CVE-2022-49238
Severity CVSS v4.0: Pending analysis
Type: CWE-416 Use After Free
Publication date: 26/02/2025
Last modified: 25/03/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

ath11k: free peer for station when disconnect from AP for QCA6390/WCN6855

Commit b4a0f54156ac ("ath11k: move peer delete after vdev stop of station for QCA6390 and WCN6855") is to fix a firmware crash by changing the WMI command sequence, but it actually skips all the peer delete operations, so commit 58595c9874c6 ("ath11k: Fixing dangling pointer issue upon peer delete failure") does not take effect, and then a use-after-free warning from KASAN happens because peer->sta is not set to NULL and is used later.

Change to only skip the WMI_PEER_DELETE_CMDID for QCA6390/WCN6855.

log of use-after-free:

[ 534.888665] BUG: KASAN: use-after-free in ath11k_dp_rx_update_peer_stats+0x912/0xc10 [ath11k]
[ 534.888696] Read of size 8 at addr ffff8881396bb1b8 by task rtcwake/2860

[ 534.888705] CPU: 4 PID: 2860 Comm: rtcwake Kdump: loaded Tainted: G W 5.15.0-wt-ath+ #523
[ 534.888712] Hardware name: Intel(R) Client Systems NUC8i7HVK/NUC8i7HVB, BIOS HNKBLi70.86A.0067.2021.0528.1339 05/28/2021
[ 534.888716] Call Trace:
[ 534.888720]
[ 534.888726] dump_stack_lvl+0x57/0x7d
[ 534.888736] print_address_description.constprop.0+0x1f/0x170
[ 534.888745] ? ath11k_dp_rx_update_peer_stats+0x912/0xc10 [ath11k]
[ 534.888771] kasan_report.cold+0x83/0xdf
[ 534.888783] ? ath11k_dp_rx_update_peer_stats+0x912/0xc10 [ath11k]
[ 534.888810] ath11k_dp_rx_update_peer_stats+0x912/0xc10 [ath11k]
[ 534.888840] ath11k_dp_rx_process_mon_status+0x529/0xa70 [ath11k]
[ 534.888874] ? ath11k_dp_rx_mon_status_bufs_replenish+0x3f0/0x3f0 [ath11k]
[ 534.888897] ? check_prev_add+0x20f0/0x20f0
[ 534.888922] ? __lock_acquire+0xb72/0x1870
[ 534.888937] ? find_held_lock+0x33/0x110
[ 534.888954] ath11k_dp_rx_process_mon_rings+0x297/0x520 [ath11k]
[ 534.888981] ? rcu_read_unlock+0x40/0x40
[ 534.888990] ? ath11k_dp_rx_pdev_alloc+0xd90/0xd90 [ath11k]
[ 534.889026] ath11k_dp_service_mon_ring+0x67/0xe0 [ath11k]
[ 534.889053] ? ath11k_dp_rx_process_mon_rings+0x520/0x520 [ath11k]
[ 534.889075] call_timer_fn+0x167/0x4a0
[ 534.889084] ? add_timer_on+0x3b0/0x3b0
[ 534.889103] ? lockdep_hardirqs_on_prepare.part.0+0x18c/0x370
[ 534.889117] __run_timers.part.0+0x539/0x8b0
[ 534.889123] ? ath11k_dp_rx_process_mon_rings+0x520/0x520 [ath11k]
[ 534.889157] ? call_timer_fn+0x4a0/0x4a0
[ 534.889164] ? mark_lock_irq+0x1c30/0x1c30
[ 534.889173] ? clockevents_program_event+0xdd/0x280
[ 534.889189] ? mark_held_locks+0xa5/0xe0
[ 534.889203] run_timer_softirq+0x97/0x180
[ 534.889213] __do_softirq+0x276/0x86a
[ 534.889230] __irq_exit_rcu+0x11c/0x180
[ 534.889238] irq_exit_rcu+0x5/0x20
[ 534.889244] sysvec_apic_timer_interrupt+0x8e/0xc0
[ 534.889251]
[ 534.889254]
[ 534.889259] asm_sysvec_apic_timer_interrupt+0x12/0x20
[ 534.889265] RIP: 0010:_raw_spin_unlock_irqrestore+0x38/0x70
[ 534.889271] Code: 74 24 10 e8 ea c2 bf fd 48 89 ef e8 12 53 c0 fd 81 e3 00 02 00 00 75 25 9c 58 f6 c4 02 75 2d 48 85 db 74 01 fb bf 01 00 00 00 13 a7 b5 fd 65 8b 05 cc d9 9c 5e 85 c0 74 0a 5b 5d c3 e8 a0 ee
[ 534.889276] RSP: 0018:ffffc90002e5f880 EFLAGS: 00000206
[ 534.889284] RAX: 0000000000000006 RBX: 0000000000000200 RCX: ffffffff9f256f10
[ 534.889289] RDX: 0000000000000000 RSI: ffffffffa1c6e420 RDI: 0000000000000001
[ 534.889293] RBP: ffff8881095e6200 R08: 0000000000000001 R09: ffffffffa40d2b8f
[ 534.889298] R10: fffffbfff481a571 R11: 0000000000000001 R12: ffff8881095e6e68
[ 534.889302] R13: ffffc90002e5f908 R14: 0000000000000246 R15: 0000000000000000
[ 534.889316] ? mark_lock+0xd0/0x14a0
[ 534.889332] klist_next+0x1d4/0x450
[ 534.889340] ? dpm_wait_for_subordinate+0x2d0/0x2d0
[ 534.889350] device_for_each_child+0xa8/0x140
[ 534.889360] ? device_remove_class_symlinks+0x1b0/0x1b0
[ 534.889370] ? __lock_release+0x4bd/0x9f0
[ 534.889378] ? dpm_suspend+0x26b/0x3f0
[ 534.889390] dpm_wait_for_subordinate+
---truncated---
Impact
Base Score 3.x: 7.80
Severity 3.x: HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.17 (including) | 5.17.2 (excluding) |