Show plain JSON{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2021-47065", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-02-29T22:33:44.296Z", "datePublished": "2024-02-29T22:37:39.135Z", "dateUpdated": "2025-05-04T07:03:28.649Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-04T07:03:28.649Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrtw88: Fix array overrun in rtw_get_tx_power_params()\n\nUsing a kernel with the Undefined Behaviour Sanity Checker (UBSAN) enabled, the\nfollowing array overrun is logged:\n\n================================================================================\nUBSAN: array-index-out-of-bounds in /home/finger/wireless-drivers-next/drivers/net/wireless/realtek/rtw88/phy.c:1789:34\nindex 5 is out of range for type 'u8 [5]'\nCPU: 2 PID: 84 Comm: kworker/u16:3 Tainted: G O 5.12.0-rc5-00086-gd88bba47038e-dirty #651\nHardware name: TOSHIBA TECRA A50-A/TECRA A50-A, BIOS Version 4.50 09/29/2014\nWorkqueue: phy0 ieee80211_scan_work [mac80211]\nCall Trace:\n dump_stack+0x64/0x7c\n ubsan_epilogue+0x5/0x40\n __ubsan_handle_out_of_bounds.cold+0x43/0x48\n rtw_get_tx_power_params+0x83a/drivers/net/wireless/realtek/rtw88/0xad0 [rtw_core]\n ? rtw_pci_read16+0x20/0x20 [rtw_pci]\n ? check_hw_ready+0x50/0x90 [rtw_core]\n rtw_phy_get_tx_power_index+0x4d/0xd0 [rtw_core]\n rtw_phy_set_tx_power_level+0xee/0x1b0 [rtw_core]\n rtw_set_channel+0xab/0x110 [rtw_core]\n rtw_ops_config+0x87/0xc0 [rtw_core]\n ieee80211_hw_config+0x9d/0x130 [mac80211]\n ieee80211_scan_state_set_channel+0x81/0x170 [mac80211]\n ieee80211_scan_work+0x19f/0x2a0 [mac80211]\n process_one_work+0x1dd/0x3a0\n worker_thread+0x49/0x330\n ? rescuer_thread+0x3a0/0x3a0\n kthread+0x134/0x150\n ? kthread_create_worker_on_cpu+0x70/0x70\n ret_from_fork+0x22/0x30\n================================================================================\n\nThe statement where an array is being overrun is shown in the following snippet:\n\n\tif (rate <= DESC_RATE11M)\n\t\ttx_power = pwr_idx_2g->cck_base[group];\n\telse\n====>\t\ttx_power = pwr_idx_2g->bw40_base[group];\n\nThe associated arrays are defined in main.h as follows:\n\nstruct rtw_2g_txpwr_idx {\n\tu8 cck_base[6];\n\tu8 bw40_base[5];\n\tstruct rtw_2g_1s_pwr_idx_diff ht_1s_diff;\n\tstruct rtw_2g_ns_pwr_idx_diff ht_2s_diff;\n\tstruct rtw_2g_ns_pwr_idx_diff ht_3s_diff;\n\tstruct rtw_2g_ns_pwr_idx_diff ht_4s_diff;\n};\n\nThe problem arises because the value of group is 5 for channel 14. The trivial\nincrease in the dimension of bw40_base fails as this struct must match the layout of\nefuse. The fix is to add the rate as an argument to rtw_get_channel_group() and set\nthe group for channel 14 to 4 if rate <= DESC_RATE11M.\n\nThis patch fixes commit fa6dfe6bff24 (\"rtw88: resolve order of tx power setting routines\")"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/wireless/realtek/rtw88/phy.c"], "versions": [{"version": "fa6dfe6bff246ddd5be3cfe81637f137acd6c294", "lessThan": "6b5aa0cf321c25f41e09a61c83ee4dc7ab9549cb", "status": "affected", "versionType": "git"}, {"version": "fa6dfe6bff246ddd5be3cfe81637f137acd6c294", "lessThan": "95fb153c6027924cda3422120169d1890737f3a0", "status": "affected", "versionType": "git"}, {"version": "fa6dfe6bff246ddd5be3cfe81637f137acd6c294", "lessThan": "5f3dbced8eaa5c9ed7d6943f3fea99f235a6516a", "status": "affected", "versionType": "git"}, {"version": "fa6dfe6bff246ddd5be3cfe81637f137acd6c294", "lessThan": "9cd09722e18a08b6a3d68b8bccfac39ddc22434c", "status": "affected", "versionType": "git"}, {"version": "fa6dfe6bff246ddd5be3cfe81637f137acd6c294", "lessThan": "2ff25985ea9ccc6c9af2c77b0b49045adcc62e0e", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/wireless/realtek/rtw88/phy.c"], "versions": [{"version": "5.3", "status": "affected"}, {"version": "0", "lessThan": "5.3", "status": "unaffected", "versionType": "semver"}, {"version": "5.4.119", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.37", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.11.21", "lessThanOrEqual": "5.11.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.12.4", "lessThanOrEqual": "5.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.13", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.3", "versionEndExcluding": "5.4.119"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.3", "versionEndExcluding": "5.10.37"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.3", "versionEndExcluding": "5.11.21"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.3", "versionEndExcluding": "5.12.4"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.3", "versionEndExcluding": "5.13"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/6b5aa0cf321c25f41e09a61c83ee4dc7ab9549cb"}, {"url": "https://git.kernel.org/stable/c/95fb153c6027924cda3422120169d1890737f3a0"}, {"url": "https://git.kernel.org/stable/c/5f3dbced8eaa5c9ed7d6943f3fea99f235a6516a"}, {"url": "https://git.kernel.org/stable/c/9cd09722e18a08b6a3d68b8bccfac39ddc22434c"}, {"url": "https://git.kernel.org/stable/c/2ff25985ea9ccc6c9af2c77b0b49045adcc62e0e"}], "title": "rtw88: Fix array overrun in rtw_get_tx_power_params()", "x_generator": {"engine": "bippy-1.2.0"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2021-47065", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-03-06T19:40:45.781001Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:13:26.150Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T05:24:39.558Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/6b5aa0cf321c25f41e09a61c83ee4dc7ab9549cb", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/95fb153c6027924cda3422120169d1890737f3a0", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/5f3dbced8eaa5c9ed7d6943f3fea99f235a6516a", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/9cd09722e18a08b6a3d68b8bccfac39ddc22434c", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/2ff25985ea9ccc6c9af2c77b0b49045adcc62e0e", "tags": ["x_transferred"]}]}]}}