CVE-2022-50279

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: rtlwifi: Fix global-out-of-bounds bug in _rtl8812ae_phy_set_txpower_limit()<br /> <br /> There is a global-out-of-bounds reported by KASAN:<br /> <br /> BUG: KASAN: global-out-of-bounds in<br /> _rtl8812ae_eq_n_byte.part.0+0x3d/0x84 [rtl8821ae]<br /> Read of size 1 at addr ffffffffa0773c43 by task NetworkManager/411<br /> <br /> CPU: 6 PID: 411 Comm: NetworkManager Tainted: G D<br /> 6.1.0-rc8+ #144 e15588508517267d37<br /> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009),<br /> Call Trace:<br /> <br /> ...<br /> kasan_report+0xbb/0x1c0<br /> _rtl8812ae_eq_n_byte.part.0+0x3d/0x84 [rtl8821ae]<br /> rtl8821ae_phy_bb_config.cold+0x346/0x641 [rtl8821ae]<br /> rtl8821ae_hw_init+0x1f5e/0x79b0 [rtl8821ae]<br /> ...<br /> <br /> <br /> The root cause of the problem is that the comparison order of<br /> "prate_section" in _rtl8812ae_phy_set_txpower_limit() is wrong. The<br /> _rtl8812ae_eq_n_byte() is used to compare the first n bytes of the two<br /> strings from tail to head, which causes the problem. In the<br /> _rtl8812ae_phy_set_txpower_limit(), it was originally intended to meet<br /> this requirement by carefully designing the comparison order.<br /> For example, "pregulation" and "pbandwidth" are compared in order of<br /> length from small to large, first is 3 and last is 4. However, the<br /> comparison order of "prate_section" dose not obey such order requirement,<br /> therefore when "prate_section" is "HT", when comparing from tail to head,<br /> it will lead to access out of bounds in _rtl8812ae_eq_n_byte(). As<br /> mentioned above, the _rtl8812ae_eq_n_byte() has the same function as<br /> strcmp(), so just strcmp() is enough.<br /> <br /> Fix it by removing _rtl8812ae_eq_n_byte() and use strcmp() barely.<br /> Although it can be fixed by adjusting the comparison order of<br /> "prate_section", this may cause the value of "rate_section" to not be<br /> from 0 to 5. In addition, commit "21e4b0726dc6" not only moved driver<br /> from staging to regular tree, but also added setting txpower limit<br /> function during the driver config phase, so the problem was introduced<br /> by this commit.