cve/published/2023/CVE-2023-52611.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2023-52611: wifi: rtw88: sdio: Honor the host max_req_size in the RX path

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 wifi: rtw88: sdio: Honor the host max_req_size in the RX path

 Lukas reports skb_over_panic errors on his Banana Pi BPI-CM4 which comes
 with an Amlogic A311D (G12B) SoC and a RTL8822CS SDIO wifi/Bluetooth
 combo card. The error he observed is identical to what has been fixed
 in commit e967229ead0e ("wifi: rtw88: sdio: Check the HISR RX_REQUEST
 bit in rtw_sdio_rx_isr()") but that commit didn't fix Lukas' problem.

 Lukas found that disabling or limiting RX aggregation works around the
 problem for some time (but does not fully fix it). In the following
 discussion a few key topics have been discussed which have an impact on
 this problem:
 - The Amlogic A311D (G12B) SoC has a hardware bug in the SDIO controller
   which prevents DMA transfers. Instead all transfers need to go through
   the controller SRAM which limits transfers to 1536 bytes
 - rtw88 chips don't split incoming (RX) packets, so if a big packet is
   received this is forwarded to the host in it's original form
 - rtw88 chips can do RX aggregation, meaning more multiple incoming
   packets can be pulled by the host from the card with one MMC/SDIO
   transfer. This Depends on settings in the REG_RXDMA_AGG_PG_TH
   register (BIT_RXDMA_AGG_PG_TH limits the number of packets that will
   be aggregated, BIT_DMA_AGG_TO_V1 configures a timeout for aggregation
   and BIT_EN_PRE_CALC makes the chip honor the limits more effectively)

 Use multiple consecutive reads in rtw_sdio_read_port() and limit the
 number of bytes which are copied by the host from the card in one
 MMC/SDIO transfer. This allows receiving a buffer that's larger than
 the hosts max_req_size (number of bytes which can be transferred in
 one MMC/SDIO transfer). As a result of this the skb_over_panic error
 is gone as the rtw88 driver is now able to receive more than 1536 bytes
 from the card (either because the incoming packet is larger than that
 or because multiple packets have been aggregated).

 In case of an receive errors (-EILSEQ has been observed by Lukas) we
 need to drain the remaining data from the card's buffer, otherwise the
 card will return corrupt data for the next rtw_sdio_read_port() call.

 The Linux kernel CVE team has assigned CVE-2023-52611 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.4 with commit 65371a3f14e73979958aea0db1e3bb456a296149 and fixed in 6.6.14 with commit 5b5ddf21b978ec315cab9d9e7e6ac7374791a8c7
 	Issue introduced in 6.4 with commit 65371a3f14e73979958aea0db1e3bb456a296149 and fixed in 6.7.2 with commit 0e9ffff72a0674cd6656314dbd99cdd2123a3030
 	Issue introduced in 6.4 with commit 65371a3f14e73979958aea0db1e3bb456a296149 and fixed in 6.8 with commit 00384f565a91c08c4bedae167f749b093d10e3fe

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2023-52611
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/net/wireless/realtek/rtw88/sdio.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/5b5ddf21b978ec315cab9d9e7e6ac7374791a8c7
 	https://git.kernel.org/stable/c/0e9ffff72a0674cd6656314dbd99cdd2123a3030
 	https://git.kernel.org/stable/c/00384f565a91c08c4bedae167f749b093d10e3fe
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2023-52611: wifi: rtw88: sdio: Honor the host max_req_size in the RX path

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	wifi: rtw88: sdio: Honor the host max_req_size in the RX path

	Lukas reports skb_over_panic errors on his Banana Pi BPI-CM4 which comes
	with an Amlogic A311D (G12B) SoC and a RTL8822CS SDIO wifi/Bluetooth
	combo card. The error he observed is identical to what has been fixed
	in commit e967229ead0e ("wifi: rtw88: sdio: Check the HISR RX_REQUEST
	bit in rtw_sdio_rx_isr()") but that commit didn't fix Lukas' problem.

	Lukas found that disabling or limiting RX aggregation works around the
	problem for some time (but does not fully fix it). In the following
	discussion a few key topics have been discussed which have an impact on
	this problem:
	- The Amlogic A311D (G12B) SoC has a hardware bug in the SDIO controller
	which prevents DMA transfers. Instead all transfers need to go through
	the controller SRAM which limits transfers to 1536 bytes
	- rtw88 chips don't split incoming (RX) packets, so if a big packet is
	received this is forwarded to the host in it's original form
	- rtw88 chips can do RX aggregation, meaning more multiple incoming
	packets can be pulled by the host from the card with one MMC/SDIO
	transfer. This Depends on settings in the REG_RXDMA_AGG_PG_TH
	register (BIT_RXDMA_AGG_PG_TH limits the number of packets that will
	be aggregated, BIT_DMA_AGG_TO_V1 configures a timeout for aggregation
	and BIT_EN_PRE_CALC makes the chip honor the limits more effectively)

	Use multiple consecutive reads in rtw_sdio_read_port() and limit the
	number of bytes which are copied by the host from the card in one
	MMC/SDIO transfer. This allows receiving a buffer that's larger than
	the hosts max_req_size (number of bytes which can be transferred in
	one MMC/SDIO transfer). As a result of this the skb_over_panic error
	is gone as the rtw88 driver is now able to receive more than 1536 bytes
	from the card (either because the incoming packet is larger than that
	or because multiple packets have been aggregated).

	In case of an receive errors (-EILSEQ has been observed by Lukas) we
	need to drain the remaining data from the card's buffer, otherwise the
	card will return corrupt data for the next rtw_sdio_read_port() call.

	The Linux kernel CVE team has assigned CVE-2023-52611 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.4 with commit 65371a3f14e73979958aea0db1e3bb456a296149 and fixed in 6.6.14 with commit 5b5ddf21b978ec315cab9d9e7e6ac7374791a8c7
	Issue introduced in 6.4 with commit 65371a3f14e73979958aea0db1e3bb456a296149 and fixed in 6.7.2 with commit 0e9ffff72a0674cd6656314dbd99cdd2123a3030
	Issue introduced in 6.4 with commit 65371a3f14e73979958aea0db1e3bb456a296149 and fixed in 6.8 with commit 00384f565a91c08c4bedae167f749b093d10e3fe

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2023-52611
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/net/wireless/realtek/rtw88/sdio.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/5b5ddf21b978ec315cab9d9e7e6ac7374791a8c7
	https://git.kernel.org/stable/c/0e9ffff72a0674cd6656314dbd99cdd2123a3030
	https://git.kernel.org/stable/c/00384f565a91c08c4bedae167f749b093d10e3fe