Wind River Support Network

Fixed

LIN1022-16989 : Security Advisory - linux - CVE-2025-38513

Created: Aug 17, 2025    Updated: Aug 28, 2025
Resolved Date: Aug 28, 2025
Found In Version: 10.22.33.1
Severity: Standard
Applicable for: Wind River Linux LTS 22
Component/s: Kernel

Description

In the Linux kernel, the following vulnerability has been resolved:

wifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev()

There is a potential NULL pointer dereference in zd_mac_tx_to_dev(). For
example, the following is possible:

        T0                                  T1
zd_mac_tx_to_dev()
  /* len == skb_queue_len(q) */
  while (len > ZD_MAC_MAX_ACK_WAITERS) {

                                          filter_ack()
                                            spin_lock_irqsave(&q->lock, flags);
                                            /* position == skb_queue_len(q) */
                                            for (i=1; i<position; i++)
                                              skb = __skb_dequeue(q)

                                            if (mac->type == NL80211_IFTYPE_AP)
                                              skb = __skb_dequeue(q);
                                            spin_unlock_irqrestore(&q->lock, flags);

    skb_dequeue() -> NULL

Since there is a small gap between checking skb queue length and skb being
unconditionally dequeued in zd_mac_tx_to_dev(), skb_dequeue() can return NULL.
Then the pointer is passed to zd_mac_tx_status() where it is dereferenced.

In order to avoid potential NULL pointer dereference due to situations like
above, check if skb is not NULL before passing it to zd_mac_tx_status().

Found by Linux Verification Center (linuxtesting.org) with SVACE.
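
The check-then-dequeue gap described above, modelled in user-space C as an added example (not the kernel patch and not Wind River code). The names trim(), drain(), run_case() and the constants are hypothetical stand-ins, and the T1 interleaving is forced deterministically instead of running on a second thread.

```c
#include <stddef.h>
#include <stdio.h>

#define MAX_ACK_WAITERS 2   /* stand-in for ZD_MAC_MAX_ACK_WAITERS */
#define NPKT 4              /* constructed sample queue depth */

struct pkt { int id; };
struct queue { struct pkt *slot[NPKT]; size_t head, len; };

/* Like skb_dequeue(): returns NULL when the queue is empty. */
static struct pkt *dequeue(struct queue *q)
{
    if (q->len == 0)
        return NULL;
    q->len--;
    return q->slot[q->head++];
}

/* Models filter_ack() on T1 emptying the queue inside the gap. */
static void drain(struct queue *q) { while (dequeue(q)) ; }

/* Returns packets reported, or -1 where NULL would reach the status handler. */
static int trim(struct queue *q, int check_null, int race)
{
    int reported = 0;
    while (q->len > MAX_ACK_WAITERS) {   /* T0: length check */
        if (race) drain(q);              /* T1 runs before T0 dequeues */
        struct pkt *p = dequeue(q);
        if (!p) {
            if (check_null) break;       /* checked: nothing left to report */
            return -1;                   /* unchecked: NULL gets dereferenced */
        }
        reported++;                      /* stands for zd_mac_tx_status(p) */
    }
    return reported;
}

/* Builds a constructed 4-packet queue and trims it under the given conditions. */
static int run_case(int check_null, int race)
{
    struct pkt pkts[NPKT] = { {0}, {1}, {2}, {3} };
    struct queue q = { {0}, 0, 0 };
    for (size_t i = 0; i < NPKT; i++) q.slot[q.len++] = &pkts[i];
    return trim(&q, check_null, race);
}

int main(void)
{
    printf("unchecked=%d checked=%d\n", run_case(0, 1), run_case(1, 1));
    return 0;
}
```

Without the interleaving both variants report the same two packets, so the missing check only shows up when the other path wins the race.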

CREATE(Triage):(User=pbi-cn) [CVE-2025-38513 (https://nvd.nist.gov/vuln/detail/CVE-2025-38513)
