| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Information disclosure when UE receives the RTP packet from the network, while decoding and reassembling the fragments from RTP packet. |
| Memory corruption during video playback when video session open fails with time out error. |
| Information disclosure while exposing internal TA-to-TA communication APIs to HLOS |
| Memory corruption while handling IOCTL calls to set mode. |
| Memory corruption while routing GPR packets between user and root when handling large data packet. |
| Memory corruption while loading an invalid firmware in boot loader. |
| In the Linux kernel, the following vulnerability has been resolved:
wifi: ath11k: fix node corruption in ar->arvifs list
In current WLAN recovery code flow, ath11k_core_halt() only
reinitializes the "arvifs" list head. This will cause the
list node immediately following the list head to become an
invalid list node. Because the prev of that node still points
to the list head "arvifs", but the next of the list head "arvifs"
no longer points to that list node.
When a WLAN recovery occurs during the execution of a vif
removal, and it happens before the spin_lock_bh(&ar->data_lock)
in ath11k_mac_op_remove_interface(), list_del() will detect the
previously mentioned situation, thereby triggering a kernel panic.
The fix is to remove and reinitialize all vif list nodes from the
list head "arvifs" during WLAN halt. The reinitialization is to make
the list nodes valid, ensuring that the list_del() in
ath11k_mac_op_remove_interface() can execute normally.
Call trace:
__list_del_entry_valid_or_report+0xb8/0xd0
ath11k_mac_op_remove_interface+0xb0/0x27c [ath11k]
drv_remove_interface+0x48/0x194 [mac80211]
ieee80211_do_stop+0x6e0/0x844 [mac80211]
ieee80211_stop+0x44/0x17c [mac80211]
__dev_close_many+0xac/0x150
__dev_change_flags+0x194/0x234
dev_change_flags+0x24/0x6c
devinet_ioctl+0x3a0/0x670
inet_ioctl+0x200/0x248
sock_do_ioctl+0x60/0x118
sock_ioctl+0x274/0x35c
__arm64_sys_ioctl+0xac/0xf0
invoke_syscall+0x48/0x114
...
Tested-on: QCA6698AQ hw2.1 PCI WLAN.HSP.1.1-04591-QCAHSPSWPL_V1_V2_SILICONZ_IOE-1 |
| Memory corruption may occur while attaching VM when the HLOS retains access to VM. |
| Information disclosure may occur while decoding the RTP packet with invalid header extension from network. |
| Transient DOS while processing the EHT operation IE in the received beacon frame. |
| Information disclosure when an invalid RTCP packet is received during a VoLTE/VoWiFi IMS call. |
| Information disclosure may occur while processing goodbye RTCP packet from network. |
| Information disclosure while decoding RTP packet received by UE from the network, when payload length mentioned is greater than the available buffer length. |
| Transient DOS while parsing the EPTM test control message to get the test pattern. |
| Memory corruption in Graphics Linux while assigning shared virtual memory region during IOCTL call. |
| Memory corruption while assigning memory from the source DDR memory(HLOS) to ADSP. |
| memory corruption when an invalid firehose patch command is invoked. |
| Transient DOS when processing the non-transmitted BSSID profile sub-elements present within the MBSSID Information Element (IE) of a beacon frame that is received from over-the-air (OTA). |
| Cryptographic issue while parsing RSA keys in COBR format. |
| Transient DOS when registration accept OTA is received with incorrect ciphering key data IE in Modem. |
