Updated: 2024-12-12 23:48:14.655781
Description:
In the Linux kernel, the following vulnerability has been resolved:

wifi: ath9k: Fix potential array-index-out-of-bounds read in ath9k_htc_txstatus()

Fix an array-index-out-of-bounds read in ath9k_htc_txstatus(). The bug occurs when txs->cnt, data from a URB provided by a USB device, is bigger than the size of the array txs->txstatus, which is HTC_MAX_TX_STATUS. WARN_ON() already checks it, but there is no bug handling code after the check. Make the function return if that is the case.

Found by a modified version of syzkaller.

    UBSAN: array-index-out-of-bounds in htc_drv_txrx.c
    index 13 is out of range for type '__wmi_event_txstatus [12]'
    Call Trace:
     ath9k_htc_txstatus
     ath9k_wmi_event_tasklet
     tasklet_action_common
     __do_softirq
     irq_exit_rxu
     sysvec_apic_timer_interrupt
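The pattern behind the fix, as an added user-space example (not the kernel's code): a device-supplied count is rejected before it is used as a loop bound over a fixed-size array. The struct layout, the `TXS_ACK` bit, the length check and the names `process_txstatus` and `demo` are assumptions made for this model; only `HTC_MAX_TX_STATUS` and the array size of 12 come from the description.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HTC_MAX_TX_STATUS 12 /* array size, per the UBSAN report quoted above */
#define TXS_ACK 0x01         /* assumed flag bit for this model */
/* Simplified stand-ins for the driver's event layout (assumed field names). */
struct tx_status { uint8_t cookie; uint8_t ts_flags; };
struct txstatus_event {
    uint8_t cnt; /* set by the USB device, so untrusted */
    struct tx_status txstatus[HTC_MAX_TX_STATUS];
};

/* Returns the number of ACKed entries, or -1 if the event is rejected. */
int process_txstatus(const uint8_t *buf, size_t len)
{
    struct txstatus_event ev;
    int acked = 0;
    if (len < sizeof(ev)) /* extra check in this model: truncated transfer */
        return -1;
    memcpy(&ev, buf, sizeof(ev));

    /* A warning alone would fall through to the loop below and index past
     * txstatus[]; bail out before the count is used. */
    if (ev.cnt > HTC_MAX_TX_STATUS)
        return -1;

    for (int i = 0; i < ev.cnt; i++)
        if (ev.txstatus[i].ts_flags & TXS_ACK)
            acked++;
    return acked;
}

/* Constructed sample event: claims `cnt` entries, odd slots marked ACKed. */
int demo(uint8_t cnt)
{
    uint8_t buf[sizeof(struct txstatus_event)] = {0};
    buf[0] = cnt;
    for (int i = 1; i < HTC_MAX_TX_STATUS; i += 2)
        buf[1 + 2 * i + 1] = TXS_ACK; /* ts_flags of txstatus[i] */
    return process_txstatus(buf, sizeof(buf));
}

int main(void)
{
    printf("cnt=2 -> %d, cnt=13 -> %d\n", demo(2), demo(13));
    return 0;
}
```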
Links | NIST | CIRCL | RHEL | Ubuntu |
CVSS version | Severity | Score |
---|---|---|
CVSS Version 2.x | 0 | |
CVSS Version 3.x | HIGH | 7.8 |
OS name | Project name | Version | Score | Severity | Status | Errata | Last updated | Statement |
---|---|---|---|---|---|---|---|---|
AlmaLinux 9.2 ESU | kernel | 5.14.0 | 7.8 | HIGH | Released | CLSA-2024:1722533082 | 2024-08-01 14:33:49 | |
AlmaLinux 9.2 FIPS | kernel | 5.14.0 | 7.8 | HIGH | Released | CLSA-2024:1722530110 | 2024-08-01 14:33:49 | |
CentOS 6 ELS | kernel | 2.6.32 | 7.8 | HIGH | Ignored | | 2024-06-24 10:10:34 | |
CentOS 7 ELS | kernel | 3.10.0 | 7.8 | HIGH | Ignored | | 2024-06-24 11:20:34 | |
CentOS 8.4 ELS | kernel | 4.18.0 | 7.8 | HIGH | Ignored | | 2024-06-24 11:20:50 | |
CentOS 8.5 ELS | kernel | 4.18.0 | 7.8 | HIGH | Ignored | | 2024-06-24 11:20:50 | |
CentOS Stream 8 ELS | kernel | 4.18.0 | 7.8 | HIGH | Already Fixed | | 2024-06-09 14:19:19 | |
CloudLinux 6 ELS | kernel | 2.6.32 | 7.8 | HIGH | Ignored | | 2024-06-24 10:10:34 | |
Oracle Linux 6 ELS | kernel | 2.6.32 | 7.8 | HIGH | Ignored | | 2024-06-24 10:10:34 | |
Ubuntu 16.04 ELS | linux | 4.4.0 | 7.8 | HIGH | Released | CLSA-2024:1716269479 | 2024-05-21 05:35:28 | |