CVE-2023-52611
wifi: rtw88: sdio: Honor the host max_req_size in the RX path
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
In the Linux kernel, the following vulnerability has been resolved:
wifi: rtw88: sdio: Honor the host max_req_size in the RX path
Lukas reports skb_over_panic errors on his Banana Pi BPI-CM4 which comes
with an Amlogic A311D (G12B) SoC and a RTL8822CS SDIO wifi/Bluetooth
combo card. The error he observed is identical to what has been fixed
in commit e967229ead0e ("wifi: rtw88: sdio: Check the HISR RX_REQUEST
bit in rtw_sdio_rx_isr()") but that commit didn't fix Lukas' problem.
Lukas found that disabling or limiting RX aggregation works around the
problem for some time (but does not fully fix it). In the following
discussion a few key topics have been discussed which have an impact on
this problem:
- The Amlogic A311D (G12B) SoC has a hardware bug in the SDIO controller
which prevents DMA transfers. Instead all transfers need to go through
the controller SRAM which limits transfers to 1536 bytes
- rtw88 chips don't split incoming (RX) packets, so if a big packet is
received this is forwarded to the host in it's original form
- rtw88 chips can do RX aggregation, meaning more multiple incoming
packets can be pulled by the host from the card with one MMC/SDIO
transfer. This Depends on settings in the REG_RXDMA_AGG_PG_TH
register (BIT_RXDMA_AGG_PG_TH limits the number of packets that will
be aggregated, BIT_DMA_AGG_TO_V1 configures a timeout for aggregation
and BIT_EN_PRE_CALC makes the chip honor the limits more effectively)
Use multiple consecutive reads in rtw_sdio_read_port() and limit the
number of bytes which are copied by the host from the card in one
MMC/SDIO transfer. This allows receiving a buffer that's larger than
the hosts max_req_size (number of bytes which can be transferred in
one MMC/SDIO transfer). As a result of this the skb_over_panic error
is gone as the rtw88 driver is now able to receive more than 1536 bytes
from the card (either because the incoming packet is larger than that
or because multiple packets have been aggregated).
In case of an receive errors (-EILSEQ has been observed by Lukas) we
need to drain the remaining data from the card's buffer, otherwise the
card will return corrupt data for the next rtw_sdio_read_port() call.
En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: wifi: rtw88: sdio: respeta el host max_req_size en la ruta RX. Lukas informa errores skb_over_panic en su Banana Pi BPI-CM4 que viene con un SoC Amlogic A311D (G12B) y un RTL8822CS. Tarjeta combinada SDIO wifi/Bluetooth. El error que observó es idéntico a lo que se solucionó en el commit e967229ead0e ("wifi: rtw88: sdio: verifique el bit HISR RX_REQUEST en rtw_sdio_rx_isr()") pero esa confirmación no solucionó el problema de Lukas. Lukas descubrió que deshabilitar o limitar la agregación de RX soluciona el problema durante algún tiempo (pero no lo soluciona por completo). En la siguiente discusión se discutieron algunos temas clave que tienen un impacto en este problema: - El SoC Amlogic A311D (G12B) tiene un error de hardware en el controlador SDIO que impide las transferencias DMA. En lugar de ello, todas las transferencias deben pasar por el controlador SRAM, que limita las transferencias a 1536 bytes. Los chips rtw88 no dividen los paquetes entrantes (RX), por lo que si se recibe un paquete grande, este se reenvía al host en su forma original. Los chips rtw88 pueden realice la agregación RX, lo que significa que el host puede extraer más paquetes entrantes de la tarjeta con una transferencia MMC/SDIO. Esto depende de la configuración en el registro REG_RXDMA_AGG_PG_TH (BIT_RXDMA_AGG_PG_TH limita la cantidad de paquetes que se agregarán, BIT_DMA_AGG_TO_V1 configura un tiempo de espera para la agregación y BIT_EN_PRE_CALC hace que el chip respete los límites de manera más efectiva) Use múltiples lecturas consecutivas en rtw_sdio_read_port() y limite la cantidad de bytes que el host copia desde la tarjeta en una transferencia MMC/SDIO. Esto permite recibir un búfer que es mayor que el max_req_size del host (número de bytes que se pueden transferir en una transferencia MMC/SDIO). Como resultado de esto, el error skb_over_panic desapareció ya que el controlador rtw88 ahora puede recibir más de 1536 bytes de la tarjeta (ya sea porque el paquete entrante es más grande o porque se han agregado varios paquetes). En caso de errores de recepción (Lukas ha observado -EILSEQ), debemos drenar los datos restantes del búfer de la tarjeta; de lo contrario, la tarjeta devolverá datos corruptos para la siguiente llamada a rtw_sdio_read_port().
CVSS Scores
SSVC
- Decision:Track
Timeline
- 2024-03-06 CVE Reserved
- 2024-03-18 CVE Published
- 2024-03-19 EPSS Updated
- 2024-08-02 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
CAPEC
References (4)
| URL | Tag | Source |
|---|---|---|
| https://git.kernel.org/stable/c/65371a3f14e73979958aea0db1e3bb456a296149 | Vuln. Introduced |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 6.4 < 6.6.14 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.4 < 6.6.14" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 6.4 < 6.7.2 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.4 < 6.7.2" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 6.4 < 6.8 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.4 < 6.8" | en |
Affected
| ||||||