1226776 – (CVE-2024-38572) VUL-0: CVE-2024-38572: kernel: wifi: ath12k: fix out-of-bound access of qmi_invoke_handler()

Bug 1226776 (CVE-2024-38572) - VUL-0: CVE-2024-38572: kernel: wifi: ath12k: fix out-of-bound access of qmi_invoke_handler()

Summary: VUL-0: CVE-2024-38572: kernel: wifi: ath12k: fix out-of-bound access of qmi_i...

Status:	RESOLVED FIXED

Alias:	CVE-2024-38572

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assignee:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/411343/
Whiteboard:	CVSSv3.1:SUSE:CVE-2024-38572:5.3:(AV:...
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2024-06-21 13:41 UTC by SMASH SMASH
Modified:	2024-07-08 15:13 UTC (History)
CC List:	2 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description SMASH SMASH 2024-06-21 13:41:48 UTC

In the Linux kernel, the following vulnerability has been resolved:

wifi: ath12k: fix out-of-bound access of qmi_invoke_handler()

Currently, there is no terminator entry for ath12k_qmi_msg_handlers hence
facing below KASAN warning,

 ==================================================================
 BUG: KASAN: global-out-of-bounds in qmi_invoke_handler+0xa4/0x148
 Read of size 8 at addr ffffffd00a6428d8 by task kworker/u8:2/1273

 CPU: 0 PID: 1273 Comm: kworker/u8:2 Not tainted 5.4.213 #0
 Workqueue: qmi_msg_handler qmi_data_ready_work
 Call trace:
  dump_backtrace+0x0/0x20c
  show_stack+0x14/0x1c
  dump_stack+0xe0/0x138
  print_address_description.isra.5+0x30/0x330
  __kasan_report+0x16c/0x1bc
  kasan_report+0xc/0x14
  __asan_load8+0xa8/0xb0
  qmi_invoke_handler+0xa4/0x148
  qmi_handle_message+0x18c/0x1bc
  qmi_data_ready_work+0x4ec/0x528
  process_one_work+0x2c0/0x440
  worker_thread+0x324/0x4b8
  kthread+0x210/0x228
  ret_from_fork+0x10/0x18

 The address belongs to the variable:
  ath12k_mac_mon_status_filter_default+0x4bd8/0xfffffffffffe2300 [ath12k]
 [...]
 ==================================================================

Add a dummy terminator entry at the end to assist the qmi_invoke_handler()
in traversing up to the terminator entry without accessing an
out-of-boundary index.

Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.0.1-00029-QCAHKSWPL_SILICONZ-1

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-38572
https://git.kernel.org/pub/scm/linux/security/vulns.git/plain/cve/published/2024/CVE-2024-38572.mbox
https://git.kernel.org/stable/c/95575de7dede7b1ed3b9718dab9dda97914ea775
https://git.kernel.org/stable/c/b48d40f5840c505b7af700594aa8379eec28e925
https://git.kernel.org/stable/c/a1abdb63628b04855a929850772de97435ed1555
https://git.kernel.org/stable/c/e1bdff48a1bb4a4ac660c19c55a820968c48b3f2
https://www.cve.org/CVERecord?id=CVE-2024-38572
https://bugzilla.redhat.com/show_bug.cgi?id=2293421

Comment 2 Andrea Mattiazzo 2024-06-24 07:54:24 UTC

All done, closing.