cve/published/2025/CVE-2025-37990.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-1.2.0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@kernel.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2025-37990: wifi: brcm80211: fmac: Add error handling for brcmf_usb_dl_writeimage()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 wifi: brcm80211: fmac: Add error handling for brcmf_usb_dl_writeimage()

 The function brcmf_usb_dl_writeimage() calls the function
 brcmf_usb_dl_cmd() but dose not check its return value. The
 'state.state' and the 'state.bytes' are uninitialized if the
 function brcmf_usb_dl_cmd() fails. It is dangerous to use
 uninitialized variables in the conditions.

 Add error handling for brcmf_usb_dl_cmd() to jump to error
 handling path if the brcmf_usb_dl_cmd() fails and the
 'state.state' and the 'state.bytes' are uninitialized.

 Improve the error message to report more detailed error
 information.

 The Linux kernel CVE team has assigned CVE-2025-37990 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 3.4 with commit 71bb244ba2fd5390eefe4ee9054abdb3f8b05922 and fixed in 5.4.294 with commit 972bf75e53f778c78039c5d139dd47443a6d66a1
 	Issue introduced in 3.4 with commit 71bb244ba2fd5390eefe4ee9054abdb3f8b05922 and fixed in 5.10.238 with commit 62a4f2955d9a1745bdb410bf83fb16666d8865d6
 	Issue introduced in 3.4 with commit 71bb244ba2fd5390eefe4ee9054abdb3f8b05922 and fixed in 5.15.182 with commit 508be7c001437bacad7b9a43f08a723887bcd1ea
 	Issue introduced in 3.4 with commit 71bb244ba2fd5390eefe4ee9054abdb3f8b05922 and fixed in 6.1.138 with commit 524b70441baba453b193c418e3142bd31059cc1f
 	Issue introduced in 3.4 with commit 71bb244ba2fd5390eefe4ee9054abdb3f8b05922 and fixed in 6.6.90 with commit 08424a0922fb9e32a19b09d852ee87fb6c497538
 	Issue introduced in 3.4 with commit 71bb244ba2fd5390eefe4ee9054abdb3f8b05922 and fixed in 6.12.28 with commit bdb435ef9815b1ae28eefffa01c6959d0fcf1fa7
 	Issue introduced in 3.4 with commit 71bb244ba2fd5390eefe4ee9054abdb3f8b05922 and fixed in 6.14.6 with commit fa9b9f02212574ee1867fbefb0a675362a71b31d
 	Issue introduced in 3.4 with commit 71bb244ba2fd5390eefe4ee9054abdb3f8b05922 and fixed in 6.15 with commit 8e089e7b585d95122c8122d732d1d5ef8f879396

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2025-37990
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/972bf75e53f778c78039c5d139dd47443a6d66a1
 	https://git.kernel.org/stable/c/62a4f2955d9a1745bdb410bf83fb16666d8865d6
 	https://git.kernel.org/stable/c/508be7c001437bacad7b9a43f08a723887bcd1ea
 	https://git.kernel.org/stable/c/524b70441baba453b193c418e3142bd31059cc1f
 	https://git.kernel.org/stable/c/08424a0922fb9e32a19b09d852ee87fb6c497538
 	https://git.kernel.org/stable/c/bdb435ef9815b1ae28eefffa01c6959d0fcf1fa7
 	https://git.kernel.org/stable/c/fa9b9f02212574ee1867fbefb0a675362a71b31d
 	https://git.kernel.org/stable/c/8e089e7b585d95122c8122d732d1d5ef8f879396
	From bippy-1.2.0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@kernel.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2025-37990: wifi: brcm80211: fmac: Add error handling for brcmf_usb_dl_writeimage()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	wifi: brcm80211: fmac: Add error handling for brcmf_usb_dl_writeimage()

	The function brcmf_usb_dl_writeimage() calls the function
	brcmf_usb_dl_cmd() but dose not check its return value. The
	'state.state' and the 'state.bytes' are uninitialized if the
	function brcmf_usb_dl_cmd() fails. It is dangerous to use
	uninitialized variables in the conditions.

	Add error handling for brcmf_usb_dl_cmd() to jump to error
	handling path if the brcmf_usb_dl_cmd() fails and the
	'state.state' and the 'state.bytes' are uninitialized.

	Improve the error message to report more detailed error
	information.

	The Linux kernel CVE team has assigned CVE-2025-37990 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 3.4 with commit 71bb244ba2fd5390eefe4ee9054abdb3f8b05922 and fixed in 5.4.294 with commit 972bf75e53f778c78039c5d139dd47443a6d66a1
	Issue introduced in 3.4 with commit 71bb244ba2fd5390eefe4ee9054abdb3f8b05922 and fixed in 5.10.238 with commit 62a4f2955d9a1745bdb410bf83fb16666d8865d6
	Issue introduced in 3.4 with commit 71bb244ba2fd5390eefe4ee9054abdb3f8b05922 and fixed in 5.15.182 with commit 508be7c001437bacad7b9a43f08a723887bcd1ea
	Issue introduced in 3.4 with commit 71bb244ba2fd5390eefe4ee9054abdb3f8b05922 and fixed in 6.1.138 with commit 524b70441baba453b193c418e3142bd31059cc1f
	Issue introduced in 3.4 with commit 71bb244ba2fd5390eefe4ee9054abdb3f8b05922 and fixed in 6.6.90 with commit 08424a0922fb9e32a19b09d852ee87fb6c497538
	Issue introduced in 3.4 with commit 71bb244ba2fd5390eefe4ee9054abdb3f8b05922 and fixed in 6.12.28 with commit bdb435ef9815b1ae28eefffa01c6959d0fcf1fa7
	Issue introduced in 3.4 with commit 71bb244ba2fd5390eefe4ee9054abdb3f8b05922 and fixed in 6.14.6 with commit fa9b9f02212574ee1867fbefb0a675362a71b31d
	Issue introduced in 3.4 with commit 71bb244ba2fd5390eefe4ee9054abdb3f8b05922 and fixed in 6.15 with commit 8e089e7b585d95122c8122d732d1d5ef8f879396

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-37990
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/972bf75e53f778c78039c5d139dd47443a6d66a1
	https://git.kernel.org/stable/c/62a4f2955d9a1745bdb410bf83fb16666d8865d6
	https://git.kernel.org/stable/c/508be7c001437bacad7b9a43f08a723887bcd1ea
	https://git.kernel.org/stable/c/524b70441baba453b193c418e3142bd31059cc1f
	https://git.kernel.org/stable/c/08424a0922fb9e32a19b09d852ee87fb6c497538
	https://git.kernel.org/stable/c/bdb435ef9815b1ae28eefffa01c6959d0fcf1fa7
	https://git.kernel.org/stable/c/fa9b9f02212574ee1867fbefb0a675362a71b31d
	https://git.kernel.org/stable/c/8e089e7b585d95122c8122d732d1d5ef8f879396