{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2021-47065","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-02-29T22:33:44.296Z","datePublished":"2024-02-29T22:37:39.135Z","dateUpdated":"2025-05-04T07:03:28.649Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-05-04T07:03:28.649Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nrtw88: Fix array overrun in rtw_get_tx_power_params()\n\nUsing a kernel with the Undefined Behaviour Sanity Checker (UBSAN) enabled, the\nfollowing array overrun is logged:\n\n================================================================================\nUBSAN: array-index-out-of-bounds in /home/finger/wireless-drivers-next/drivers/net/wireless/realtek/rtw88/phy.c:1789:34\nindex 5 is out of range for type 'u8 [5]'\nCPU: 2 PID: 84 Comm: kworker/u16:3 Tainted: G           O      5.12.0-rc5-00086-gd88bba47038e-dirty #651\nHardware name: TOSHIBA TECRA A50-A/TECRA A50-A, BIOS Version 4.50   09/29/2014\nWorkqueue: phy0 ieee80211_scan_work [mac80211]\nCall Trace:\n dump_stack+0x64/0x7c\n ubsan_epilogue+0x5/0x40\n __ubsan_handle_out_of_bounds.cold+0x43/0x48\n rtw_get_tx_power_params+0x83a/drivers/net/wireless/realtek/rtw88/0xad0 [rtw_core]\n ? rtw_pci_read16+0x20/0x20 [rtw_pci]\n ? check_hw_ready+0x50/0x90 [rtw_core]\n rtw_phy_get_tx_power_index+0x4d/0xd0 [rtw_core]\n rtw_phy_set_tx_power_level+0xee/0x1b0 [rtw_core]\n rtw_set_channel+0xab/0x110 [rtw_core]\n rtw_ops_config+0x87/0xc0 [rtw_core]\n ieee80211_hw_config+0x9d/0x130 [mac80211]\n ieee80211_scan_state_set_channel+0x81/0x170 [mac80211]\n ieee80211_scan_work+0x19f/0x2a0 [mac80211]\n process_one_work+0x1dd/0x3a0\n worker_thread+0x49/0x330\n ? rescuer_thread+0x3a0/0x3a0\n kthread+0x134/0x150\n ? kthread_create_worker_on_cpu+0x70/0x70\n ret_from_fork+0x22/0x30\n================================================================================\n\nThe statement where an array is being overrun is shown in the following snippet:\n\n\tif (rate <= DESC_RATE11M)\n\t\ttx_power = pwr_idx_2g->cck_base[group];\n\telse\n====>\t\ttx_power = pwr_idx_2g->bw40_base[group];\n\nThe associated arrays are defined in main.h as follows:\n\nstruct rtw_2g_txpwr_idx {\n\tu8 cck_base[6];\n\tu8 bw40_base[5];\n\tstruct rtw_2g_1s_pwr_idx_diff ht_1s_diff;\n\tstruct rtw_2g_ns_pwr_idx_diff ht_2s_diff;\n\tstruct rtw_2g_ns_pwr_idx_diff ht_3s_diff;\n\tstruct rtw_2g_ns_pwr_idx_diff ht_4s_diff;\n};\n\nThe problem arises because the value of group is 5 for channel 14. The trivial\nincrease in the dimension of bw40_base fails as this struct must match the layout of\nefuse. The fix is to add the rate as an argument to rtw_get_channel_group() and set\nthe group for channel 14 to 4 if rate <= DESC_RATE11M.\n\nThis patch fixes commit fa6dfe6bff24 (\"rtw88: resolve order of tx power setting routines\")"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/net/wireless/realtek/rtw88/phy.c"],"versions":[{"version":"fa6dfe6bff246ddd5be3cfe81637f137acd6c294","lessThan":"6b5aa0cf321c25f41e09a61c83ee4dc7ab9549cb","status":"affected","versionType":"git"},{"version":"fa6dfe6bff246ddd5be3cfe81637f137acd6c294","lessThan":"95fb153c6027924cda3422120169d1890737f3a0","status":"affected","versionType":"git"},{"version":"fa6dfe6bff246ddd5be3cfe81637f137acd6c294","lessThan":"5f3dbced8eaa5c9ed7d6943f3fea99f235a6516a","status":"affected","versionType":"git"},{"version":"fa6dfe6bff246ddd5be3cfe81637f137acd6c294","lessThan":"9cd09722e18a08b6a3d68b8bccfac39ddc22434c","status":"affected","versionType":"git"},{"version":"fa6dfe6bff246ddd5be3cfe81637f137acd6c294","lessThan":"2ff25985ea9ccc6c9af2c77b0b49045adcc62e0e","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/net/wireless/realtek/rtw88/phy.c"],"versions":[{"version":"5.3","status":"affected"},{"version":"0","lessThan":"5.3","status":"unaffected","versionType":"semver"},{"version":"5.4.119","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.37","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.11.21","lessThanOrEqual":"5.11.*","status":"unaffected","versionType":"semver"},{"version":"5.12.4","lessThanOrEqual":"5.12.*","status":"unaffected","versionType":"semver"},{"version":"5.13","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.3","versionEndExcluding":"5.4.119"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.3","versionEndExcluding":"5.10.37"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.3","versionEndExcluding":"5.11.21"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.3","versionEndExcluding":"5.12.4"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.3","versionEndExcluding":"5.13"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/6b5aa0cf321c25f41e09a61c83ee4dc7ab9549cb"},{"url":"https://git.kernel.org/stable/c/95fb153c6027924cda3422120169d1890737f3a0"},{"url":"https://git.kernel.org/stable/c/5f3dbced8eaa5c9ed7d6943f3fea99f235a6516a"},{"url":"https://git.kernel.org/stable/c/9cd09722e18a08b6a3d68b8bccfac39ddc22434c"},{"url":"https://git.kernel.org/stable/c/2ff25985ea9ccc6c9af2c77b0b49045adcc62e0e"}],"title":"rtw88: Fix array overrun in rtw_get_tx_power_params()","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"title":"CISA ADP Vulnrichment","metrics":[{"other":{"type":"ssvc","content":{"id":"CVE-2021-47065","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"version":"2.0.3","timestamp":"2024-03-06T19:40:45.781001Z"}}}],"providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-06-04T17:13:26.150Z"}},{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-04T05:24:39.558Z"},"title":"CVE Program Container","references":[{"url":"https://git.kernel.org/stable/c/6b5aa0cf321c25f41e09a61c83ee4dc7ab9549cb","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/95fb153c6027924cda3422120169d1890737f3a0","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/5f3dbced8eaa5c9ed7d6943f3fea99f235a6516a","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/9cd09722e18a08b6a3d68b8bccfac39ddc22434c","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/2ff25985ea9ccc6c9af2c77b0b49045adcc62e0e","tags":["x_transferred"]}]}]}}