CVE-2022-49238

Severity CVSS v4.0:
Pending analysis
Type:
CWE-416 Use After Free
Publication date:
26/02/2025
Last modified:
25/03/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

ath11k: free peer for station when disconnect from AP for QCA6390/WCN6855

Commit b4a0f54156ac ("ath11k: move peer delete after vdev stop of station for QCA6390 and WCN6855") fixes a firmware crash by changing the WMI command sequence, but it actually skips the whole peer delete operation, so commit 58595c9874c6 ("ath11k: Fixing dangling pointer issue upon peer delete failure") does not take effect, and a use-after-free warning from KASAN follows, because peer->sta is not set to NULL and is then used later.

Change to only skip the WMI_PEER_DELETE_CMDID for QCA6390/WCN6855.

log of use-after-free:

[ 534.888665] BUG: KASAN: use-after-free in ath11k_dp_rx_update_peer_stats+0x912/0xc10 [ath11k]
[ 534.888696] Read of size 8 at addr ffff8881396bb1b8 by task rtcwake/2860

[ 534.888705] CPU: 4 PID: 2860 Comm: rtcwake Kdump: loaded Tainted: G W 5.15.0-wt-ath+ #523
[ 534.888712] Hardware name: Intel(R) Client Systems NUC8i7HVK/NUC8i7HVB, BIOS HNKBLi70.86A.0067.2021.0528.1339 05/28/2021
[ 534.888716] Call Trace:
[ 534.888720]
[ 534.888726] dump_stack_lvl+0x57/0x7d
[ 534.888736] print_address_description.constprop.0+0x1f/0x170
[ 534.888745] ? ath11k_dp_rx_update_peer_stats+0x912/0xc10 [ath11k]
[ 534.888771] kasan_report.cold+0x83/0xdf
[ 534.888783] ? ath11k_dp_rx_update_peer_stats+0x912/0xc10 [ath11k]
[ 534.888810] ath11k_dp_rx_update_peer_stats+0x912/0xc10 [ath11k]
[ 534.888840] ath11k_dp_rx_process_mon_status+0x529/0xa70 [ath11k]
[ 534.888874] ? ath11k_dp_rx_mon_status_bufs_replenish+0x3f0/0x3f0 [ath11k]
[ 534.888897] ? check_prev_add+0x20f0/0x20f0
[ 534.888922] ? __lock_acquire+0xb72/0x1870
[ 534.888937] ? find_held_lock+0x33/0x110
[ 534.888954] ath11k_dp_rx_process_mon_rings+0x297/0x520 [ath11k]
[ 534.888981] ? rcu_read_unlock+0x40/0x40
[ 534.888990] ? ath11k_dp_rx_pdev_alloc+0xd90/0xd90 [ath11k]
[ 534.889026] ath11k_dp_service_mon_ring+0x67/0xe0 [ath11k]
[ 534.889053] ? ath11k_dp_rx_process_mon_rings+0x520/0x520 [ath11k]
[ 534.889075] call_timer_fn+0x167/0x4a0
[ 534.889084] ? add_timer_on+0x3b0/0x3b0
[ 534.889103] ? lockdep_hardirqs_on_prepare.part.0+0x18c/0x370
[ 534.889117] __run_timers.part.0+0x539/0x8b0
[ 534.889123] ? ath11k_dp_rx_process_mon_rings+0x520/0x520 [ath11k]
[ 534.889157] ? call_timer_fn+0x4a0/0x4a0
[ 534.889164] ? mark_lock_irq+0x1c30/0x1c30
[ 534.889173] ? clockevents_program_event+0xdd/0x280
[ 534.889189] ? mark_held_locks+0xa5/0xe0
[ 534.889203] run_timer_softirq+0x97/0x180
[ 534.889213] __do_softirq+0x276/0x86a
[ 534.889230] __irq_exit_rcu+0x11c/0x180
[ 534.889238] irq_exit_rcu+0x5/0x20
[ 534.889244] sysvec_apic_timer_interrupt+0x8e/0xc0
[ 534.889251]
[ 534.889254]
[ 534.889259] asm_sysvec_apic_timer_interrupt+0x12/0x20
[ 534.889265] RIP: 0010:_raw_spin_unlock_irqrestore+0x38/0x70
[ 534.889271] Code: 74 24 10 e8 ea c2 bf fd 48 89 ef e8 12 53 c0 fd 81 e3 00 02 00 00 75 25 9c 58 f6 c4 02 75 2d 48 85 db 74 01 fb bf 01 00 00 00 13 a7 b5 fd 65 8b 05 cc d9 9c 5e 85 c0 74 0a 5b 5d c3 e8 a0 ee
[ 534.889276] RSP: 0018:ffffc90002e5f880 EFLAGS: 00000206
[ 534.889284] RAX: 0000000000000006 RBX: 0000000000000200 RCX: ffffffff9f256f10
[ 534.889289] RDX: 0000000000000000 RSI: ffffffffa1c6e420 RDI: 0000000000000001
[ 534.889293] RBP: ffff8881095e6200 R08: 0000000000000001 R09: ffffffffa40d2b8f
[ 534.889298] R10: fffffbfff481a571 R11: 0000000000000001 R12: ffff8881095e6e68
[ 534.889302] R13: ffffc90002e5f908 R14: 0000000000000246 R15: 0000000000000000
[ 534.889316] ? mark_lock+0xd0/0x14a0
[ 534.889332] klist_next+0x1d4/0x450
[ 534.889340] ? dpm_wait_for_subordinate+0x2d0/0x2d0
[ 534.889350] device_for_each_child+0xa8/0x140
[ 534.889360] ? device_remove_class_symlinks+0x1b0/0x1b0
[ 534.889370] ? __lock_release+0x4bd/0x9f0
[ 534.889378] ? dpm_suspend+0x26b/0x3f0
[ 534.889390] dpm_wait_for_subordinate+
---truncated---

Vulnerable products and versions

CPE | From | Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.17 (including) | 5.17.2 (excluding)