CVE-2022-50829
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath9k: hif_usb: Fix use-after-free in ath9k_hif_usb_reg_in_cb()
It is possible that skb is freed in ath9k_htc_rx_msg(), then usb_submit_urb() fails and we try to free skb again. It causes use-after-free bug. Moreover, if alloc_skb() fails, urb->context becomes NULL but rx_buf is not freed and there can be a memory leak.
The patch removes unnecessary nskb and makes skb processing more clear: it is supposed that ath9k_htc_rx_msg() either frees old skb or passes its managing to another callback function.
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 3deff76095c4ac4252e27c537db3041f619c23a2 < 5e8751a977a49a6e00cce1a8da5ca16da83f9c8c | affected |
| Linux | Linux | 3deff76095c4ac4252e27c537db3041f619c23a2 < f127c2b4c967025e5c3a4ce7e13b79135d46a33d | affected |
| Linux | Linux | 3deff76095c4ac4252e27c537db3041f619c23a2 < 0c8dd2ea4b419da96ab4953e4967e9363e2f8a4f | affected |
| Linux | Linux | 3deff76095c4ac4252e27c537db3041f619c23a2 < 988bd27de2484faf17afe0408db2e3d9e5ac61fc | affected |
| Linux | Linux | 3deff76095c4ac4252e27c537db3041f619c23a2 < 98d9172822dc6f38138333941984bd759a89d419 | affected |
| Linux | Linux | 3deff76095c4ac4252e27c537db3041f619c23a2 < 355f16f756aad0c95cdaa0c14a34ab4137d32815 | affected |
| Linux | Linux | 3deff76095c4ac4252e27c537db3041f619c23a2 < 53b9bb1a00c4285ee7f58a11129dbea015db61bc | affected |
| Linux | Linux | 3deff76095c4ac4252e27c537db3041f619c23a2 < 71fc0ad671a62c494d2aec731baeabd3bfe6c95d | affected |
| Linux | Linux | 3deff76095c4ac4252e27c537db3041f619c23a2 < dd95f2239fc846795fc926787c3ae0ca701c9840 | affected |
| Linux | Linux | 3.0 | affected |
| Linux | Linux | 0 < 3.0 | unaffected |
| Linux | Linux | 4.9.337 <= 4.9.* | unaffected |
| Linux | Linux | 4.14.303 <= 4.14.* | unaffected |
| Linux | Linux | 4.19.270 <= 4.19.* | unaffected |
| Linux | Linux | 5.4.229 <= 5.4.* | unaffected |
| Linux | Linux | 5.10.163 <= 5.10.* | unaffected |
| Linux | Linux | 5.15.86 <= 5.15.* | unaffected |
| Linux | Linux | 6.0.16 <= 6.0.* | unaffected |
| Linux | Linux | 6.1.2 <= 6.1.* | unaffected |
| Linux | Linux | 6.2 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/5e8751a977a49a6e00cce1a8da5ca16da83f9c8c
- https://git.kernel.org/stable/c/f127c2b4c967025e5c3a4ce7e13b79135d46a33d
- https://git.kernel.org/stable/c/0c8dd2ea4b419da96ab4953e4967e9363e2f8a4f
- https://git.kernel.org/stable/c/988bd27de2484faf17afe0408db2e3d9e5ac61fc
- https://git.kernel.org/stable/c/98d9172822dc6f38138333941984bd759a89d419
- https://git.kernel.org/stable/c/355f16f756aad0c95cdaa0c14a34ab4137d32815
- https://git.kernel.org/stable/c/53b9bb1a00c4285ee7f58a11129dbea015db61bc
- https://git.kernel.org/stable/c/71fc0ad671a62c494d2aec731baeabd3bfe6c95d
- https://git.kernel.org/stable/c/dd95f2239fc846795fc926787c3ae0ca701c9840
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.