CVE-2022-49235

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 26/02/2025
Last modified: 18/03/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

ath9k_htc: fix uninit value bugs

Syzbot reported 2 KMSAN bugs in ath9k. All of them are caused by missing field initialization.

In htc_connect_service() svc_meta_len and pad are not initialized. Based on code it looks like in current skb there is no service data, so simply initialize svc_meta_len to 0.

htc_issue_send() does not initialize htc_frame_hdr::control array. Based on firmware code, it will initialize it by itself, so simply zero whole array to make KMSAN happy.

Fail logs:

BUG: KMSAN: kernel-usb-infoleak in usb_submit_urb+0x6c1/0x2aa0 drivers/usb/core/urb.c:430
usb_submit_urb+0x6c1/0x2aa0 drivers/usb/core/urb.c:430
hif_usb_send_regout drivers/net/wireless/ath/ath9k/hif_usb.c:127 [inline]
hif_usb_send+0x5f0/0x16f0 drivers/net/wireless/ath/ath9k/hif_usb.c:479
htc_issue_send drivers/net/wireless/ath/ath9k/htc_hst.c:34 [inline]
htc_connect_service+0x143e/0x1960 drivers/net/wireless/ath/ath9k/htc_hst.c:275
...

Uninit was created at:
slab_post_alloc_hook mm/slab.h:524 [inline]
slab_alloc_node mm/slub.c:3251 [inline]
__kmalloc_node_track_caller+0xe0c/0x1510 mm/slub.c:4974
kmalloc_reserve net/core/skbuff.c:354 [inline]
__alloc_skb+0x545/0xf90 net/core/skbuff.c:426
alloc_skb include/linux/skbuff.h:1126 [inline]
htc_connect_service+0x1029/0x1960 drivers/net/wireless/ath/ath9k/htc_hst.c:258
...

Bytes 4-7 of 18 are uninitialized
Memory access of size 18 starts at ffff888027377e00

BUG: KMSAN: kernel-usb-infoleak in usb_submit_urb+0x6c1/0x2aa0 drivers/usb/core/urb.c:430
usb_submit_urb+0x6c1/0x2aa0 drivers/usb/core/urb.c:430
hif_usb_send_regout drivers/net/wireless/ath/ath9k/hif_usb.c:127 [inline]
hif_usb_send+0x5f0/0x16f0 drivers/net/wireless/ath/ath9k/hif_usb.c:479
htc_issue_send drivers/net/wireless/ath/ath9k/htc_hst.c:34 [inline]
htc_connect_service+0x143e/0x1960 drivers/net/wireless/ath/ath9k/htc_hst.c:275
...

Uninit was created at:
slab_post_alloc_hook mm/slab.h:524 [inline]
slab_alloc_node mm/slub.c:3251 [inline]
__kmalloc_node_track_caller+0xe0c/0x1510 mm/slub.c:4974
kmalloc_reserve net/core/skbuff.c:354 [inline]
__alloc_skb+0x545/0xf90 net/core/skbuff.c:426
alloc_skb include/linux/skbuff.h:1126 [inline]
htc_connect_service+0x1029/0x1960 drivers/net/wireless/ath/ath9k/htc_hst.c:258
...

Bytes 16-17 of 18 are uninitialized
Memory access of size 18 starts at ffff888027377e00
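As an added illustration (not the CVE record's or the kernel's own code): a userspace model of the 18-byte connect-service message from the KMSAN reports above, poisoned with a sentinel byte in place of leftover slab memory, showing which bytes would reach the USB URB unwritten before and after the two fixes in the commit. The struct layouts are assumptions modelled on the ath9k driver's htc_frame_hdr and htc_conn_svc_msg, and all field values are constructed.

```c
#include <stdint.h>
#include <string.h>

#define MSG_LEN 18
#define POISON  0xAA   /* stands in for whatever the slab left in the buffer */

struct frame_hdr {              /* assumed layout, modelled on htc_frame_hdr */
    uint8_t endpoint_id, flags;
    uint8_t payload_len[2];     /* big-endian */
    uint8_t control[4];         /* bytes 4-7: left for the firmware to fill */
} __attribute__((packed));

struct conn_svc_msg {           /* assumed layout, modelled on htc_conn_svc_msg */
    uint8_t msg_id[2], service_id[2], con_flags[2];
    uint8_t dl_pipeid, ul_pipeid;
    uint8_t svc_meta_len;       /* byte 16: no service data follows */
    uint8_t pad;                /* byte 17 */
} __attribute__((packed));

/* Fill buf the way the driver did before the fix (fixed == 0) and after it. */
static void build_connect_msg(uint8_t *buf, int fixed)
{
    struct frame_hdr *hdr = (struct frame_hdr *)buf;
    struct conn_svc_msg *msg = (struct conn_svc_msg *)(buf + sizeof *hdr);
    memset(buf, POISON, MSG_LEN);       /* alloc_skb() does not clear memory */
    hdr->endpoint_id = hdr->flags = 0;  /* constructed values from here on */
    hdr->payload_len[0] = 0; hdr->payload_len[1] = sizeof *msg;
    msg->msg_id[0] = 0;      msg->msg_id[1] = 0x04;
    msg->service_id[0] = 0;  msg->service_id[1] = 0x01;
    msg->con_flags[0] = 0;   msg->con_flags[1] = 0;
    msg->dl_pipeid = 1;      msg->ul_pipeid = 2;
    if (fixed) {                        /* the two changes from the commit */
        memset(hdr->control, 0, sizeof hdr->control);
        msg->svc_meta_len = 0;
        msg->pad = 0;
    }
}

/* Poor man's KMSAN: bit i set if byte i was never written (a field that really held 0xAA would be misreported). */
uint32_t uninit_bytes_in_connect_msg(int fixed)
{
    uint8_t buf[MSG_LEN];
    uint32_t mask = 0;
    build_connect_msg(buf, fixed);
    for (int i = 0; i < MSG_LEN; i++)
        if (buf[i] == POISON)
            mask |= 1u << i;
    return mask;                        /* 0x300F0 before the fix, 0 after */
}
```

The unfixed mask has exactly bits 4-7 and 16-17 set, matching the two "Bytes ... of 18 are uninitialized" lines in the reports; the same sentinel-fill-then-scan idea is a cheap way to catch missing initialization in host-side message builders before they ever hit a sanitizer.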

Vulnerable products and versions

CPE | From | Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 2.6.35 (including) | 4.9.311 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.10 (including) | 4.14.276 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.15 (including) | 4.19.238 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.20 (including) | 5.4.189 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.5 (including) | 5.10.110 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.33 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 5.16.19 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.17 (including) | 5.17.2 (excluding)