Bug 2426122 (CVE-2023-54300) - CVE-2023-54300 kernel: wifi: ath9k: avoid referencing uninit memory in ath9k_wmi_ctrl_rx
Summary: CVE-2023-54300 kernel: wifi: ath9k: avoid referencing uninit memory in ath9k_...
Keywords:
Status: NEW
Alias: CVE-2023-54300
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-12-30 13:10 UTC by OSIDB Bzimport
Modified: 2025-12-31 07:41 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2025-12-30 13:10:37 UTC 
In the Linux kernel, the following vulnerability has been resolved:

wifi: ath9k: avoid referencing uninit memory in ath9k_wmi_ctrl_rx

For the reasons also described in commit b383e8abed41 ("wifi: ath9k: avoid
uninit memory read in ath9k_htc_rx_msg()"), ath9k_htc_rx_msg() should
validate pkt_len before accessing the SKB.

For example, the obtained SKB may have been badly constructed with
pkt_len = 8. In this case, the SKB can only contain a valid htc_frame_hdr
but after being processed in ath9k_htc_rx_msg() and passed to
ath9k_wmi_ctrl_rx() endpoint RX handler, it is expected to have a WMI
command header which should be located inside its data payload.

Implement sanity checking inside ath9k_wmi_ctrl_rx(). Otherwise, uninit
memory can be referenced.

Tested on Qualcomm Atheros Communications AR9271 802.11n .

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
Comment 1 Alexander B 2025-12-31 07:36:59 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025123032-CVE-2023-54300-5746@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.