| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025061832-CVE-2022-50180-06ed@gregkh> Date: Wed, 18 Jun 2025 13:04:05 +0200 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2022-50180: wifi: iwlegacy: 4965: fix potential off-by-one overflow in il4965_rs_fill_link_cmd() From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: wifi: iwlegacy: 4965: fix potential off-by-one overflow in il4965_rs_fill_link_cmd() As a result of the execution of the inner while loop, the value of 'idx' can be equal to LINK_QUAL_MAX_RETRY_NUM. However, this is not checked after the loop and 'idx' is used to write the LINK_QUAL_MAX_RETRY_NUM size array 'lq_cmd->rs_table[idx]' below in the outer loop. The fix is to check the new value of 'idx' inside the nested loop, and break both loops if index equals the size. Checking it at the start is now pointless, so let's remove it. Detected using the static analysis tool - Svace. The Linux kernel CVE team has assigned CVE-2022-50180 to this issue. Affected and fixed versions =========================== Issue introduced in 2.6.39 with commit be663ab67077fac8e23eb8e231a8c1c94cb32e54 and fixed in 4.14.291 with commit f59e7534e2b11d7c018a412c293897e8417addd4 Issue introduced in 2.6.39 with commit be663ab67077fac8e23eb8e231a8c1c94cb32e54 and fixed in 4.19.256 with commit 20be29b99dfed089fe7b8698cd18dfdda6049bd7 Issue introduced in 2.6.39 with commit be663ab67077fac8e23eb8e231a8c1c94cb32e54 and fixed in 5.4.211 with commit 73304c7594080362107bea4c0c3b7da2fb134cc4 Issue introduced in 2.6.39 with commit be663ab67077fac8e23eb8e231a8c1c94cb32e54 and fixed in 5.10.137 with commit e7d6cac6967534e1298497e853964b3d3f994ce3 Issue introduced in 2.6.39 with commit be663ab67077fac8e23eb8e231a8c1c94cb32e54 and fixed in 5.15.61 with commit 88b551561ded10017dd846c8aeb2296a5119a915 Issue introduced in 2.6.39 with commit be663ab67077fac8e23eb8e231a8c1c94cb32e54 and fixed in 5.18.18 with commit 9f1acb3ce0e37e9c38a6060a0570d56d2963e797 Issue introduced in 2.6.39 with commit be663ab67077fac8e23eb8e231a8c1c94cb32e54 and fixed in 5.19.2 with commit b7c39b1a3d4b8d2ba8c13d5ae1303705b03b46d4 Issue introduced in 2.6.39 with commit be663ab67077fac8e23eb8e231a8c1c94cb32e54 and fixed in 6.0 with commit a8eb8e6f7159c7c20c0ddac428bde3d110890aa7 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2022-50180 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: drivers/net/wireless/intel/iwlegacy/4965-rs.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/f59e7534e2b11d7c018a412c293897e8417addd4 https://git.kernel.org/stable/c/20be29b99dfed089fe7b8698cd18dfdda6049bd7 https://git.kernel.org/stable/c/73304c7594080362107bea4c0c3b7da2fb134cc4 https://git.kernel.org/stable/c/e7d6cac6967534e1298497e853964b3d3f994ce3 https://git.kernel.org/stable/c/88b551561ded10017dd846c8aeb2296a5119a915 https://git.kernel.org/stable/c/9f1acb3ce0e37e9c38a6060a0570d56d2963e797 https://git.kernel.org/stable/c/b7c39b1a3d4b8d2ba8c13d5ae1303705b03b46d4 https://git.kernel.org/stable/c/a8eb8e6f7159c7c20c0ddac428bde3d110890aa7
Powered by blists - more mailing lists