CVE-2022-49235
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
26/02/2025
Last modified:
18/03/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

ath9k_htc: fix uninit value bugs

Syzbot reported 2 KMSAN bugs in ath9k. All of them are caused by missing
field initialization.

In htc_connect_service() svc_meta_len and pad are not initialized. Based
on the code it looks like in the current skb there is no service data, so simply
initialize svc_meta_len to 0.

htc_issue_send() does not initialize the htc_frame_hdr::control array. Based
on the firmware code, it will initialize it by itself, so simply zero the whole
array to make KMSAN happy.

Fail logs:

BUG: KMSAN: kernel-usb-infoleak in usb_submit_urb+0x6c1/0x2aa0 drivers/usb/core/urb.c:430
usb_submit_urb+0x6c1/0x2aa0 drivers/usb/core/urb.c:430
hif_usb_send_regout drivers/net/wireless/ath/ath9k/hif_usb.c:127 [inline]
hif_usb_send+0x5f0/0x16f0 drivers/net/wireless/ath/ath9k/hif_usb.c:479
htc_issue_send drivers/net/wireless/ath/ath9k/htc_hst.c:34 [inline]
htc_connect_service+0x143e/0x1960 drivers/net/wireless/ath/ath9k/htc_hst.c:275
...

Uninit was created at:
slab_post_alloc_hook mm/slab.h:524 [inline]
slab_alloc_node mm/slub.c:3251 [inline]
__kmalloc_node_track_caller+0xe0c/0x1510 mm/slub.c:4974
kmalloc_reserve net/core/skbuff.c:354 [inline]
__alloc_skb+0x545/0xf90 net/core/skbuff.c:426
alloc_skb include/linux/skbuff.h:1126 [inline]
htc_connect_service+0x1029/0x1960 drivers/net/wireless/ath/ath9k/htc_hst.c:258
...

Bytes 4-7 of 18 are uninitialized
Memory access of size 18 starts at ffff888027377e00

BUG: KMSAN: kernel-usb-infoleak in usb_submit_urb+0x6c1/0x2aa0 drivers/usb/core/urb.c:430
usb_submit_urb+0x6c1/0x2aa0 drivers/usb/core/urb.c:430
hif_usb_send_regout drivers/net/wireless/ath/ath9k/hif_usb.c:127 [inline]
hif_usb_send+0x5f0/0x16f0 drivers/net/wireless/ath/ath9k/hif_usb.c:479
htc_issue_send drivers/net/wireless/ath/ath9k/htc_hst.c:34 [inline]
htc_connect_service+0x143e/0x1960 drivers/net/wireless/ath/ath9k/htc_hst.c:275
...

Uninit was created at:
slab_post_alloc_hook mm/slab.h:524 [inline]
slab_alloc_node mm/slub.c:3251 [inline]
__kmalloc_node_track_caller+0xe0c/0x1510 mm/slub.c:4974
kmalloc_reserve net/core/skbuff.c:354 [inline]
__alloc_skb+0x545/0xf90 net/core/skbuff.c:426
alloc_skb include/linux/skbuff.h:1126 [inline]
htc_connect_service+0x1029/0x1960 drivers/net/wireless/ath/ath9k/htc_hst.c:258
...

Bytes 16-17 of 18 are uninitialized
Memory access of size 18 starts at ffff888027377e00
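Both KMSAN reports point at the same 18-byte buffer: the skb allocated in htc_connect_service() and handed to usb_submit_urb(), where bytes 4-7 and 16-17 still hold whatever the slab allocator left behind. The following user-space C program is an added example, not code from the kernel or from the fix commits. It models that frame as an 8-byte header followed by a 10-byte connect-service message (the struct and field names, the sample field values and the 0xA5 "stale heap" marker are all assumptions for illustration), reproduces the original path that leaves control[], svc_meta_len and pad unwritten, and applies the patch's approach of zeroing them:

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Wire layout assumed for this example: an 8-byte frame header followed by a
 * 10-byte connect-service message, 18 bytes in total, matching the size of the
 * USB transfer in the KMSAN reports. Field names are modelled on the ath9k
 * driver but are an assumption here, not copied from its headers.
 */
struct __attribute__((packed)) frame_hdr {
    uint8_t  endpoint_id;
    uint8_t  flags;
    uint16_t payload_len;    /* big-endian on the wire */
    uint8_t  control[4];     /* offsets 4-7: never written by the buggy path */
};

struct __attribute__((packed)) conn_svc_msg {
    uint16_t msg_id;
    uint16_t service_id;
    uint16_t con_flags;
    uint8_t  dl_pipeid;
    uint8_t  ul_pipeid;
    uint8_t  svc_meta_len;   /* offset 16: never written by the buggy path */
    uint8_t  pad;            /* offset 17: never written by the buggy path */
};

#define FRAME_LEN  (sizeof(struct frame_hdr) + sizeof(struct conn_svc_msg))
#define STALE_BYTE 0xA5      /* stands in for whatever the slab left behind */

static uint16_t be16(uint16_t v) { return (uint16_t)((v << 8) | (v >> 8)); }

/* Emulates alloc_skb()/kmalloc(): the buffer comes back holding stale data. */
static uint8_t *alloc_stale(size_t n)
{
    uint8_t *p = malloc(n);
    if (p)
        memset(p, STALE_BYTE, n);
    return p;
}

/*
 * Fill in the frame the way htc_connect_service()/htc_issue_send() do.
 * fixed == 0 reproduces the original code path, which assigns only some
 * fields; fixed != 0 applies the patch's approach: zero svc_meta_len, pad
 * and the control[] array before the buffer leaves the host.
 */
static void build_connect_frame(uint8_t *buf, int fixed)
{
    struct frame_hdr *hdr = (struct frame_hdr *)buf;
    struct conn_svc_msg *msg = (struct conn_svc_msg *)(buf + sizeof(*hdr));

    msg->msg_id     = be16(0x0004);   /* constructed sample values */
    msg->service_id = be16(0x0100);
    msg->con_flags  = be16(0x0000);
    msg->dl_pipeid  = 2;
    msg->ul_pipeid  = 3;
    if (fixed) {
        msg->svc_meta_len = 0;        /* no service metadata in this skb */
        msg->pad = 0;
    }

    hdr->endpoint_id = 0;
    hdr->flags       = 0;
    hdr->payload_len = be16((uint16_t)sizeof(*msg));
    if (fixed)
        memset(hdr->control, 0, sizeof(hdr->control));
}

/* Bit i set => byte i of the 18-byte frame still holds stale allocator data. */
uint32_t uninit_mask(int fixed)
{
    uint8_t *buf = alloc_stale(FRAME_LEN);
    uint32_t mask = 0;
    size_t i;

    if (!buf)
        return 0xFFFFFFFFu;
    build_connect_frame(buf, fixed);
    for (i = 0; i < FRAME_LEN; i++)
        if (buf[i] == STALE_BYTE)
            mask |= 1u << i;
    free(buf);
    return mask;
}

/* Number of bytes that would reach the USB device uninitialized. */
int leaked_bytes(int fixed)
{
    uint32_t m = uninit_mask(fixed);
    int n = 0;
    while (m) { n += (int)(m & 1u); m >>= 1; }
    return n;
}

int main(void)
{
    int fixed;
    for (fixed = 0; fixed < 2; fixed++) {
        uint32_t m = uninit_mask(fixed);
        size_t i;
        printf("%s: %d uninitialized byte(s):", fixed ? "fixed" : "buggy",
               leaked_bytes(fixed));
        for (i = 0; i < FRAME_LEN; i++)
            if (m & (1u << i))
                printf(" %zu", i);
        printf("\n");
    }
    return 0;
}
```

With the buggy path the stale marker survives at offsets 4-7 and 16-17, the same two ranges the reports name; with the zeroing in place no byte of the frame carries allocator residue. KMSAN classifies this as kernel-usb-infoleak because the buffer leaves the host via usb_submit_urb(): the stale slab contents are handed to the device, not to user space, so the practical check for a driver is that every byte of a DMA or URB buffer is written before submission, not just the fields the firmware happens to consume.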
Impact
Base score (CVSS 3.x): 5.5
Severity (CVSS 3.x): MEDIUM
Vulnerable products and versions
CPE | From | Up to |
---|---|---|
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 2.6.35 (including) | 4.9.311 (excluding) |
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.10 (including) | 4.14.276 (excluding) |
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.15 (including) | 4.19.238 (excluding) |
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.20 (including) | 5.4.189 (excluding) |
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.5 (including) | 5.10.110 (excluding) |
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.33 (excluding) |
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 5.16.19 (excluding) |
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.17 (including) | 5.17.2 (excluding) |
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/0b700f7d06492de34964b6f414120043364f8191
- https://git.kernel.org/stable/c/11f11ac281f0c0b363d2940204f28bae0422ed71
- https://git.kernel.org/stable/c/4d244b731188e0b63fc40a9d2dec72e9181fb37c
- https://git.kernel.org/stable/c/5abf2b761b998063f5e2bae93fd4ab10e2a80f10
- https://git.kernel.org/stable/c/5c2a6a8daa17a3f65b38b9a5574bb362c13fa1d9
- https://git.kernel.org/stable/c/7da6169b6ebb75816b57be3beb829afa74f3b4b6
- https://git.kernel.org/stable/c/d1e0df1c57bd30871dd1c855742a7c346dbca853
- https://git.kernel.org/stable/c/e352acdd378e9263cc4c6018e588f2dac7161d07
- https://git.kernel.org/stable/c/ee4222052a76559c20e821bc3519cefb58b6d3e9