CVE-2022-50678

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: brcmfmac: fix invalid address access when enabling SCAN log level<br /> <br /> The variable i is changed when setting random MAC address and causes<br /> invalid address access when printing the value of pi-&gt;reqs[i]-&gt;reqid.<br /> <br /> We replace reqs index with ri to fix the issue.<br /> <br /> [ 136.726473] Unable to handle kernel access to user memory outside uaccess routines at virtual address 0000000000000000<br /> [ 136.737365] Mem abort info:<br /> [ 136.740172] ESR = 0x96000004<br /> [ 136.743359] Exception class = DABT (current EL), IL = 32 bits<br /> [ 136.749294] SET = 0, FnV = 0<br /> [ 136.752481] EA = 0, S1PTW = 0<br /> [ 136.755635] Data abort info:<br /> [ 136.758514] ISV = 0, ISS = 0x00000004<br /> [ 136.762487] CM = 0, WnR = 0<br /> [ 136.765522] user pgtable: 4k pages, 48-bit VAs, pgdp = 000000005c4e2577<br /> [ 136.772265] [0000000000000000] pgd=0000000000000000<br /> [ 136.777160] Internal error: Oops: 96000004 [#1] PREEMPT SMP<br /> [ 136.782732] Modules linked in: brcmfmac(O) brcmutil(O) cfg80211(O) compat(O)<br /> [ 136.789788] Process wificond (pid: 3175, stack limit = 0x00000000053048fb)<br /> [ 136.796664] CPU: 3 PID: 3175 Comm: wificond Tainted: G O 4.19.42-00001-g531a5f5 #1<br /> [ 136.805532] Hardware name: Freescale i.MX8MQ EVK (DT)<br /> [ 136.810584] pstate: 60400005 (nZCv daif +PAN -UAO)<br /> [ 136.815429] pc : brcmf_pno_config_sched_scans+0x6cc/0xa80 [brcmfmac]<br /> [ 136.821811] lr : brcmf_pno_config_sched_scans+0x67c/0xa80 [brcmfmac]<br /> [ 136.828162] sp : ffff00000e9a3880<br /> [ 136.831475] x29: ffff00000e9a3890 x28: ffff800020543400<br /> [ 136.836786] x27: ffff8000b1008880 x26: ffff0000012bf6a0<br /> [ 136.842098] x25: ffff80002054345c x24: ffff800088d22400<br /> [ 136.847409] x23: ffff0000012bf638 x22: ffff0000012bf6d8<br /> [ 136.852721] x21: ffff8000aced8fc0 x20: ffff8000ac164400<br /> [ 136.858032] x19: ffff00000e9a3946 x18: 0000000000000000<br /> [ 136.863343] x17: 0000000000000000 x16: 0000000000000000<br /> [ 136.868655] x15: ffff0000093f3b37 x14: 0000000000000050<br /> [ 136.873966] x13: 0000000000003135 x12: 0000000000000000<br /> [ 136.879277] x11: 0000000000000000 x10: ffff000009a61888<br /> [ 136.884589] x9 : 000000000000000f x8 : 0000000000000008<br /> [ 136.889900] x7 : 303a32303d726464 x6 : ffff00000a1f957d<br /> [ 136.895211] x5 : 0000000000000000 x4 : ffff00000e9a3942<br /> [ 136.900523] x3 : 0000000000000000 x2 : ffff0000012cead8<br /> [ 136.905834] x1 : ffff0000012bf6d8 x0 : 0000000000000000<br /> [ 136.911146] Call trace:<br /> [ 136.913623] brcmf_pno_config_sched_scans+0x6cc/0xa80 [brcmfmac]<br /> [ 136.919658] brcmf_pno_start_sched_scan+0xa4/0x118 [brcmfmac]<br /> [ 136.925430] brcmf_cfg80211_sched_scan_start+0x80/0xe0 [brcmfmac]<br /> [ 136.931636] nl80211_start_sched_scan+0x140/0x308 [cfg80211]<br /> [ 136.937298] genl_rcv_msg+0x358/0x3f4<br /> [ 136.940960] netlink_rcv_skb+0xb4/0x118<br /> [ 136.944795] genl_rcv+0x34/0x48<br /> [ 136.947935] netlink_unicast+0x264/0x300<br /> [ 136.951856] netlink_sendmsg+0x2e4/0x33c<br /> [ 136.955781] __sys_sendto+0x120/0x19c