CVE-2021-47633
Published: 26 February 2025
Description
In the Linux kernel, the following vulnerability has been resolved: ath5k: fix OOB in ath5k_eeprom_read_pcal_info_5111 The bug was found during fuzzing. Stacktrace locates it in ath5k_eeprom_convert_pcal_info_5111. When none of the curve is selected in the loop, idx can go up to AR5K_EEPROM_N_PD_CURVES. The line makes pd out of bound. pd = &chinfo[pier].pd_curves[idx]; There are many OOB writes using pd later in the code. So I added a sanity check for idx. Checks for other loops involving AR5K_EEPROM_N_PD_CURVES are not needed as the loop index is not used outside the loops. The patch is NOT tested with real device. The following is the fuzzing report BUG: KASAN: slab-out-of-bounds in ath5k_eeprom_read_pcal_info_5111+0x126a/0x1390 [ath5k] Write of size 1 at addr ffff8880174a4d60 by task modprobe/214 CPU: 0 PID: 214 Comm: modprobe Not tainted 5.6.0 #1 Call Trace: dump_stack+0x76/0xa0 print_address_description.constprop.0+0x16/0x200 ? ath5k_eeprom_read_pcal_info_5111+0x126a/0x1390 [ath5k] ? ath5k_eeprom_read_pcal_info_5111+0x126a/0x1390 [ath5k] __kasan_report.cold+0x37/0x7c ? ath5k_eeprom_read_pcal_info_5111+0x126a/0x1390 [ath5k] kasan_report+0xe/0x20 ath5k_eeprom_read_pcal_info_5111+0x126a/0x1390 [ath5k] ? apic_timer_interrupt+0xa/0x20 ? ath5k_eeprom_init_11a_pcal_freq+0xbc0/0xbc0 [ath5k] ? ath5k_pci_eeprom_read+0x228/0x3c0 [ath5k] ath5k_eeprom_init+0x2513/0x6290 [ath5k] ? ath5k_eeprom_init_11a_pcal_freq+0xbc0/0xbc0 [ath5k] ? usleep_range+0xb8/0x100 ? apic_timer_interrupt+0xa/0x20 ? ath5k_eeprom_read_pcal_info_2413+0x2f20/0x2f20 [ath5k] ath5k_hw_init+0xb60/0x1970 [ath5k] ath5k_init_ah+0x6fe/0x2530 [ath5k] ? kasprintf+0xa6/0xe0 ? ath5k_stop+0x140/0x140 [ath5k] ? _dev_notice+0xf6/0xf6 ? apic_timer_interrupt+0xa/0x20 ath5k_pci_probe.cold+0x29a/0x3d6 [ath5k] ? ath5k_pci_eeprom_read+0x3c0/0x3c0 [ath5k] ? mutex_lock+0x89/0xd0 ? ath5k_pci_eeprom_read+0x3c0/0x3c0 [ath5k] local_pci_probe+0xd3/0x160 pci_device_probe+0x23f/0x3e0 ? pci_device_remove+0x280/0x280 ? pci_device_remove+0x280/0x280 really_probe+0x209/0x5d0
Security Summary
CVE-2021-47633 is an out-of-bounds write vulnerability in the Linux kernel's ath5k driver, specifically in the ath5k_eeprom_read_pcal_info_5111 function. The issue occurs when no power detector (PD) curve is selected in a loop, causing the index idx to reach AR5K_EEPROM_N_PD_CURVES, which results in an out-of-bounds access to pd = &chinfo[pier].pd_curves[idx]. Subsequent code performs multiple out-of-bounds writes using this pointer. The vulnerability was identified through fuzzing and confirmed by KASAN during module loading with modprobe on kernel version 5.6.0.
A local attacker with low privileges can exploit this vulnerability with low attack complexity and no user interaction required. It triggers during ath5k driver initialization, such as when probing a compatible PCI device. Successful exploitation leads to high-impact confidentiality loss through information disclosure and high-impact availability disruption, potentially via memory corruption or kernel crash, as indicated by the CVSS 3.1 score of 7.1 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H). The issue is associated with CWE-125.
Mitigation involves applying the upstream kernel patches referenced in the stable commit links, which add a sanity check for the idx value before the out-of-bounds access. These patches resolve the issue in ath5k_eeprom_convert_pcal_info_5111 without requiring changes to other loops using AR5K_EEPROM_N_PD_CURVES.
The vulnerability was discovered via fuzzing, with KASAN reporting a slab-out-of-bounds write during modprobe of the ath5k module. The fix patch was not tested on real hardware. No real-world exploitation has been reported.
Details
- CWE(s)