CVE-2022-49112
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
26/02/2025
Last modified:
14/10/2025
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
mt76: fix monitor mode crash with sdio driver<br />
<br />
mt7921s driver may receive frames with fragment buffers. If there is a<br />
CTS packet received in monitor mode, the payload is 10 bytes only and<br />
need 6 bytes header padding after RXD buffer. However, only RXD in the<br />
first linear buffer, if we pull buffer size RXD-size+6 bytes with<br />
skb_pull(), that would trigger "BUG_ON(skb->len data_len)" in<br />
__skb_pull().<br />
<br />
To avoid the nonlinear buffer issue, enlarge the RXD size from 128 to<br />
256 to make sure all MCU operation in linear buffer.<br />
<br />
[ 52.007562] kernel BUG at include/linux/skbuff.h:2313!<br />
[ 52.007578] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP<br />
[ 52.007987] pc : skb_pull+0x48/0x4c<br />
[ 52.008015] lr : mt7921_queue_rx_skb+0x494/0x890 [mt7921_common]<br />
[ 52.008361] Call trace:<br />
[ 52.008377] skb_pull+0x48/0x4c<br />
[ 52.008400] mt76s_net_worker+0x134/0x1b0 [mt76_sdio 35339a92c6eb7d4bbcc806a1d22f56365565135c]<br />
[ 52.008431] __mt76_worker_fn+0xe8/0x170 [mt76 ef716597d11a77150bc07e3fdd68eeb0f9b56917]<br />
[ 52.008449] kthread+0x148/0x3ac<br />
[ 52.008466] ret_from_fork+0x10/0x30
Impact
Base Score 3.x
5.50
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.16 (including) | 5.15.34 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 5.16.20 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.17 (including) | 5.17.3 (excluding) |
To consult the complete list of CPE names with products and versions, see this page