CVE-2022-50701

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: mt76: mt7921s: fix slab-out-of-bounds access in sdio host<br /> <br /> SDIO may need addtional 511 bytes to align bus operation. If the tailroom<br /> of this skb is not big enough, we would access invalid memory region.<br /> For low level operation, increase skb size to keep valid memory access in<br /> SDIO host.<br /> <br /> Error message:<br /> [69.951] BUG: KASAN: slab-out-of-bounds in sg_copy_buffer+0xe9/0x1a0<br /> [69.951] Read of size 64 at addr ffff88811c9cf000 by task kworker/u16:7/451<br /> [69.951] CPU: 4 PID: 451 Comm: kworker/u16:7 Tainted: G W OE 6.1.0-rc5 #1<br /> [69.951] Workqueue: kvub300c vub300_cmndwork_thread [vub300]<br /> [69.951] Call Trace:<br /> [69.951] <br /> [69.952] dump_stack_lvl+0x49/0x63<br /> [69.952] print_report+0x171/0x4a8<br /> [69.952] kasan_report+0xb4/0x130<br /> [69.952] kasan_check_range+0x149/0x1e0<br /> [69.952] memcpy+0x24/0x70<br /> [69.952] sg_copy_buffer+0xe9/0x1a0<br /> [69.952] sg_copy_to_buffer+0x12/0x20<br /> [69.952] __command_write_data.isra.0+0x23c/0xbf0 [vub300]<br /> [69.952] vub300_cmndwork_thread+0x17f3/0x58b0 [vub300]<br /> [69.952] process_one_work+0x7ee/0x1320<br /> [69.952] worker_thread+0x53c/0x1240<br /> [69.952] kthread+0x2b8/0x370<br /> [69.952] ret_from_fork+0x1f/0x30<br /> [69.952] <br /> <br /> [69.952] Allocated by task 854:<br /> [69.952] kasan_save_stack+0x26/0x50<br /> [69.952] kasan_set_track+0x25/0x30<br /> [69.952] kasan_save_alloc_info+0x1b/0x30<br /> [69.952] __kasan_kmalloc+0x87/0xa0<br /> [69.952] __kmalloc_node_track_caller+0x63/0x150<br /> [69.952] kmalloc_reserve+0x31/0xd0<br /> [69.952] __alloc_skb+0xfc/0x2b0<br /> [69.952] __mt76_mcu_msg_alloc+0xbf/0x230 [mt76]<br /> [69.952] mt76_mcu_send_and_get_msg+0xab/0x110 [mt76]<br /> [69.952] __mt76_mcu_send_firmware.cold+0x94/0x15d [mt76]<br /> [69.952] mt76_connac_mcu_send_ram_firmware+0x415/0x54d [mt76_connac_lib]<br /> [69.952] mt76_connac2_load_ram.cold+0x118/0x4bc [mt76_connac_lib]<br /> [69.952] mt7921_run_firmware.cold+0x2e9/0x405 [mt7921_common]<br /> [69.952] mt7921s_mcu_init+0x45/0x80 [mt7921s]<br /> [69.953] mt7921_init_work+0xe1/0x2a0 [mt7921_common]<br /> [69.953] process_one_work+0x7ee/0x1320<br /> [69.953] worker_thread+0x53c/0x1240<br /> [69.953] kthread+0x2b8/0x370<br /> [69.953] ret_from_fork+0x1f/0x30<br /> [69.953] The buggy address belongs to the object at ffff88811c9ce800<br /> which belongs to the cache kmalloc-2k of size 2048<br /> [69.953] The buggy address is located 0 bytes to the right of<br /> 2048-byte region [ffff88811c9ce800, ffff88811c9cf000)<br /> <br /> [69.953] Memory state around the buggy address:<br /> [69.953] ffff88811c9cef00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00<br /> [69.953] ffff88811c9cef80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00<br /> [69.953] &gt;ffff88811c9cf000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc<br /> [69.953] ^<br /> [69.953] ffff88811c9cf080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc<br /> [69.953] ffff88811c9cf100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc