BT co-existence support")
    Signed-off-by: Alexey Kodanev <aleksei.kodanev@bell-sw.com>
    Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
    Link: https://patch.msgid.link/20250513121304.124141-1-aleksei.kodanev@bell-sw.com

Signed-off-by: CKI Backport Bot cki-ci-bot+cki-gitlab-backport-bot@redhat.com

Created 2025-07-12 14:52 UTC by backporter - KWF FAQ - Slack #team-kernel-workflow - Source - Documentation - Report an issue

Merge request reports