| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025091509-CVE-2023-53199-8a8c@gregkh> Date: Mon, 15 Sep 2025 16:21:33 +0200 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2023-53199: wifi: ath9k: hif_usb: clean up skbs if ath9k_hif_usb_rx_stream() fails From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: wifi: ath9k: hif_usb: clean up skbs if ath9k_hif_usb_rx_stream() fails Syzkaller detected a memory leak of skbs in ath9k_hif_usb_rx_stream(). While processing skbs in ath9k_hif_usb_rx_stream(), the already allocated skbs in skb_pool are not freed if ath9k_hif_usb_rx_stream() fails. If we have an incorrect pkt_len or pkt_tag, the input skb is considered invalid and dropped. All the associated packets already in skb_pool should be dropped and freed. Added a comment describing this issue. The patch also makes remain_skb NULL after being processed so that it cannot be referenced after potential free. The initialization of hif_dev fields which are associated with remain_skb (rx_remain_len, rx_transfer_len and rx_pad_len) is moved after a new remain_skb is allocated. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. The Linux kernel CVE team has assigned CVE-2023-53199 to this issue. Affected and fixed versions =========================== Issue introduced in 2.6.38 with commit 44b23b488d44e56d467764ecb661830e5b02b308 and fixed in 4.19.276 with commit 3fc6401fafde11712a83089fa2cc874cfd10e2cd Issue introduced in 2.6.38 with commit 44b23b488d44e56d467764ecb661830e5b02b308 and fixed in 5.4.235 with commit cd8316767099920a5d41feed1afab0c482a43e9f Issue introduced in 2.6.38 with commit 44b23b488d44e56d467764ecb661830e5b02b308 and fixed in 5.10.173 with commit f26dd69f61eff2eedf5df2d199bdd23108309947 Issue introduced in 2.6.38 with commit 44b23b488d44e56d467764ecb661830e5b02b308 and fixed in 5.15.99 with commit 61490d2710277e8a55009b7682456ae22f8087cf Issue introduced in 2.6.38 with commit 44b23b488d44e56d467764ecb661830e5b02b308 and fixed in 6.1.16 with commit 9acdec72787af1bc8ed92711b52118c8e3e638a2 Issue introduced in 2.6.38 with commit 44b23b488d44e56d467764ecb661830e5b02b308 and fixed in 6.2.3 with commit c766e37fccd5a5c5059be7efcd9618bf8a2c17c3 Issue introduced in 2.6.38 with commit 44b23b488d44e56d467764ecb661830e5b02b308 and fixed in 6.3 with commit 0af54343a76263a12dbae7fafb64eb47c4a6ad38 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2023-53199 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: drivers/net/wireless/ath/ath9k/hif_usb.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/3fc6401fafde11712a83089fa2cc874cfd10e2cd https://git.kernel.org/stable/c/cd8316767099920a5d41feed1afab0c482a43e9f https://git.kernel.org/stable/c/f26dd69f61eff2eedf5df2d199bdd23108309947 https://git.kernel.org/stable/c/61490d2710277e8a55009b7682456ae22f8087cf https://git.kernel.org/stable/c/9acdec72787af1bc8ed92711b52118c8e3e638a2 https://git.kernel.org/stable/c/c766e37fccd5a5c5059be7efcd9618bf8a2c17c3 https://git.kernel.org/stable/c/0af54343a76263a12dbae7fafb64eb47c4a6ad38
Powered by blists - more mailing lists