| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025061832-CVE-2022-50179-92c5@gregkh> Date: Wed, 18 Jun 2025 13:04:04 +0200 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2022-50179: ath9k: fix use-after-free in ath9k_hif_usb_rx_cb From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: ath9k: fix use-after-free in ath9k_hif_usb_rx_cb Syzbot reported use-after-free Read in ath9k_hif_usb_rx_cb() [0]. The problem was in incorrect htc_handle->drv_priv initialization. Probable call trace which can trigger use-after-free: ath9k_htc_probe_device() /* htc_handle->drv_priv = priv; */ ath9k_htc_wait_for_target() <--- Failed ieee80211_free_hw() <--- priv pointer is freed <IRQ> ... ath9k_hif_usb_rx_cb() ath9k_hif_usb_rx_stream() RX_STAT_INC() <--- htc_handle->drv_priv access In order to not add fancy protection for drv_priv we can move htc_handle->drv_priv initialization at the end of the ath9k_htc_probe_device() and add helper macro to make all *_STAT_* macros NULL safe, since syzbot has reported related NULL deref in that macros [1] The Linux kernel CVE team has assigned CVE-2022-50179 to this issue. Affected and fixed versions =========================== Issue introduced in 2.6.35 with commit fb9987d0f748c983bb795a86f47522313f701a08 and fixed in 4.14.291 with commit 62bc1ea5c7401d77eaf73d0c6a15f3d2e742856e Issue introduced in 2.6.35 with commit fb9987d0f748c983bb795a86f47522313f701a08 and fixed in 4.19.256 with commit ab7a0ddf5f1cdec63cb21840369873806fc36d80 Issue introduced in 2.6.35 with commit fb9987d0f748c983bb795a86f47522313f701a08 and fixed in 5.4.211 with commit e9e21206b8ea62220b486310c61277e7ebfe7cec Issue introduced in 2.6.35 with commit fb9987d0f748c983bb795a86f47522313f701a08 and fixed in 5.10.137 with commit eccd7c3e2596b574241a7670b5b53f5322f470e5 Issue introduced in 2.6.35 with commit fb9987d0f748c983bb795a86f47522313f701a08 and fixed in 5.15.61 with commit 03ca957c5f7b55660957eda20b5db4110319ac7a Issue introduced in 2.6.35 with commit fb9987d0f748c983bb795a86f47522313f701a08 and fixed in 5.18.18 with commit 6b14ab47937ba441e75e8dbb9fbfc9c55efa41c6 Issue introduced in 2.6.35 with commit fb9987d0f748c983bb795a86f47522313f701a08 and fixed in 5.19.2 with commit b66ebac40f64336ae2d053883bee85261060bd27 Issue introduced in 2.6.35 with commit fb9987d0f748c983bb795a86f47522313f701a08 and fixed in 6.0 with commit 0ac4827f78c7ffe8eef074bc010e7e34bc22f533 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2022-50179 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: drivers/net/wireless/ath/ath9k/htc.h drivers/net/wireless/ath/ath9k/htc_drv_init.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/62bc1ea5c7401d77eaf73d0c6a15f3d2e742856e https://git.kernel.org/stable/c/ab7a0ddf5f1cdec63cb21840369873806fc36d80 https://git.kernel.org/stable/c/e9e21206b8ea62220b486310c61277e7ebfe7cec https://git.kernel.org/stable/c/eccd7c3e2596b574241a7670b5b53f5322f470e5 https://git.kernel.org/stable/c/03ca957c5f7b55660957eda20b5db4110319ac7a https://git.kernel.org/stable/c/6b14ab47937ba441e75e8dbb9fbfc9c55efa41c6 https://git.kernel.org/stable/c/b66ebac40f64336ae2d053883bee85261060bd27 https://git.kernel.org/stable/c/0ac4827f78c7ffe8eef074bc010e7e34bc22f533
Powered by blists - more mailing lists