Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2022-48875

Severity CVSS v4.0:
Pending analysis
Type:
CWE-476 NULL Pointer Dereference
Publication date:
21/08/2024
Last modified:
04/09/2024

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: mac80211: sdata can be NULL during AMPDU start<br /> <br /> ieee80211_tx_ba_session_handle_start() may get NULL for sdata when a<br /> deauthentication is ongoing.<br /> <br /> Here a trace triggering the race with the hostapd test<br /> multi_ap_fronthaul_on_ap:<br /> <br /> (gdb) list *drv_ampdu_action+0x46<br /> 0x8b16 is in drv_ampdu_action (net/mac80211/driver-ops.c:396).<br /> 391 int ret = -EOPNOTSUPP;<br /> 392<br /> 393 might_sleep();<br /> 394<br /> 395 sdata = get_bss_sdata(sdata);<br /> 396 if (!check_sdata_in_driver(sdata))<br /> 397 return -EIO;<br /> 398<br /> 399 trace_drv_ampdu_action(local, sdata, params);<br /> 400<br /> <br /> wlan0: moving STA 02:00:00:00:03:00 to state 3<br /> wlan0: associated<br /> wlan0: deauthenticating from 02:00:00:00:03:00 by local choice (Reason: 3=DEAUTH_LEAVING)<br /> wlan3.sta1: Open BA session requested for 02:00:00:00:00:00 tid 0<br /> wlan3.sta1: dropped frame to 02:00:00:00:00:00 (unauthorized port)<br /> wlan0: moving STA 02:00:00:00:03:00 to state 2<br /> wlan0: moving STA 02:00:00:00:03:00 to state 1<br /> wlan0: Removed STA 02:00:00:00:03:00<br /> wlan0: Destroyed STA 02:00:00:00:03:00<br /> BUG: unable to handle page fault for address: fffffffffffffb48<br /> PGD 11814067 P4D 11814067 PUD 11816067 PMD 0<br /> Oops: 0000 [#1] PREEMPT SMP PTI<br /> CPU: 2 PID: 133397 Comm: kworker/u16:1 Tainted: G W 6.1.0-rc8-wt+ #59<br /> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-20220807_005459-localhost 04/01/2014<br /> Workqueue: phy3 ieee80211_ba_session_work [mac80211]<br /> RIP: 0010:drv_ampdu_action+0x46/0x280 [mac80211]<br /> Code: 53 48 89 f3 be 89 01 00 00 e8 d6 43 bf ef e8 21 46 81 f0 83 bb a0 1b 00 00 04 75 0e 48 8b 9b 28 0d 00 00 48 81 eb 10 0e 00 00 93 58 09 00 00 f6 c2 20 0f 84 3b 01 00 00 8b 05 dd 1c 0f 00 85<br /> RSP: 0018:ffffc900025ebd20 EFLAGS: 00010287<br /> RAX: 0000000000000000 RBX: fffffffffffff1f0 RCX: ffff888102228240<br /> RDX: 0000000080000000 RSI: ffffffff918c5de0 RDI: ffff888102228b40<br /> RBP: ffffc900025ebd40 R08: 0000000000000001 R09: 0000000000000001<br /> R10: 0000000000000001 R11: 0000000000000000 R12: ffff888118c18ec0<br /> R13: 0000000000000000 R14: ffffc900025ebd60 R15: ffff888018b7efb8<br /> FS: 0000000000000000(0000) GS:ffff88817a600000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: fffffffffffffb48 CR3: 0000000105228006 CR4: 0000000000170ee0<br /> Call Trace:<br /> <br /> ieee80211_tx_ba_session_handle_start+0xd0/0x190 [mac80211]<br /> ieee80211_ba_session_work+0xff/0x2e0 [mac80211]<br /> process_one_work+0x29f/0x620<br /> worker_thread+0x4d/0x3d0<br /> ? process_one_work+0x620/0x620<br /> kthread+0xfb/0x120<br /> ? kthread_complete_and_exit+0x20/0x20<br /> ret_from_fork+0x22/0x30<br />

Impact

Vector 3.x
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS v3.1 Severity and Metrics:

Base Score: 5.50 MEDIUM
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): None
Availability (A): High

Base Score 3.x
5.50
Severity 3.x
MEDIUM

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.10.165 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (including) 5.15.90 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 6.1.8 (excluding)

To consult the complete list of CPE names with products and versions, see this page


References to Advisories, Solutions, and Tools