{ "threat_severity" : "Moderate", "public_date" : "2024-12-27T00:00:00Z", "bugzilla" : { "description" : "kernel: wifi: nl80211: fix NL80211_ATTR_MLO_LINK_ID off-by-one", "id" : "2334539", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2334539" }, "cvss3" : { "cvss3_base_score" : "7.1", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "status" : "verified" }, "cwe" : "CWE-193", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nwifi: nl80211: fix NL80211_ATTR_MLO_LINK_ID off-by-one\nSince the netlink attribute range validation provides inclusive\nchecking, the *max* of attribute NL80211_ATTR_MLO_LINK_ID should be\nIEEE80211_MLD_MAX_NUM_LINKS - 1 otherwise causing an off-by-one.\nOne crash stack for demonstration:\n==================================================================\nBUG: KASAN: wild-memory-access in ieee80211_tx_control_port+0x3b6/0xca0 net/mac80211/tx.c:5939\nRead of size 6 at addr 001102080000000c by task fuzzer.386/9508\nCPU: 1 PID: 9508 Comm: syz.1.386 Not tainted 6.1.70 #2\nCall Trace:\n\n__dump_stack lib/dump_stack.c:88 [inline]\ndump_stack_lvl+0x177/0x231 lib/dump_stack.c:106\nprint_report+0xe0/0x750 mm/kasan/report.c:398\nkasan_report+0x139/0x170 mm/kasan/report.c:495\nkasan_check_range+0x287/0x290 mm/kasan/generic.c:189\nmemcpy+0x25/0x60 mm/kasan/shadow.c:65\nieee80211_tx_control_port+0x3b6/0xca0 net/mac80211/tx.c:5939\nrdev_tx_control_port net/wireless/rdev-ops.h:761 [inline]\nnl80211_tx_control_port+0x7b3/0xc40 net/wireless/nl80211.c:15453\ngenl_family_rcv_msg_doit+0x22e/0x320 net/netlink/genetlink.c:756\ngenl_family_rcv_msg net/netlink/genetlink.c:833 [inline]\ngenl_rcv_msg+0x539/0x740 net/netlink/genetlink.c:850\nnetlink_rcv_skb+0x1de/0x420 net/netlink/af_netlink.c:2508\ngenl_rcv+0x24/0x40 net/netlink/genetlink.c:861\nnetlink_unicast_kernel net/netlink/af_netlink.c:1326 [inline]\nnetlink_unicast+0x74b/0x8c0 net/netlink/af_netlink.c:1352\nnetlink_sendmsg+0x882/0xb90 net/netlink/af_netlink.c:1874\nsock_sendmsg_nosec net/socket.c:716 [inline]\n__sock_sendmsg net/socket.c:728 [inline]\n____sys_sendmsg+0x5cc/0x8f0 net/socket.c:2499\n___sys_sendmsg+0x21c/0x290 net/socket.c:2553\n__sys_sendmsg net/socket.c:2582 [inline]\n__do_sys_sendmsg net/socket.c:2591 [inline]\n__se_sys_sendmsg+0x19e/0x270 net/socket.c:2589\ndo_syscall_x64 arch/x86/entry/common.c:51 [inline]\ndo_syscall_64+0x45/0x90 arch/x86/entry/common.c:81\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\nUpdate the policy to ensure correct validation." ], "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2025-05-13T00:00:00Z", "advisory" : "RHSA-2025:6966", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-570.12.1.el9_6" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2025-05-13T00:00:00Z", "advisory" : "RHSA-2025:6966", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-570.12.1.el9_6" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Out of support scope", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Out of support scope", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-56663\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-56663\nhttps://lore.kernel.org/linux-cve-announce/2024122752-CVE-2024-56663-66d7@gregkh/T" ], "name" : "CVE-2024-56663", "csaw" : false }