ghsa-7vp7-2c88-3j3x
Vulnerability from github
Published
2025-07-10 09:32
Modified
2025-07-10 09:32
Details

In the Linux kernel, the following vulnerability has been resolved:

wifi: p54: prevent buffer-overflow in p54_rx_eeprom_readback()

Robert Morris reported:

|If a malicious USB device pretends to be an Intersil p54 wifi |interface and generates an eeprom_readback message with a large |eeprom->v1.len, p54_rx_eeprom_readback() will copy data from the |message beyond the end of priv->eeprom. | |static void p54_rx_eeprom_readback(struct p54_common priv, | struct sk_buff skb) |{ | struct p54_hdr hdr = (struct p54_hdr ) skb->data; | struct p54_eeprom_lm86 eeprom = (struct p54_eeprom_lm86 ) hdr->data; | | if (priv->fw_var >= 0x509) { | memcpy(priv->eeprom, eeprom->v2.data, | le16_to_cpu(eeprom->v2.len)); | } else { | memcpy(priv->eeprom, eeprom->v1.data, | le16_to_cpu(eeprom->v1.len)); | } | [...]

The eeprom->v{1,2}.len is set by the driver in p54_download_eeprom(). The device is supposed to provide the same length back to the driver. But yes, it's possible (like shown in the report) to alter the value to something that causes a crash/panic due to overrun.

This patch addresses the issue by adding the size to the common device context, so p54_rx_eeprom_readback no longer relies on possibly tampered values... That said, it also checks if the "firmware" altered the value and no longer copies them.

The one, small saving grace is: Before the driver tries to read the eeprom, it needs to upload >a< firmware. the vendor firmware has a proprietary license and as a reason, it is not present on most distributions by default.

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2025-38348"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-10T09:15:29Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: p54: prevent buffer-overflow in p54_rx_eeprom_readback()\n\nRobert Morris reported:\n\n|If a malicious USB device pretends to be an Intersil p54 wifi\n|interface and generates an eeprom_readback message with a large\n|eeprom-\u003ev1.len, p54_rx_eeprom_readback() will copy data from the\n|message beyond the end of priv-\u003eeeprom.\n|\n|static void p54_rx_eeprom_readback(struct p54_common *priv,\n|                                   struct sk_buff *skb)\n|{\n|        struct p54_hdr *hdr = (struct p54_hdr *) skb-\u003edata;\n|        struct p54_eeprom_lm86 *eeprom = (struct p54_eeprom_lm86 *) hdr-\u003edata;\n|\n|        if (priv-\u003efw_var \u003e= 0x509) {\n|                memcpy(priv-\u003eeeprom, eeprom-\u003ev2.data,\n|                       le16_to_cpu(eeprom-\u003ev2.len));\n|        } else {\n|                memcpy(priv-\u003eeeprom, eeprom-\u003ev1.data,\n|                       le16_to_cpu(eeprom-\u003ev1.len));\n|        }\n| [...]\n\nThe eeprom-\u003ev{1,2}.len is set by the driver in p54_download_eeprom().\nThe device is supposed to provide the same length back to the driver.\nBut yes, it\u0027s possible (like shown in the report) to alter the value\nto something that causes a crash/panic due to overrun.\n\nThis patch addresses the issue by adding the size to the common device\ncontext, so p54_rx_eeprom_readback no longer relies on possibly tampered\nvalues... That said, it also checks if the \"firmware\" altered the value\nand no longer copies them.\n\nThe one, small saving grace is: Before the driver tries to read the eeprom,\nit needs to upload \u003ea\u003c firmware. the vendor firmware has a proprietary\nlicense and as a reason, it is not present on most distributions by\ndefault.",
  "id": "GHSA-7vp7-2c88-3j3x",
  "modified": "2025-07-10T09:32:32Z",
  "published": "2025-07-10T09:32:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38348"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0e4dc150423b829c35cbcf399481ca11594fc036"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/12134f79e53eb56b0b0b7447fa0c512acf6a8422"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1f7f8168abe8cbe845ab8bb557228d44784a6b57"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6d05390d20f110de37d051a3e063ef0a542d01fb"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/714afb4c38edd19a057d519c1f9c5d164b43de94"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9701f842031b825e2fd5f22d064166f8f13f6e4d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/da1b9a55ff116cb040528ef664c70a4eec03ae99"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f39b2f8c1549a539846e083790fad396ef6cd802"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.