CVE-2022-50709

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: ath9k: avoid uninit memory read in ath9k_htc_rx_msg()<br /> <br /> syzbot is reporting uninit value at ath9k_htc_rx_msg() [1], for<br /> ioctl(USB_RAW_IOCTL_EP_WRITE) can call ath9k_hif_usb_rx_stream() with<br /> pkt_len = 0 but ath9k_hif_usb_rx_stream() uses<br /> __dev_alloc_skb(pkt_len + 32, GFP_ATOMIC) based on an assumption that<br /> pkt_len is valid. As a result, ath9k_hif_usb_rx_stream() allocates skb<br /> with uninitialized memory and ath9k_htc_rx_msg() is reading from<br /> uninitialized memory.<br /> <br /> Since bytes accessed by ath9k_htc_rx_msg() is not known until<br /> ath9k_htc_rx_msg() is called, it would be difficult to check minimal valid<br /> pkt_len at "if (pkt_len &gt; 2 * MAX_RX_BUF_SIZE) {" line in<br /> ath9k_hif_usb_rx_stream().<br /> <br /> We have two choices. One is to workaround by adding __GFP_ZERO so that<br /> ath9k_htc_rx_msg() sees 0 if pkt_len is invalid. The other is to let<br /> ath9k_htc_rx_msg() validate pkt_len before accessing. This patch chose<br /> the latter.<br /> <br /> Note that I&amp;#39;m not sure threshold condition is correct, for I can&amp;#39;t find<br /> details on possible packet length used by this protocol.