CVE-2023-52531

Source
https://cve.org/CVERecord?id=CVE-2023-52531
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-52531.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2023-52531
Published
2024-03-02T21:52:35.664Z
Modified
2026-05-15T11:54:06.011441738Z
Summary
wifi: iwlwifi: mvm: Fix a memory corruption issue
Details

In the Linux kernel, the following vulnerability has been resolved:

wifi: iwlwifi: mvm: Fix a memory corruption issue

A few lines above, space is kzalloc()'ed for: sizeof(struct iwl_nvm_data) + sizeof(struct ieee80211_channel) + sizeof(struct ieee80211_rate)

'mvm->nvm_data' is a 'struct iwl_nvm_data', so it is fine.

At the end of this structure, there is the 'channels' flex array. Each element is of type 'struct ieee80211_channel'. So only 1 element is allocated in this array.

When doing: mvm->nvm_data->bands[0].channels = mvm->nvm_data->channels; We point at the first element of the 'channels' flex array. So this is fine.

However, when doing: mvm->nvm_data->bands[0].bitrates = (void *)((u8 *)mvm->nvm_data->channels + 1); because of the "(u8 *)" cast, we add only 1 to the address of the beginning of the flex array.

It is likely that we want to point at the 'struct ieee80211_rate' allocated just after.

Remove the spurious casting so that the pointer arithmetic works as expected.
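
The pointer arithmetic described above, as an added example that is not part of the CVE record or the kernel source. The struct definitions are simplified stand-ins (their field lists are assumptions); only the allocation sizing and the two pointer expressions follow the description.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Simplified stand-ins for the kernel types; the field lists are assumptions. */
struct channel { uint32_t center_freq; uint16_t hw_value; uint32_t flags; };
struct rate    { uint32_t flags; uint16_t bitrate; uint16_t hw_value; };
struct nvm_data {
    int n_hw_addrs;
    struct { struct channel *channels; struct rate *bitrates; } bands[1];
    struct channel channels[];          /* flex array at the end of the struct */
};

/* Byte distance from channels[0] to where 'bitrates' ends up pointing. */
static size_t bitrates_offset(int with_u8_cast)
{
    /* Same sizing as in the description: header + 1 channel + 1 rate. */
    struct nvm_data *d = calloc(1, sizeof(struct nvm_data) +
                                   sizeof(struct channel) + sizeof(struct rate));
    void *p;
    size_t off;

    if (!d)
        return (size_t)-1;
    if (with_u8_cast)
        p = (void *)((uint8_t *)d->channels + 1);   /* before the fix: +1 byte */
    else
        p = (void *)(d->channels + 1);              /* after the fix: +1 element */
    off = (size_t)((uint8_t *)p - (uint8_t *)d->channels);
    free(d);
    return off;
}

/* Bytes of channels[0] that a struct rate stored at 'off' would overwrite. */
static size_t overlap_with_channel(size_t off)
{
    size_t chan_end = sizeof(struct channel);
    size_t rate_end = off + sizeof(struct rate);

    if (off >= chan_end)
        return 0;
    return (rate_end < chan_end ? rate_end : chan_end) - off;
}

int main(void)
{
    size_t bad = bitrates_offset(1), good = bitrates_offset(0);

    printf("with cast:    +%zu, clobbers %zu bytes of channels[0]\n", bad, overlap_with_channel(bad));
    printf("without cast: +%zu, clobbers %zu bytes of channels[0]\n", good, overlap_with_channel(good));
    return 0;
}
```

With the cast, any write through 'bitrates' lands inside the single allocated channel element and at a misaligned address; without it, the pointer lands on the space reserved for the rate.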

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/52xxx/CVE-2023-52531.json",
    "cna_assigner": "Linux"
}
Affected packages

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.9.0
Fixed
5.15.135
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.57
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.5.7

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-52531.json"