Bug 2347937 (CVE-2022-49533) - CVE-2022-49533 kernel: ath11k: Change max no of active probe SSID and BSSID to fw capability
Summary: CVE-2022-49533 kernel: ath11k: Change max no of active probe SSID and BSSID t...
Keywords:
Status: NEW
Alias: CVE-2022-49533
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-02-26 03:11 UTC by OSIDB Bzimport
Modified: 2025-02-28 07:34 UTC (History)
4 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2025-02-26 03:11:57 UTC 
In the Linux kernel, the following vulnerability has been resolved:

ath11k: Change max no of active probe SSID and BSSID to fw capability

The maximum number of SSIDs in a for active probe requests is currently
reported as 16 (WLAN_SCAN_PARAMS_MAX_SSID) when registering the driver.
The scan_req_params structure only has the capacity to hold 10 SSIDs.
This leads to a buffer overflow which can be triggered from
wpa_supplicant in userspace. When copying the SSIDs into the
scan_req_params structure in the ath11k_mac_op_hw_scan route, it can
overwrite the extraie pointer.

Firmware supports 16 ssid * 4 bssid, for each ssid 4 bssid combo probe
request will be sent, so totally 64 probe requests supported. So
set both max ssid and bssid to 16 and 4 respectively. Remove the
redundant macros of ssid and bssid.

Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.7.0.1-01300-QCAHKSWPL_SILICONZ-1
Comment 3 Michal Findra 2025-02-28 07:31:25 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025022613-CVE-2022-49533-a0a4@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.