Message-ID: <2025122421-CVE-2022-50709-54af@gregkh>
Date: Wed, 24 Dec 2025 11:56:26 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2022-50709: wifi: ath9k: avoid uninit memory read in ath9k_htc_rx_msg()
From: Greg Kroah-Hartman <gregkh@...nel.org>
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath9k: avoid uninit memory read in ath9k_htc_rx_msg()
syzbot is reporting uninit value at ath9k_htc_rx_msg() [1], for
ioctl(USB_RAW_IOCTL_EP_WRITE) can call ath9k_hif_usb_rx_stream() with
pkt_len = 0 but ath9k_hif_usb_rx_stream() uses
__dev_alloc_skb(pkt_len + 32, GFP_ATOMIC) based on an assumption that
pkt_len is valid. As a result, ath9k_hif_usb_rx_stream() allocates skb
with uninitialized memory and ath9k_htc_rx_msg() is reading from
uninitialized memory.
Since the bytes accessed by ath9k_htc_rx_msg() are not known until
ath9k_htc_rx_msg() is called, it would be difficult to check the minimal valid
pkt_len at the "if (pkt_len > 2 * MAX_RX_BUF_SIZE) {" line in
ath9k_hif_usb_rx_stream().
We have two choices. One is to workaround by adding __GFP_ZERO so that
ath9k_htc_rx_msg() sees 0 if pkt_len is invalid. The other is to let
ath9k_htc_rx_msg() validate pkt_len before accessing. This patch chose
the latter.
Note that I'm not sure the threshold condition is correct, for I can't find
details on the possible packet lengths used by this protocol.
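The pattern behind this issue, as an added example that is not the ath9k driver's code nor the fix commit itself: a receive handler that reads a message header out of a buffer whose valid length may be zero, shown unchecked (the reported defect) and with the length validated before any field is dereferenced (the approach the patch description says it chose). The header layout, the `rx_buf` stand-in for an skb, `FRAME_HDR_LEN` and `MAX_ENDPOINT` are simplified assumptions for illustration, and the allocation helper only mirrors the `pkt_len + 32` allocation mentioned above.

```c
/* Added example, not the ath9k driver's code: a minimal stand-in for a
 * message-header parse on a received buffer, with and without the
 * length check that must precede the first read. Names and layout are
 * hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical 4-byte wire header: endpoint id, flags, 16-bit payload length. */
#define FRAME_HDR_LEN 4
#define MAX_ENDPOINT  22   /* hypothetical upper bound on endpoint ids */

struct frame_hdr {
    uint8_t  endpoint_id;
    uint8_t  flags;
    uint16_t payload_len;  /* big-endian on the wire */
};

/* Simplified stand-in for an skb: data pointer plus the valid length. */
struct rx_buf {
    uint8_t *data;
    size_t   len;
};

enum { RX_OK = 0, RX_ERR_TOO_SHORT = -1, RX_ERR_BAD_ENDPOINT = -2 };

static uint16_t get_be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Vulnerable pattern: header fields are read straight from data without
 * checking that len covers them. With len == 0 the bytes read are whatever
 * the allocator left behind, i.e. uninitialised memory. Kept for contrast
 * only; never call it on a buffer shorter than FRAME_HDR_LEN. */
static int rx_msg_unchecked(const struct rx_buf *buf, struct frame_hdr *out)
{
    out->endpoint_id = buf->data[0];
    out->flags       = buf->data[1];
    out->payload_len = get_be16(&buf->data[2]);
    return RX_OK;
}

/* Hardened pattern: validate the length before any field is dereferenced,
 * then validate the fields that are later used as indices or lengths. */
static int rx_msg_checked(const struct rx_buf *buf, struct frame_hdr *out)
{
    if (buf->len < FRAME_HDR_LEN)
        return RX_ERR_TOO_SHORT;

    out->endpoint_id = buf->data[0];
    out->flags       = buf->data[1];
    out->payload_len = get_be16(&buf->data[2]);

    if (out->endpoint_id >= MAX_ENDPOINT)
        return RX_ERR_BAD_ENDPOINT;
    /* The header's own payload length must also fit in the valid bytes. */
    if ((size_t)out->payload_len > buf->len - FRAME_HDR_LEN)
        return RX_ERR_TOO_SHORT;
    return RX_OK;
}

/* Mirrors the allocation in the report: pkt_len + 32 bytes, left
 * uninitialised, with only pkt_len of them considered valid. */
static struct rx_buf alloc_like_rx_stream(size_t pkt_len)
{
    struct rx_buf b;
    b.data = malloc(pkt_len + 32);
    b.len = pkt_len;
    return b;
}

/* Runs the constructed cases and returns how many behaved as expected. */
static int self_test(void)
{
    struct frame_hdr h;
    uint8_t good[]   = {1, 0, 0x00, 0x02, 0xaa, 0xbb}; /* constructed */
    uint8_t bad_ep[] = {30, 0, 0x00, 0x00};           /* constructed */
    uint8_t over[]   = {1, 0, 0x00, 0x10};            /* constructed */
    struct rx_buf g  = {good, sizeof good};
    struct rx_buf s  = {good, 3};
    struct rx_buf e  = {bad_ep, sizeof bad_ep};
    struct rx_buf o  = {over, sizeof over};
    struct rx_buf z  = alloc_like_rx_stream(0);       /* pkt_len = 0 */
    int ok = 0;

    ok += rx_msg_checked(&g, &h) == RX_OK && h.endpoint_id == 1 && h.payload_len == 2;
    ok += rx_msg_checked(&s, &h) == RX_ERR_TOO_SHORT;
    ok += rx_msg_checked(&z, &h) == RX_ERR_TOO_SHORT; /* rejected before any read */
    ok += rx_msg_checked(&e, &h) == RX_ERR_BAD_ENDPOINT;
    ok += rx_msg_checked(&o, &h) == RX_ERR_TOO_SHORT;
    /* On a buffer that is long enough both parsers agree. */
    ok += rx_msg_unchecked(&g, &h) == RX_OK && h.payload_len == 2;

    free(z.data);
    return ok;
}

int main(void)
{
    printf("%d of 6 cases behaved as expected\n", self_test());
    return 0;
}
```

The zero-length case is the one the report describes: the unchecked parser would read four bytes from a 32-byte allocation of which none are valid, while the checked parser returns before touching the data. The endpoint bound and payload-length check are the kind of follow-on validation a parser needs once the header itself is trusted.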
The Linux kernel CVE team has assigned CVE-2022-50709 to this issue.
Affected and fixed versions
===========================
Fixed in 4.14.296 with commit f3d2a3b7e290d0bdbddfcee5a6c3d922e2b7e02a
Fixed in 4.19.262 with commit 84242f15f911f34aec9b22f99d1e9bff19723dbe
Fixed in 5.4.220 with commit 2c485f4f2a64258acc5228e78ffb828c68d9e770
Fixed in 5.10.150 with commit 9661724f6206bd606ecf13acada676a9975d230b
Fixed in 5.15.75 with commit b1b4144508adfc585e43856b31baaf9008a3beb4
Fixed in 5.19.17 with commit 0d2649b288b7b9484e3d4380c0d6c4720a17e473
Fixed in 6.0.3 with commit 4891a50f5ed8bfcb8f2a4b816b0676f398687783
Fixed in 6.1 with commit b383e8abed41cc6ff1a3b34de75df9397fa4878c
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2022-50709
will be updated if fixes are backported; please check that for the most
up-to-date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
drivers/net/wireless/ath/ath9k/htc_hst.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/f3d2a3b7e290d0bdbddfcee5a6c3d922e2b7e02a
https://git.kernel.org/stable/c/84242f15f911f34aec9b22f99d1e9bff19723dbe
https://git.kernel.org/stable/c/2c485f4f2a64258acc5228e78ffb828c68d9e770
https://git.kernel.org/stable/c/9661724f6206bd606ecf13acada676a9975d230b
https://git.kernel.org/stable/c/b1b4144508adfc585e43856b31baaf9008a3beb4
https://git.kernel.org/stable/c/0d2649b288b7b9484e3d4380c0d6c4720a17e473
https://git.kernel.org/stable/c/4891a50f5ed8bfcb8f2a4b816b0676f398687783
https://git.kernel.org/stable/c/b383e8abed41cc6ff1a3b34de75df9397fa4878c