CVE-2024-53189

The channels array in the cfg80211scanrequest has a _countedby attribute attached to it, which points to the nchannels variable. This attribute is used in bounds checking, and if it is not set before the array is filled, then the bounds sanitizer will issue a warning or a kernel panic if CONFIGUBSAN_TRAP is set.

This patch sets the size of allocated memory as the initial value for n_channels. It is updated with the actual number of added elements after the array is filled.

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

aa4ec06c455d0200eea0a4361cc58eb5b8bf68c4

Fixed

d4ef643ea78c59c22546046c25dc6e7206267672

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

aa4ec06c455d0200eea0a4361cc58eb5b8bf68c4

Fixed

1a7b62ddf2c7642878c24f0e556041bb58c37527

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

aa4ec06c455d0200eea0a4361cc58eb5b8bf68c4

Fixed

9c46a3a5b394d6d123866aa44436fc2cd342eb0d

Affected versions

v6.*

v6.10

v6.10-rc1

v6.10-rc2

v6.10-rc3

v6.10-rc4

v6.10-rc5

v6.10-rc6

v6.10-rc7

v6.11

v6.11-rc1

v6.11-rc2

v6.11-rc3

v6.11-rc4

v6.11-rc5

v6.11-rc6

v6.11-rc7

v6.11.1

v6.11.10

v6.11.2

v6.11.3

v6.11.4

v6.11.5

v6.11.6

v6.11.7

v6.11.8

v6.11.9

v6.12

v6.12-rc1

v6.12-rc2

v6.12-rc3

v6.12-rc4

v6.12-rc5

v6.12-rc6

v6.12-rc7

v6.12.1

v6.9

v6.9-rc7

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.11.0

Fixed

6.11.11

Type: ECOSYSTEM
Events: Introduced

6.12.0

Fixed

6.12.2