Linux · Linux Kernel · CVE-2024-49930
Name of the Vulnerable Software and Affected Versions:
Linux kernel versions prior to 6.6.58
Description:
The issue is an out-of-bounds array access in the SoC stats of the wifi: ath11k module. The `ath11k_soc_dp_stats::hal_reo_error` array is defined with a maximum size of `DP_REO_DST_RING_MAX`. However, the `ath11k_dp_process_rx()` function accesses this array using the REO destination SRNG ring ID, which is incorrect. This leads to out-of-bounds array access. The fix involves modifying the `ath11k_dp_process_rx()` function to use the normal ring ID directly instead of the SRNG ring ID.
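The indexing mistake described above, as an added user-space model (not the kernel's code): `struct dp_model`, its fields, the array size of 4 and the SRNG ID values are constructed assumptions. It counts how many rings would index outside the counter array under each scheme, using a bounds-checked increment so nothing is actually written out of range.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Constructed model: the array size and SRNG IDs below are assumptions. */
#define DP_REO_DST_RING_MAX 4

struct dp_model {
    uint8_t srng_ring_id[DP_REO_DST_RING_MAX];   /* hardware SRNG ID per ring */
    uint32_t hal_reo_error[DP_REO_DST_RING_MAX]; /* per-ring error counters */
};

static void dp_model_init(struct dp_model *dp)
{
    /* Constructed SRNG IDs; two of them exceed the counter array size. */
    static const uint8_t ids[DP_REO_DST_RING_MAX] = { 1, 3, 9, 12 };
    for (size_t i = 0; i < DP_REO_DST_RING_MAX; i++) {
        dp->srng_ring_id[i] = ids[i];
        dp->hal_reo_error[i] = 0;
    }
}

/* Bounds-checked increment: 0 on success, -1 if idx is outside the array. */
static int count_reo_error(struct dp_model *dp, size_t idx)
{
    if (idx >= DP_REO_DST_RING_MAX)
        return -1;
    dp->hal_reo_error[idx]++;
    return 0;
}

/* Rings whose index falls outside hal_reo_error[]: SRNG ID vs. ring ID. */
static int count_oob_rings(int use_srng_id)
{
    struct dp_model dp;
    int oob = 0;
    dp_model_init(&dp);
    for (size_t ring = 0; ring < DP_REO_DST_RING_MAX; ring++) {
        size_t idx = use_srng_id ? dp.srng_ring_id[ring] : ring;
        if (count_reo_error(&dp, idx) != 0)
            oob++;
    }
    return oob;
}

int main(void)
{
    printf("SRNG index OOB: %d, ring index OOB: %d\n", count_oob_rings(1), count_oob_rings(0));
    return 0;
}
```

Even the SRNG IDs that happen to fall inside the array in this model increment the wrong ring's counter, so the statistics are wrong as well as the memory access.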
Recommendations:
To resolve the issue, update the Linux kernel to version 6.6.58 or later. As a temporary workaround, consider modifying the `ath11k_dp_process_rx()` function to use the normal ring ID directly instead of the SRNG ring ID to avoid out-of-bounds array access.