CVE Published: 02/03/2024
CVE Updated: 04/11/2024
CVE Year: 2023
Source: Linux
Vendor: Linux
Product: Linux
Status: PUBLISHED
CVE-2023-52531 Description
In the Linux kernel, the following vulnerability has been resolved:
wifi: iwlwifi: mvm: Fix a memory corruption issue
A few lines above, space is kzalloc()'ed for:
sizeof(struct iwl_nvm_data) +
sizeof(struct ieee80211_channel) +
sizeof(struct ieee80211_rate)
'mvm->nvm_data' is a 'struct iwl_nvm_data', so it is fine.
At the end of this structure, there is the 'channels' flex array.
Each element is of type 'struct ieee80211_channel'.
So only 1 element is allocated in this array.
When doing:
mvm->nvm_data->bands[0].channels = mvm->nvm_data->channels;
We point at the first element of the 'channels' flex array.
So this is fine.
However, when doing:
mvm->nvm_data->bands[0].bitrates =
(void *)((u8 *)mvm->nvm_data->channels + 1);
because of the "(u8 *)" cast, we add only 1 to the address of the beginning
of the flex array.
It is likely that we want to point at the 'struct ieee80211_rate' allocated
just after.
Remove the spurious casting so that the pointer arithmetic works as
expected.
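The bug in this commit message is purely a pointer-arithmetic one: "+ 1" on a `u8 *` moves one byte, while "+ 1" on a `struct ieee80211_channel *` moves one whole element. The following is an added example, not code from the kernel or from this CVE record; it uses small constructed stand-ins (`struct channel`, `struct rate`, `struct nvm_data`) whose field layouts are hypothetical and deliberately not the real iwlwifi/mac80211 definitions. It reproduces the kzalloc()-sized allocation from the description, computes where the buggy and the fixed `bitrates` pointers land relative to the flex array, and checks whether the buggy pointer overlaps the single channel element instead of reaching the rate placed after it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Constructed stand-ins for the kernel structures (hypothetical layouts;
 * NOT the real struct ieee80211_channel / ieee80211_rate / iwl_nvm_data). */
struct channel { uint32_t center_freq; uint32_t flags; uint16_t hw_value; uint16_t max_power; };
struct rate    { uint32_t flags; uint16_t bitrate; uint16_t hw_value; };

struct band {
    struct channel *channels;
    struct rate *bitrates;
    int n_channels, n_bitrates;
};

struct nvm_data {
    uint32_t nvm_version;
    struct band bands[1];
    struct channel channels[];   /* flexible array member, as in the description */
};

/* Mirrors the kzalloc() in the description: header + one channel + one rate. */
static struct nvm_data *alloc_nvm_data(void)
{
    size_t sz = sizeof(struct nvm_data) + sizeof(struct channel) + sizeof(struct rate);
    struct nvm_data *d = calloc(1, sz);
    if (d)
        d->bands[0].channels = d->channels;   /* fine: first element of the flex array */
    return d;
}

/* Byte offset of the buggy bitrates pointer from the start of the flex array.
 * The (uint8_t *) cast turns "+ 1" into a one-byte step. */
static ptrdiff_t buggy_bitrates_offset(void)
{
    struct nvm_data *d = alloc_nvm_data();
    if (!d) return -1;
    d->bands[0].bitrates = (void *)((uint8_t *)d->channels + 1);
    ptrdiff_t off = (uint8_t *)d->bands[0].bitrates - (uint8_t *)d->channels;
    free(d);
    return off;
}

/* Same computation without the cast: "+ 1" now steps one struct channel. */
static ptrdiff_t fixed_bitrates_offset(void)
{
    struct nvm_data *d = alloc_nvm_data();
    if (!d) return -1;
    d->bands[0].bitrates = (void *)(d->channels + 1);
    ptrdiff_t off = (uint8_t *)d->bands[0].bitrates - (uint8_t *)d->channels;
    free(d);
    return off;
}

/* 1 if the buggy pointer starts inside the channel element rather than at the
 * rate allocated after it (the pointer is compared, never dereferenced). */
static int buggy_pointer_overlaps_channel(void)
{
    struct nvm_data *d = alloc_nvm_data();
    if (!d) return -1;
    uint8_t *buggy = (uint8_t *)d->channels + 1;
    uint8_t *chan_end = (uint8_t *)(d->channels + 1);   /* first byte past channel 0 */
    int overlaps = buggy < chan_end;
    free(d);
    return overlaps;
}

int main(void)
{
    printf("sizeof(struct channel) = %zu\n", sizeof(struct channel));
    printf("buggy bitrates offset  = %td byte(s)\n", buggy_bitrates_offset());
    printf("fixed bitrates offset  = %td byte(s)\n", fixed_bitrates_offset());
    printf("buggy pointer overlaps channel: %d\n", buggy_pointer_overlaps_channel());
    return 0;
}
```

The check worth keeping from this is the last function: whenever a pointer into a flex array is derived with a byte cast, compare it against `(base + n)` computed on the element type; any mismatch means the arithmetic is counting bytes where elements were intended.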