CVE-2022-50829

Summary

In the Linux kernel, the following vulnerability has been resolved:

wifi: ath9k: hif_usb: Fix use-after-free in ath9k_hif_usb_reg_in_cb()

It is possible that skb is freed in ath9k_htc_rx_msg(), then usb_submit_urb() fails and we try to free skb again. It causes use-after-free bug. Moreover, if alloc_skb() fails, urb->context becomes NULL but rx_buf is not freed and there can be a memory leak.

The patch removes unnecessary nskb and makes skb processing more clear: it is supposed that ath9k_htc_rx_msg() either frees old skb or passes its managing to another callback function.

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux3deff76095c4ac4252e27c537db3041f619c23a2 < 5e8751a977a49a6e00cce1a8da5ca16da83f9c8caffected
LinuxLinux3deff76095c4ac4252e27c537db3041f619c23a2 < f127c2b4c967025e5c3a4ce7e13b79135d46a33daffected
LinuxLinux3deff76095c4ac4252e27c537db3041f619c23a2 < 0c8dd2ea4b419da96ab4953e4967e9363e2f8a4faffected
LinuxLinux3deff76095c4ac4252e27c537db3041f619c23a2 < 988bd27de2484faf17afe0408db2e3d9e5ac61fcaffected
LinuxLinux3deff76095c4ac4252e27c537db3041f619c23a2 < 98d9172822dc6f38138333941984bd759a89d419affected
LinuxLinux3deff76095c4ac4252e27c537db3041f619c23a2 < 355f16f756aad0c95cdaa0c14a34ab4137d32815affected
LinuxLinux3deff76095c4ac4252e27c537db3041f619c23a2 < 53b9bb1a00c4285ee7f58a11129dbea015db61bcaffected
LinuxLinux3deff76095c4ac4252e27c537db3041f619c23a2 < 71fc0ad671a62c494d2aec731baeabd3bfe6c95daffected
LinuxLinux3deff76095c4ac4252e27c537db3041f619c23a2 < dd95f2239fc846795fc926787c3ae0ca701c9840affected
LinuxLinux3.0affected
LinuxLinux0 < 3.0unaffected
LinuxLinux4.9.337 <= 4.9.*unaffected
LinuxLinux4.14.303 <= 4.14.*unaffected
LinuxLinux4.19.270 <= 4.19.*unaffected
LinuxLinux5.4.229 <= 5.4.*unaffected
LinuxLinux5.10.163 <= 5.10.*unaffected
LinuxLinux5.15.86 <= 5.15.*unaffected
LinuxLinux6.0.16 <= 6.0.*unaffected
LinuxLinux6.1.2 <= 6.1.*unaffected
LinuxLinux6.2 <= *unaffected

Weaknesses

References