CVE-2023-52531

Severity CVSS v4.0:
Pending analysis
Type:
CWE-787 Out-of-bounds Write
Publication date:
02/03/2024
Last modified:
11/12/2024

Description

In the Linux kernel, the following vulnerability has been resolved:

wifi: iwlwifi: mvm: Fix a memory corruption issue

A few lines above, space is kzalloc()'ed for:
sizeof(struct iwl_nvm_data) +
sizeof(struct ieee80211_channel) +
sizeof(struct ieee80211_rate)

'mvm->nvm_data' is a 'struct iwl_nvm_data', so it is fine.

At the end of this structure, there is the 'channels' flex array.
Each element is of type 'struct ieee80211_channel'.
So only 1 element is allocated in this array.

When doing:
mvm->nvm_data->bands[0].channels = mvm->nvm_data->channels;
We point at the first element of the 'channels' flex array.
So this is fine.

However, when doing:
mvm->nvm_data->bands[0].bitrates =
(void *)((u8 *)mvm->nvm_data->channels + 1);
because of the "(u8 *)" cast, we add only 1 to the address of the beginning
of the flex array.

It is likely that we want to point at the 'struct ieee80211_rate' allocated
just after.

Remove the spurious casting so that the pointer arithmetic works as
expected.
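The pointer-arithmetic mistake described above can be reproduced in user space with a model of the allocation. The program below is an added illustration, not code from the kernel or the iwlwifi driver: the three structures are deliberately simplified stand-ins with constructed fields (the real struct iwl_nvm_data, struct ieee80211_channel and struct ieee80211_rate are much larger), and the function names are this example's own. It allocates exactly header + one channel + one rate, as the driver does, then computes where the bitrates pointer lands with the "(u8 *)" cast and with the cast removed, and checks whether a rate written through each pointer stays inside the channel element or inside the allocation.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Simplified stand-ins for the kernel structures (constructed for this
 * example; the real ones carry many more fields). Sizes on a typical
 * LP64 build: channel = 12 bytes, rate = 8 bytes. */
struct ieee80211_channel {
    uint32_t center_freq;
    uint32_t flags;
    int32_t  max_power;
};

struct ieee80211_rate {
    uint32_t flags;
    uint16_t bitrate;
    uint16_t hw_value;
};

struct ieee80211_supported_band {
    struct ieee80211_channel *channels;
    struct ieee80211_rate *bitrates;
    int n_channels;
    int n_bitrates;
};

struct iwl_nvm_data {
    struct ieee80211_supported_band bands[1];
    struct ieee80211_channel channels[]; /* flex array: 1 element allocated below */
};

/* Mirrors the driver's allocation: header + 1 channel + 1 rate. */
static size_t nvm_alloc_size(void)
{
    return sizeof(struct iwl_nvm_data) +
           sizeof(struct ieee80211_channel) +
           sizeof(struct ieee80211_rate);
}

static struct iwl_nvm_data *alloc_nvm_data(void)
{
    return calloc(1, nvm_alloc_size()); /* stands in for kzalloc() */
}

/* Byte offset from the start of the flex array to where the vulnerable
 * code pointed bitrates: the (u8 *) cast makes "+ 1" mean one byte. */
ptrdiff_t bitrates_offset_buggy(void)
{
    struct iwl_nvm_data *d = alloc_nvm_data();
    struct ieee80211_rate *r = (void *)((uint8_t *)d->channels + 1);
    ptrdiff_t off = (uint8_t *)r - (uint8_t *)d->channels;
    free(d);
    return off;
}

/* Same offset with the fix applied: arithmetic on the element type, so
 * "+ 1" skips one whole struct ieee80211_channel. */
ptrdiff_t bitrates_offset_fixed(void)
{
    struct iwl_nvm_data *d = alloc_nvm_data();
    struct ieee80211_rate *r = (void *)(d->channels + 1);
    ptrdiff_t off = (uint8_t *)r - (uint8_t *)d->channels;
    free(d);
    return off;
}

/* 1 if a rate stored through the buggy pointer overlaps the single
 * channel element (the memory corruption the advisory describes). */
int buggy_pointer_overlaps_channel(void)
{
    return bitrates_offset_buggy() < (ptrdiff_t)sizeof(struct ieee80211_channel);
}

/* 1 if the fixed pointer plus one rate still fits inside the allocation,
 * i.e. it lands exactly on the rate that was allocated after the channel. */
int fixed_pointer_fits_allocation(void)
{
    size_t bytes_after_channels = nvm_alloc_size() - offsetof(struct iwl_nvm_data, channels);
    return (size_t)bitrates_offset_fixed() + sizeof(struct ieee80211_rate) <= bytes_after_channels;
}

int main(void)
{
    printf("sizeof(channel)=%zu buggy offset=%td fixed offset=%td\n",
           sizeof(struct ieee80211_channel),
           bitrates_offset_buggy(), bitrates_offset_fixed());
    printf("buggy pointer overlaps the channel element: %s\n",
           buggy_pointer_overlaps_channel() ? "yes" : "no");
    printf("fixed pointer fits the allocation: %s\n",
           fixed_pointer_fits_allocation() ? "yes" : "no");
    return 0;
}
```

The buggy offset is 1 byte regardless of structure sizes, so any write through that pointer lands inside the channel element and, depending on the rate size, may also run past the allocated bytes; the fixed offset equals sizeof(struct ieee80211_channel), which is where the single rate was allocated. Compiling with -Wall does not flag the cast, which is why a review of pointer arithmetic through byte pointers is the useful check here.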

Vulnerable products and versions

CPE                                               From             Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      3.9 (including)  5.15.135 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      5.16 (including) 6.1.57 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      6.2 (including)  6.5.7 (excluding)
cpe:2.3:o:linux:linux_kernel:6.6:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.6:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.6:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.6:rc4:*:*:*:*:*:*