{"id":"CVE-2025-38348","summary":"wifi: p54: prevent buffer-overflow in p54_rx_eeprom_readback()","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: p54: prevent buffer-overflow in p54_rx_eeprom_readback()\n\nRobert Morris reported:\n\n|If a malicious USB device pretends to be an Intersil p54 wifi\n|interface and generates an eeprom_readback message with a large\n|eeprom-\u003ev1.len, p54_rx_eeprom_readback() will copy data from the\n|message beyond the end of priv-\u003eeeprom.\n|\n|static void p54_rx_eeprom_readback(struct p54_common *priv,\n|                                   struct sk_buff *skb)\n|{\n|        struct p54_hdr *hdr = (struct p54_hdr *) skb-\u003edata;\n|        struct p54_eeprom_lm86 *eeprom = (struct p54_eeprom_lm86 *) hdr-\u003edata;\n|\n|        if (priv-\u003efw_var \u003e= 0x509) {\n|                memcpy(priv-\u003eeeprom, eeprom-\u003ev2.data,\n|                       le16_to_cpu(eeprom-\u003ev2.len));\n|        } else {\n|                memcpy(priv-\u003eeeprom, eeprom-\u003ev1.data,\n|                       le16_to_cpu(eeprom-\u003ev1.len));\n|        }\n| [...]\n\nThe eeprom-\u003ev{1,2}.len is set by the driver in p54_download_eeprom().\nThe device is supposed to provide the same length back to the driver.\nBut yes, it's possible (like shown in the report) to alter the value\nto something that causes a crash/panic due to overrun.\n\nThis patch addresses the issue by adding the size to the common device\ncontext, so p54_rx_eeprom_readback no longer relies on possibly tampered\nvalues... That said, it also checks if the \"firmware\" altered the value\nand no longer copies them.\n\nThe one, small saving grace is: Before the driver tries to read the eeprom,\nit needs to upload \u003ea\u003c firmware. the vendor firmware has a proprietary\nlicense and as a reason, it is not present on most distributions by\ndefault.","modified":"2026-04-15T23:59:57.062536671Z","published":"2025-07-10T08:15:15.883Z","related":["SUSE-SU-2025:02853-1","SUSE-SU-2025:02923-1","SUSE-SU-2025:02969-1","SUSE-SU-2025:02996-1","SUSE-SU-2025:02997-1","SUSE-SU-2025:03011-1","SUSE-SU-2025:03023-1","SUSE-SU-2025:20577-1","SUSE-SU-2025:20586-1","SUSE-SU-2025:20601-1","SUSE-SU-2025:20602-1","SUSE-SU-2025:21074-1","SUSE-SU-2025:21139-1","SUSE-SU-2025:21179-1","openSUSE-SU-2025:20081-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38348.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/0e4dc150423b829c35cbcf399481ca11594fc036"},{"type":"WEB","url":"https://git.kernel.org/stable/c/12134f79e53eb56b0b0b7447fa0c512acf6a8422"},{"type":"WEB","url":"https://git.kernel.org/stable/c/1f7f8168abe8cbe845ab8bb557228d44784a6b57"},{"type":"WEB","url":"https://git.kernel.org/stable/c/6d05390d20f110de37d051a3e063ef0a542d01fb"},{"type":"WEB","url":"https://git.kernel.org/stable/c/714afb4c38edd19a057d519c1f9c5d164b43de94"},{"type":"WEB","url":"https://git.kernel.org/stable/c/9701f842031b825e2fd5f22d064166f8f13f6e4d"},{"type":"WEB","url":"https://git.kernel.org/stable/c/da1b9a55ff116cb040528ef664c70a4eec03ae99"},{"type":"WEB","url":"https://git.kernel.org/stable/c/f39b2f8c1549a539846e083790fad396ef6cd802"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38348.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-38348"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"7cb770729ba895f73253dfcd46c3fcba45d896f9"},{"fixed":"12134f79e53eb56b0b0b7447fa0c512acf6a8422"},{"fixed":"9701f842031b825e2fd5f22d064166f8f13f6e4d"},{"fixed":"1f7f8168abe8cbe845ab8bb557228d44784a6b57"},{"fixed":"f39b2f8c1549a539846e083790fad396ef6cd802"},{"fixed":"0e4dc150423b829c35cbcf399481ca11594fc036"},{"fixed":"6d05390d20f110de37d051a3e063ef0a542d01fb"},{"fixed":"714afb4c38edd19a057d519c1f9c5d164b43de94"},{"fixed":"da1b9a55ff116cb040528ef664c70a4eec03ae99"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38348.json"}}],"schema_version":"1.7.5"}