Message-ID: <2025061845-CVE-2022-49934-108e@gregkh>
Date: Wed, 18 Jun 2025 12:54:45 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2022-49934: wifi: mac80211: Fix UAF in ieee80211_scan_rx()

From: Greg Kroah-Hartman <gregkh@...nel.org>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

wifi: mac80211: Fix UAF in ieee80211_scan_rx()

ieee80211_scan_rx() tries to access scan_req->flags after a
null check, but a UAF is observed when the scan is completed
and __ieee80211_scan_completed() executes, which then calls
cfg80211_scan_done() leading to the freeing of scan_req.

Since scan_req is rcu_dereference()'d, prevent the racing in
__ieee80211_scan_completed() by ensuring that from mac80211's
POV it is no longer accessed from an RCU read critical section
before we call cfg80211_scan_done().

The Linux kernel CVE team has assigned CVE-2022-49934 to this issue.


Affected and fixed versions
===========================

	Fixed in 4.9.330 with commit 6eb181a64fdabf10be9e54de728876667da20255
	Fixed in 4.14.295 with commit e0ff39448cea654843744c72c6780293c5082cb1
	Fixed in 4.19.260 with commit 78a07732fbb0934d14827d8f09b9aa6a49ee1aa9
	Fixed in 5.4.215 with commit 9ad48cbf8b07f10c1e4a7a262b32a9179ae9dd2d
	Fixed in 5.10.142 with commit 4abc8c07a065ecf771827bde3c63fbbe4aa0c08b
	Fixed in 5.15.66 with commit 5d20c6f932f2758078d0454729129c894fe353e7
	Fixed in 5.19.8 with commit c0445feb80a4d0854898118fa01073701f8d356b
	Fixed in 6.0 with commit 60deb9f10eec5c6a20252ed36238b55d8b614a2c

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-49934
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	net/mac80211/scan.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/6eb181a64fdabf10be9e54de728876667da20255
	https://git.kernel.org/stable/c/e0ff39448cea654843744c72c6780293c5082cb1
	https://git.kernel.org/stable/c/78a07732fbb0934d14827d8f09b9aa6a49ee1aa9
	https://git.kernel.org/stable/c/9ad48cbf8b07f10c1e4a7a262b32a9179ae9dd2d
	https://git.kernel.org/stable/c/4abc8c07a065ecf771827bde3c63fbbe4aa0c08b
	https://git.kernel.org/stable/c/5d20c6f932f2758078d0454729129c894fe353e7
	https://git.kernel.org/stable/c/c0445feb80a4d0854898118fa01073701f8d356b
	https://git.kernel.org/stable/c/60deb9f10eec5c6a20252ed36238b55d8b614a2c
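
The race the description outlines, as an added userspace model (example code written here, not the kernel's code and not part of the announcement): a toy RCU (reader count plus condition variable) stands in for the kernel's, a poison bit on the object stands in for kfree() so the use-after-free is detected instead of being undefined behaviour, and two hand-shake events exist only to force the losing interleaving (reader dereferences, completion path runs, reader uses the pointer). All names (`scan_rx`, `scan_completed_vulnerable`, `scan_completed_fixed`, `run_race`, `toy_*`, `cfg80211_scan_done_model`) are assumed for the model. The fixed variant shows the property the text states: the pointer is unpublished from mac80211's RCU readers and a grace period passes before the completion hands the request to cfg80211 to free. Whether the actual kernel commits use exactly this sequence is not stated on this page; consult the commits listed above.

```c
#include <pthread.h>
#include <stdbool.h>
#include <stdio.h>

/* ---- toy RCU: a reader count and a condition variable (model only) ---- */
static pthread_mutex_t rcu_mtx = PTHREAD_MUTEX_INITIALIZER;
static pthread_cond_t  rcu_cv  = PTHREAD_COND_INITIALIZER;
static int rcu_readers;

static void toy_rcu_read_lock(void)
{
	pthread_mutex_lock(&rcu_mtx);
	rcu_readers++;
	pthread_mutex_unlock(&rcu_mtx);
}

static void toy_rcu_read_unlock(void)
{
	pthread_mutex_lock(&rcu_mtx);
	if (--rcu_readers == 0)
		pthread_cond_broadcast(&rcu_cv);
	pthread_mutex_unlock(&rcu_mtx);
}

/* Block until every read section open at the time of the call has ended. */
static void toy_synchronize_rcu(void)
{
	pthread_mutex_lock(&rcu_mtx);
	while (rcu_readers > 0)
		pthread_cond_wait(&rcu_cv, &rcu_mtx);
	pthread_mutex_unlock(&rcu_mtx);
}

/* ---- one-shot events, used only to force the racy interleaving -------- */
struct event { pthread_mutex_t m; pthread_cond_t c; bool set; };
static void event_set(struct event *e) { pthread_mutex_lock(&e->m); e->set = true; pthread_cond_broadcast(&e->c); pthread_mutex_unlock(&e->m); }
static void event_wait(struct event *e) { pthread_mutex_lock(&e->m); while (!e->set) pthread_cond_wait(&e->c, &e->m); pthread_mutex_unlock(&e->m); }

/* ---- the scan request; the poison bit models kfree() ----------------- */
struct scan_request { unsigned int flags; bool freed; };
static struct scan_request req_storage;                 /* constructed sample object */
static struct scan_request *scan_req;                   /* models local->scan_req */
static struct event reader_derefed = { PTHREAD_MUTEX_INITIALIZER, PTHREAD_COND_INITIALIZER, false };
static struct event completion_ran = { PTHREAD_MUTEX_INITIALIZER, PTHREAD_COND_INITIALIZER, false };
static bool uaf_seen;

static void cfg80211_scan_done_model(struct scan_request *r) { r->freed = true; } /* models the free in cfg80211_scan_done() */

/* Reader thread: models ieee80211_scan_rx() reading scan_req->flags under RCU. */
static void *scan_rx(void *arg)
{
	(void)arg;
	toy_rcu_read_lock();
	struct scan_request *req = __atomic_load_n(&scan_req, __ATOMIC_ACQUIRE); /* rcu_dereference() */
	event_set(&reader_derefed);      /* harness: pointer is now held by the reader */
	event_wait(&completion_ran);     /* harness: the completion path runs before we use it */
	if (req) {
		if (req->freed)
			uaf_seen = true;         /* in the kernel this is the UAF on scan_req->flags */
		else
			(void)req->flags;        /* the access the reader legitimately makes */
	}
	toy_rcu_read_unlock();
	return NULL;
}

/* Vulnerable completion: the request is freed while a reader may still hold it. */
static void scan_completed_vulnerable(void)
{
	struct scan_request *req = scan_req;
	cfg80211_scan_done_model(req);
	__atomic_store_n(&scan_req, (struct scan_request *)NULL, __ATOMIC_RELEASE);
	event_set(&completion_ran);
}

/* Fixed completion: unpublish, let one grace period pass, only then free. */
static void scan_completed_fixed(void)
{
	struct scan_request *req = scan_req;
	__atomic_store_n(&scan_req, (struct scan_request *)NULL, __ATOMIC_RELEASE); /* no new reader can reach req */
	event_set(&completion_ran);   /* harness only: the reader resumes now */
	toy_synchronize_rcu();        /* every reader that could still see req has left its read section */
	cfg80211_scan_done_model(req);
}

/* Force the interleaving: reader dereferences, completion runs, reader uses. Returns true on UAF. */
static bool run_race(void (*completion)(void))
{
	pthread_t t;
	req_storage = (struct scan_request){ .flags = 0x1u, .freed = false };
	scan_req = &req_storage;
	uaf_seen = false;
	reader_derefed.set = completion_ran.set = false;   /* no thread is running yet */
	pthread_create(&t, NULL, scan_rx, NULL);
	event_wait(&reader_derefed);
	completion();
	pthread_join(t, NULL);
	return uaf_seen;
}

int main(void)
{
	printf("vulnerable completion: uaf=%d\n", run_race(scan_completed_vulnerable));
	printf("fixed completion:      uaf=%d\n", run_race(scan_completed_fixed));
	return 0;
}
```

Build with `cc -pthread`. The vulnerable run reports the use-after-free because the free happens inside the reader's read-side critical section; the fixed run does not, because `toy_synchronize_rcu()` cannot return until the reader has dropped the pointer. In a real kernel the same interleaving would surface as a KASAN slab-use-after-free report in ieee80211_scan_rx() rather than a poison bit.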
