Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2022-48876

Severity CVSS v4.0:
Pending analysis
Type:
CWE-476 NULL Pointer Dereference
Publication date:
21/08/2024
Last modified:
29/08/2024

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: mac80211: fix initialization of rx-&gt;link and rx-&gt;link_sta<br /> <br /> There are some codepaths that do not initialize rx-&gt;link_sta properly. This<br /> causes a crash in places which assume that rx-&gt;link_sta is valid if rx-&gt;sta<br /> is valid.<br /> One known instance is triggered by __ieee80211_rx_h_amsdu being called from<br /> fast-rx. It results in a crash like this one:<br /> <br /> BUG: kernel NULL pointer dereference, address: 00000000000000a8<br /> #PF: supervisor write access in kernel mode<br /> #PF: error_code(0x0002) - not-present page PGD 0 P4D 0<br /> Oops: 0002 [#1] PREEMPT SMP PTI<br /> CPU: 1 PID: 506 Comm: mt76-usb-rx phy Tainted: G E 6.1.0-debian64x+1.7 #3<br /> Hardware name: ZOTAC ZBOX-ID92/ZBOX-IQ01/ZBOX-ID92/ZBOX-IQ01, BIOS B220P007 05/21/2014<br /> RIP: 0010:ieee80211_deliver_skb+0x62/0x1f0 [mac80211]<br /> Code: 00 48 89 04 24 e8 9e a7 c3 df 89 c0 48 03 1c c5 a0 ea 39 a1 4c 01 6b 08 48 ff 03 48<br /> 83 7d 28 00 74 11 48 8b 45 30 48 63 55 44 83 84 d0 a8 00 00 00 01 41 8b 86 c0<br /> 11 00 00 8d 50 fd 83 fa 01<br /> RSP: 0018:ffff999040803b10 EFLAGS: 00010286<br /> RAX: 0000000000000000 RBX: ffffb9903f496480 RCX: 0000000000000000<br /> RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000<br /> RBP: ffff999040803ce0 R08: 0000000000000000 R09: 0000000000000000<br /> R10: 0000000000000000 R11: 0000000000000000 R12: ffff8d21828ac900<br /> R13: 000000000000004a R14: ffff8d2198ed89c0 R15: ffff8d2198ed8000<br /> FS: 0000000000000000(0000) GS:ffff8d24afe80000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 00000000000000a8 CR3: 0000000429810002 CR4: 00000000001706e0<br /> Call Trace:<br /> <br /> __ieee80211_rx_h_amsdu+0x1b5/0x240 [mac80211]<br /> ? ieee80211_prepare_and_rx_handle+0xcdd/0x1320 [mac80211]<br /> ? __local_bh_enable_ip+0x3b/0xa0<br /> ieee80211_prepare_and_rx_handle+0xcdd/0x1320 [mac80211]<br /> ? prepare_transfer+0x109/0x1a0 [xhci_hcd]<br /> ieee80211_rx_list+0xa80/0xda0 [mac80211]<br /> mt76_rx_complete+0x207/0x2e0 [mt76]<br /> mt76_rx_poll_complete+0x357/0x5a0 [mt76]<br /> mt76u_rx_worker+0x4f5/0x600 [mt76_usb]<br /> ? mt76_get_min_avg_rssi+0x140/0x140 [mt76]<br /> __mt76_worker_fn+0x50/0x80 [mt76]<br /> kthread+0xed/0x120<br /> ? kthread_complete_and_exit+0x20/0x20<br /> ret_from_fork+0x22/0x30<br /> <br /> Since the initialization of rx-&gt;link and rx-&gt;link_sta is rather convoluted<br /> and duplicated in many places, clean it up by using a helper function to<br /> set it.<br /> <br /> [remove unnecessary rx-&gt;sta-&gt;sta.mlo check]

Impact

Vector 3.x
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS v3.1 Severity and Metrics:

Base Score: 5.50 MEDIUM
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): None
Availability (A): High

Base Score 3.x
5.50
Severity 3.x
MEDIUM

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.1 (including) 6.1.8 (excluding)

To consult the complete list of CPE names with products and versions, see this page


References to Advisories, Solutions, and Tools