Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's handling of Wi-Fi TIDs (Traffic Identifiers) in the Realtek RTL8192CU wireless driver can lead to an out-of-bounds array access. The issue arises in the 'rtl92cu_tx_fill_desc' function, where the TID retrieved from 'ieee80211_get_tid' may exceed the valid range for the 'tids' array, potentially causing undefined behavior. This vulnerability affects the Linux kernel stable tree.
Exploitation of this vulnerability can lead to undefined behavior, including potential memory corruption, as indicated by a reported array index out-of-bounds error.
The vulnerability can be reproduced by configuring a wireless connection that uses the Realtek RTL8192CU driver. When the driver processes packets, it may retrieve a TID value that is out of range, leading to an array index out-of-bounds error. This can be observed using Undefined Behavior Sanitizer (UBSAN), which will report the out-of-bounds access.
Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. The patch is available in the Linux stable tree.
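The bug class described above, as an added user-space C model (not the kernel's code or the upstream patch): a 4-bit TID indexes a smaller per-TID table, shown unchecked and with a range check. `MODEL_TID_COUNT`, the struct and function names and the sample station are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* 802.11 QoS Control field: the TID is the low 4 bits, so 0..15 can arrive. */
#define QOS_CTL_TID_MASK 0x000fu
/* Assumed table size for this model; any size below 16 shows the same bug class. */
#define MODEL_TID_COUNT 9

struct model_tid_state { int agg_operational; };  /* hypothetical per-TID state */
struct model_sta { struct model_tid_state tids[MODEL_TID_COUNT]; };

/* Constructed sample station: aggregation is active on TID 5 only. */
struct model_sta sample_sta = { .tids = { [5] = { .agg_operational = 1 } } };

/* Models TID extraction from the QoS Control field (not the kernel helper). */
uint8_t model_get_tid(uint16_t qos_ctl)
{
    return (uint8_t)(qos_ctl & QOS_CTL_TID_MASK);
}

/* Flawed pattern: indexes the table with no range check.
 * Only defined when the TID is already known to be below MODEL_TID_COUNT. */
int tid_agg_unchecked(const struct model_sta *sta, uint16_t qos_ctl)
{
    return sta->tids[model_get_tid(qos_ctl)].agg_operational;
}

/* Hardened pattern: returns -1 for a TID outside the table so the caller
 * can skip per-TID handling instead of reading past the array. */
int tid_agg_checked(const struct model_sta *sta, uint16_t qos_ctl)
{
    uint8_t tid = model_get_tid(qos_ctl);

    if (tid >= MODEL_TID_COUNT)
        return -1;
    return sta->tids[tid].agg_operational;
}

/* Counts how many of the 16 possible TID values the range check rejects. */
int count_rejected_tids(void)
{
    int rejected = 0;

    for (uint16_t qos = 0; qos <= QOS_CTL_TID_MASK; qos++)
        if (tid_agg_checked(&sample_sta, qos) < 0)
            rejected++;
    return rejected;
}

int main(void)
{
    printf("TID 5 -> %d, TID 10 -> %d, rejected TIDs: %d\n",
           tid_agg_checked(&sample_sta, 0x0005),
           tid_agg_checked(&sample_sta, 0x012a), count_rejected_tids());
    return 0;
}
```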