In the Linux kernel, the following vulnerability has been resolved:
wifi: ath12k: fix array out-of-bound access in SoC stats
Currently, the ath12ksocdpstats::halreoerror array is defined with a maximum size of DPREODSTRINGMAX. However, the ath12kdprxprocess() function access ath12ksocdpstats::halreoerror using the REO destination SRNG ring ID, which is incorrect. SRNG ring ID differ from normal ring ID, and this usage leads to out-of-bounds array access. To fix this issue, modify ath12kdprxprocess() to use the normal ring ID directly instead of the SRNG ring ID to avoid out-of-bounds array access.
Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.0.1-00029-QCAHKSWPL_SILICONZ-1
[ { "signature_type": "Function", "id": "CVE-2024-49931-1c3b4418", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@ad791e3ec60cb66c1e4dc121ffbf872df312427d", "signature_version": "v1", "target": { "function": "ath12k_dp_rx_process", "file": "drivers/net/wireless/ath/ath12k/dp_rx.c" }, "digest": { "function_hash": "161085467746273223275702615600082900727", "length": 2596.0 }, "deprecated": false }, { "signature_type": "Line", "id": "CVE-2024-49931-4c21ff0f", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@ad791e3ec60cb66c1e4dc121ffbf872df312427d", "signature_version": "v1", "target": { "file": "drivers/net/wireless/ath/ath12k/dp_rx.c" }, "digest": { "threshold": 0.9, "line_hashes": [ "326387305052383178326936041729458556030", "154052436673159362757616573624586264042", "70754909493169619303423059166754925174", "212542225967071229293622050762907252330" ] }, "deprecated": false }, { "signature_type": "Line", "id": "CVE-2024-49931-594f4522", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@e106b7ad13c1d246adaa57df73edb8f8b8acb240", "signature_version": "v1", "target": { "file": "drivers/net/wireless/ath/ath12k/dp_rx.c" }, "digest": { "threshold": 0.9, "line_hashes": [ "326387305052383178326936041729458556030", "154052436673159362757616573624586264042", "70754909493169619303423059166754925174", "212542225967071229293622050762907252330" ] }, "deprecated": false }, { "signature_type": "Function", "id": "CVE-2024-49931-9211c2da", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d0e4274d9dc9f8409d56d622cd3ecf7b6fd49e2f", "signature_version": "v1", "target": { "function": "ath12k_dp_rx_process", "file": "drivers/net/wireless/ath/ath12k/dp_rx.c" }, "digest": { "function_hash": "73053199807916834226387921728712779075", "length": 2647.0 }, "deprecated": false }, { "signature_type": "Line", "id": "CVE-2024-49931-9ced9e77", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a4aef827a41cdaf6201bbaf773c1eae4e20e967b", "signature_version": "v1", "target": { "file": "drivers/net/wireless/ath/ath12k/dp_rx.c" }, "digest": { "threshold": 0.9, "line_hashes": [ "326387305052383178326936041729458556030", "154052436673159362757616573624586264042", "70754909493169619303423059166754925174", "212542225967071229293622050762907252330" ] }, "deprecated": false }, { "signature_type": "Function", "id": "CVE-2024-49931-acc7a7a2", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a4aef827a41cdaf6201bbaf773c1eae4e20e967b", "signature_version": "v1", "target": { "function": "ath12k_dp_rx_process", "file": "drivers/net/wireless/ath/ath12k/dp_rx.c" }, "digest": { "function_hash": "271352097029217995206018286611314593563", "length": 2576.0 }, "deprecated": false }, { "signature_type": "Function", "id": "CVE-2024-49931-af29fd91", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@e106b7ad13c1d246adaa57df73edb8f8b8acb240", "signature_version": "v1", "target": { "function": "ath12k_dp_rx_process", "file": "drivers/net/wireless/ath/ath12k/dp_rx.c" }, "digest": { "function_hash": "161085467746273223275702615600082900727", "length": 2596.0 }, "deprecated": false }, { "signature_type": "Line", "id": "CVE-2024-49931-f6e32b0e", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d0e4274d9dc9f8409d56d622cd3ecf7b6fd49e2f", "signature_version": "v1", "target": { "file": "drivers/net/wireless/ath/ath12k/dp_rx.c" }, "digest": { "threshold": 0.9, "line_hashes": [ "326387305052383178326936041729458556030", "154052436673159362757616573624586264042", "70754909493169619303423059166754925174", "52603151664947142230941995469204165931" ] }, "deprecated": false } ]