CVE-2022-49523

Severity CVSS v4.0:
Pending analysis
Type:
CWE-476 NULL Pointer Dereference
Publication date:
26/02/2025
Last modified:
17/03/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

ath11k: disable spectral scan during spectral deinit

When ath11k modules are removed using rmmod with spectral scan enabled,
a crash is observed. A different crash trace is observed for each crash.

Send the spectral scan disable WMI command to firmware before cleaning
the spectral dbring in the spectral_deinit API to avoid this crash.

Call trace from one of the crashes observed:
[ 1252.880802] Unable to handle kernel NULL pointer dereference at virtual address 00000008
[ 1252.882722] pgd = 0f42e886
[ 1252.890955] [00000008] *pgd=00000000
[ 1252.893478] Internal error: Oops: 5 [#1] PREEMPT SMP ARM
[ 1253.093035] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.4.89 #0
[ 1253.115261] Hardware name: Generic DT based system
[ 1253.121149] PC is at ath11k_spectral_process_data+0x434/0x574 [ath11k]
[ 1253.125940] LR is at 0x88e31017
[ 1253.132448] pc : [] lr : [] psr: a0000193
[ 1253.135488] sp : 80d01bc8 ip : 00000001 fp : 970e0000
[ 1253.141737] r10: 88e31000 r9 : 970ec000 r8 : 00000080
[ 1253.146946] r7 : 94734040 r6 : a0000113 r5 : 00000057 r4 : 00000000
[ 1253.152159] r3 : e18cb694 r2 : 00000217 r1 : 1df1f000 r0 : 00000001
[ 1253.158755] Flags: NzCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment user
[ 1253.165266] Control: 10c0383d Table: 5e71006a DAC: 00000055
[ 1253.172472] Process swapper/0 (pid: 0, stack limit = 0x60870141)
[ 1253.458055] [] (ath11k_spectral_process_data [ath11k]) from [] (ath11k_dbring_buffer_release_event+0x214/0x2e4 [ath11k])
[ 1253.466139] [] (ath11k_dbring_buffer_release_event [ath11k]) from [] (ath11k_wmi_tlv_op_rx+0x1840/0x29cc [ath11k])
[ 1253.478807] [] (ath11k_wmi_tlv_op_rx [ath11k]) from [] (ath11k_htc_rx_completion_handler+0x180/0x4e0 [ath11k])
[ 1253.490699] [] (ath11k_htc_rx_completion_handler [ath11k]) from [] (ath11k_ce_per_engine_service+0x2c4/0x3b4 [ath11k])
[ 1253.502386] [] (ath11k_ce_per_engine_service [ath11k]) from [] (ath11k_pci_ce_tasklet+0x28/0x80 [ath11k_pci])
[ 1253.514811] [] (ath11k_pci_ce_tasklet [ath11k_pci]) from [] (tasklet_action_common.constprop.2+0x64/0xe8)
[ 1253.526476] [] (tasklet_action_common.constprop.2) from [] (__do_softirq+0x130/0x2d0)
[ 1253.537756] [] (__do_softirq) from [] (irq_exit+0xcc/0xe8)
[ 1253.547304] [] (irq_exit) from [] (__handle_domain_irq+0x60/0xb4)
[ 1253.554428] [] (__handle_domain_irq) from [] (gic_handle_irq+0x4c/0x90)
[ 1253.562321] [] (gic_handle_irq) from [] (__irq_svc+0x58/0x8c)

Tested-on: QCN6122 hw1.0 AHB WLAN.HK.2.6.0.1-00851-QCAHKSWPL_SILICONZ-1
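The bug above is a teardown-ordering race: the driver frees the spectral dbring while the firmware is still producing buffer-release events, and the next event is handled (in softirq context, per the trace) against a pointer that is now NULL. The following is an added, self-contained C model of that ordering and of the fix, not code from ath11k or the kernel: all names (struct spectral_ctx, struct fw_sim, deinit_unsafe, deinit_safe, run_scenario) are invented for the example, the "firmware" is a counter of queued events, and the handler additionally refuses to touch a missing ring so the unsafe order is counted instead of faulting.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical model of the ordering bug in CVE-2022-49523; every name here
 * is invented for this example and is not ath11k's API. */

#define RING_ENTRIES 8
#define ENTRY_SIZE 64

struct dbring {
    unsigned int head;                           /* next entry to consume */
    unsigned char buf[RING_ENTRIES * ENTRY_SIZE];
};

struct spectral_ctx {
    bool enabled;
    struct dbring *ring;       /* freed and set to NULL by ring_cleanup() */
    unsigned int processed;    /* events handled while the ring was live */
    unsigned int late_events;  /* events that arrived after the ring was gone */
};

/* Simulated firmware: keeps raising buffer-release events until told to stop
 * scanning, regardless of what the driver has already freed. */
struct fw_sim {
    bool scan_enabled;
    unsigned int pending;      /* events queued, delivered on the next "IRQ" */
};

/* Driver-side handler, the stand-in for the function at the top of the
 * advisory's call trace. The pre-fix code dereferenced the ring pointer
 * unchecked (the oops is at virtual address 00000008); this model counts
 * the late event instead of faulting. */
static int spectral_process_data(struct spectral_ctx *ctx)
{
    if (!ctx->enabled || ctx->ring == NULL) {
        ctx->late_events++;
        return -1;
    }
    ctx->ring->buf[ctx->ring->head * ENTRY_SIZE] = 0;        /* consume one entry */
    ctx->ring->head = (ctx->ring->head + 1) % RING_ENTRIES;
    ctx->processed++;
    return 0;
}

/* "IRQ context": deliver everything the firmware has queued so far. */
static void fw_deliver_pending(struct fw_sim *fw, struct spectral_ctx *ctx)
{
    while (fw->pending > 0) {
        fw->pending--;
        spectral_process_data(ctx);
    }
}

/* One scan tick: the firmware queues an event only while scanning is enabled. */
static void fw_tick(struct fw_sim *fw)
{
    if (fw->scan_enabled)
        fw->pending++;
}

static void ring_cleanup(struct spectral_ctx *ctx)
{
    free(ctx->ring);
    ctx->ring = NULL;
    ctx->enabled = false;
}

/* Pre-fix order: the dbring is freed while the firmware is still producing. */
static unsigned int deinit_unsafe(struct fw_sim *fw, struct spectral_ctx *ctx)
{
    ring_cleanup(ctx);
    fw_tick(fw);                  /* firmware was never told to stop ...       */
    fw_deliver_pending(fw, ctx);  /* ... so queued and new events find no ring */
    fw->scan_enabled = false;     /* the disable command comes too late        */
    return ctx->late_events;
}

/* Fixed order: stop the producer first, drain what is already queued, and
 * only then free the ring. */
static unsigned int deinit_safe(struct fw_sim *fw, struct spectral_ctx *ctx)
{
    fw->scan_enabled = false;     /* the spectral scan disable WMI command      */
    fw_deliver_pending(fw, ctx);  /* events queued before disable still have a ring */
    fw_tick(fw);                  /* no new events once the firmware is stopped */
    ring_cleanup(ctx);
    fw_deliver_pending(fw, ctx);  /* nothing left to deliver                    */
    return ctx->late_events;
}

/* Runs a short scan with one event still queued, tears down in the requested
 * order, and returns how many events hit a missing ring (-1 on alloc failure). */
static int run_scenario(bool fixed_order)
{
    struct fw_sim fw = { .scan_enabled = true, .pending = 0 };
    struct spectral_ctx ctx = { .enabled = true, .ring = calloc(1, sizeof(struct dbring)) };
    if (ctx.ring == NULL)
        return -1;
    for (int i = 0; i < 3; i++) {       /* normal operation: three events flow through */
        fw_tick(&fw);
        fw_deliver_pending(&fw, &ctx);
    }
    fw_tick(&fw);                       /* one event is in flight when rmmod starts */
    unsigned int late = fixed_order ? deinit_safe(&fw, &ctx) : deinit_unsafe(&fw, &ctx);
    return (int)late;
}

int main(void)
{
    printf("pre-fix order: %d event(s) hit a freed ring\n", run_scenario(false));
    printf("fixed order:   %d event(s) hit a freed ring\n", run_scenario(true));
    return 0;
}
```

The pre-fix order produces two late events in this model (the one already in flight plus the one the still-running firmware queues after the free); the fixed order produces none, because the disable command stops new events and the in-flight one is drained while the ring is still allocated. The NULL check in the handler is a second, defensive layer; the actual fix is the ordering in deinit_safe.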

Vulnerable products and versions

CPE                                            From                Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   -                   5.10.121 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   5.11 (including)    5.15.46 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   5.16 (including)    5.17.14 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   5.18 (including)    5.18.3 (excluding)