mirror of
https://github.com/0xMarcio/cve.git
synced 2025-05-06 10:41:43 +00:00
### [CVE-2023-52611](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-52611)
### Description
In the Linux kernel, the following vulnerability has been resolved:

wifi: rtw88: sdio: Honor the host max_req_size in the RX path

Lukas reports skb_over_panic errors on his Banana Pi BPI-CM4 which comes with an Amlogic A311D (G12B) SoC and a RTL8822CS SDIO wifi/Bluetooth combo card. The error he observed is identical to what has been fixed in commit e967229ead0e ("wifi: rtw88: sdio: Check the HISR RX_REQUEST bit in rtw_sdio_rx_isr()") but that commit didn't fix Lukas' problem.

Lukas found that disabling or limiting RX aggregation works around the problem for some time (but does not fully fix it). In the following discussion a few key topics have been discussed which have an impact on this problem:

- The Amlogic A311D (G12B) SoC has a hardware bug in the SDIO controller which prevents DMA transfers. Instead all transfers need to go through the controller SRAM which limits transfers to 1536 bytes
- rtw88 chips don't split incoming (RX) packets, so if a big packet is received this is forwarded to the host in its original form
- rtw88 chips can do RX aggregation, meaning multiple incoming packets can be pulled by the host from the card with one MMC/SDIO transfer. This depends on settings in the REG_RXDMA_AGG_PG_TH register (BIT_RXDMA_AGG_PG_TH limits the number of packets that will be aggregated, BIT_DMA_AGG_TO_V1 configures a timeout for aggregation and BIT_EN_PRE_CALC makes the chip honor the limits more effectively)

Use multiple consecutive reads in rtw_sdio_read_port() and limit the number of bytes which are copied by the host from the card in one MMC/SDIO transfer. This allows receiving a buffer that's larger than the host's max_req_size (number of bytes which can be transferred in one MMC/SDIO transfer). As a result of this the skb_over_panic error is gone as the rtw88 driver is now able to receive more than 1536 bytes from the card (either because the incoming packet is larger than that or because multiple packets have been aggregated).

In case of receive errors (-EILSEQ has been observed by Lukas) we need to drain the remaining data from the card's buffer, otherwise the card will return corrupt data for the next rtw_sdio_read_port() call.
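
The read strategy described above, as a user-space C model added here for illustration; it is not the kernel patch or rtw88 driver code. `mock_card`, `mock_xfer` and `read_port_chunked` are hypothetical names, the 4000-byte FIFO is constructed sample data, and reporting the first error is an assumption of this sketch.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the card's RX FIFO and the host controller. */
struct mock_card {
    const unsigned char *fifo;  /* data pending on the card */
    size_t len, pos;            /* FIFO size and bytes already pulled */
    size_t max_req_size;        /* host limit per transfer (1536 on the A311D) */
    int fail_on_xfer;           /* 1-based transfer to corrupt, 0 = none */
    int xfers;                  /* transfers issued so far */
};

/* One MMC/SDIO transfer. The bytes leave the FIFO even when it fails. */
static int mock_xfer(struct mock_card *c, unsigned char *dst, size_t n)
{
    if (n > c->max_req_size || n > c->len - c->pos)
        return -EINVAL;
    memcpy(dst, c->fifo + c->pos, n);
    c->pos += n;
    return ++c->xfers == c->fail_on_xfer ? -EILSEQ : 0;
}

/* Pull `count` bytes using consecutive transfers of at most max_req_size. */
int read_port_chunked(struct mock_card *c, unsigned char *buf,
                      size_t buf_len, size_t count)
{
    int err = 0;
    if (count > buf_len)        /* never copy past the receive buffer */
        return -EMSGSIZE;
    while (count > 0) {
        size_t n = count < c->max_req_size ? count : c->max_req_size;
        int ret = mock_xfer(c, buf, n);
        if (ret && !err)
            err = ret;          /* report it, but keep draining the FIFO */
        buf += n;
        count -= n;
    }
    return err;
}

int main(void)
{
    static unsigned char data[4000], buf[4000];
    struct mock_card c = { data, sizeof data, 0, 1536, 2, 0 };
    int ret = read_port_chunked(&c, buf, sizeof buf, sizeof data);
    printf("ret=%d transfers=%d drained=%zu\n", ret, c.xfers, c.pos);
    return 0;
}
```

A caller that gets a non-zero return must treat the buffer contents as corrupt and discard them; the point of continuing the loop is only that the next read starts from an empty card FIFO.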
### POC
#### Reference
No PoCs from references.
#### Github
- https://github.com/NaInSec/CVE-LIST