Acknowledged
Created: Jul 11, 2025
Updated: Jul 14, 2025
Found In Version: 10.23.30.1
Severity: Standard
Applicable for: Wind River Linux LTS 23
Component/s: Kernel
In the Linux kernel, the following vulnerability has been resolved:

wifi: p54: prevent buffer-overflow in p54_rx_eeprom_readback()

Robert Morris reported:

|If a malicious USB device pretends to be an Intersil p54 wifi
|interface and generates an eeprom_readback message with a large
|eeprom->v1.len, p54_rx_eeprom_readback() will copy data from the
|message beyond the end of priv->eeprom.
|
|static void p54_rx_eeprom_readback(struct p54_common *priv,
|                                   struct sk_buff *skb)
|{
|        struct p54_hdr *hdr = (struct p54_hdr *) skb->data;
|        struct p54_eeprom_lm86 *eeprom = (struct p54_eeprom_lm86 *) hdr->data;
|
|        if (priv->fw_var >= 0x509) {
|                memcpy(priv->eeprom, eeprom->v2.data,
|                       le16_to_cpu(eeprom->v2.len));
|        } else {
|                memcpy(priv->eeprom, eeprom->v1.data,
|                       le16_to_cpu(eeprom->v1.len));
|        }
| [...]

The eeprom->v{1,2}.len is set by the driver in p54_download_eeprom().
The device is supposed to provide the same length back to the driver.
But yes, it's possible (like shown in the report) to alter the value
to something that causes a crash/panic due to overrun.

This patch addresses the issue by adding the size to the common device
context, so p54_rx_eeprom_readback no longer relies on possibly tampered
values... That said, it also checks if the "firmware" altered the value
and no longer copies them.

The one, small saving grace is: Before the driver tries to read the eeprom,
it needs to upload >a< firmware. The vendor firmware has a proprietary
license and as a reason, it is not present on most distributions by
default.
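
The fix described above, modelled in user space as an added example (not the kernel patch and not code from this record): the handler copies a length chosen by the host and rejects a readback whose echoed length differs. The struct dev_ctx type, the expected_len field, the rx_readback() function, the message layout and the buffer size are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define EEPROM_BUF_SIZE 64 /* constructed size, not the driver's */

/* Hypothetical stand-in for the driver's common device context. */
struct dev_ctx {
    uint8_t  eeprom[EEPROM_BUF_SIZE]; /* destination of the readback */
    uint16_t expected_len;            /* length the host requested */
};

/* Constructed message layout: 2-byte little-endian length, then data.
 * Returns 0 after a bounded copy, -1 if the message is rejected. */
static int rx_readback(struct dev_ctx *ctx, const uint8_t *msg, size_t msg_len)
{
    uint16_t claimed;

    if (msg_len < 2)
        return -1;                       /* length field truncated */
    claimed = (uint16_t)(msg[0] | (msg[1] << 8));

    /* The device must echo the requested length; a different value is
     * treated as tampering and nothing is copied. */
    if (claimed != ctx->expected_len)
        return -1;
    /* The host-side length must fit the destination and the message. */
    if (ctx->expected_len > sizeof(ctx->eeprom) ||
        ctx->expected_len > msg_len - 2)
        return -1;

    memcpy(ctx->eeprom, msg + 2, ctx->expected_len); /* host-chosen size */
    return 0;
}

int main(void)
{
    struct dev_ctx ctx = { .expected_len = 4 };
    const uint8_t good[] = { 4, 0, 0xde, 0xad, 0xbe, 0xef };   /* constructed */
    const uint8_t evil[] = { 0xff, 0xff, 1, 2, 3, 4 };         /* len = 65535 */

    printf("good: %d\n", rx_readback(&ctx, good, sizeof(good)));
    printf("evil: %d\n", rx_readback(&ctx, evil, sizeof(evil)));
    return 0;
}
```
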
CREATE(Triage):(User=admin) [CVE-2025-38348 (https://nvd.nist.gov/vuln/detail/CVE-2025-38348)