| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025123015-CVE-2022-50829-2142@gregkh> Date: Tue, 30 Dec 2025 13:13:15 +0100 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2022-50829: wifi: ath9k: hif_usb: Fix use-after-free in ath9k_hif_usb_reg_in_cb() From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: wifi: ath9k: hif_usb: Fix use-after-free in ath9k_hif_usb_reg_in_cb() It is possible that skb is freed in ath9k_htc_rx_msg(), then usb_submit_urb() fails and we try to free skb again. It causes use-after-free bug. Moreover, if alloc_skb() fails, urb->context becomes NULL but rx_buf is not freed and there can be a memory leak. The patch removes unnecessary nskb and makes skb processing more clear: it is supposed that ath9k_htc_rx_msg() either frees old skb or passes its managing to another callback function. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. The Linux kernel CVE team has assigned CVE-2022-50829 to this issue. Affected and fixed versions =========================== Issue introduced in 3.0 with commit 3deff76095c4ac4252e27c537db3041f619c23a2 and fixed in 4.9.337 with commit 5e8751a977a49a6e00cce1a8da5ca16da83f9c8c Issue introduced in 3.0 with commit 3deff76095c4ac4252e27c537db3041f619c23a2 and fixed in 4.14.303 with commit f127c2b4c967025e5c3a4ce7e13b79135d46a33d Issue introduced in 3.0 with commit 3deff76095c4ac4252e27c537db3041f619c23a2 and fixed in 4.19.270 with commit 0c8dd2ea4b419da96ab4953e4967e9363e2f8a4f Issue introduced in 3.0 with commit 3deff76095c4ac4252e27c537db3041f619c23a2 and fixed in 5.4.229 with commit 988bd27de2484faf17afe0408db2e3d9e5ac61fc Issue introduced in 3.0 with commit 3deff76095c4ac4252e27c537db3041f619c23a2 and fixed in 5.10.163 with commit 98d9172822dc6f38138333941984bd759a89d419 Issue introduced in 3.0 with commit 3deff76095c4ac4252e27c537db3041f619c23a2 and fixed in 5.15.86 with commit 355f16f756aad0c95cdaa0c14a34ab4137d32815 Issue introduced in 3.0 with commit 3deff76095c4ac4252e27c537db3041f619c23a2 and fixed in 6.0.16 with commit 53b9bb1a00c4285ee7f58a11129dbea015db61bc Issue introduced in 3.0 with commit 3deff76095c4ac4252e27c537db3041f619c23a2 and fixed in 6.1.2 with commit 71fc0ad671a62c494d2aec731baeabd3bfe6c95d Issue introduced in 3.0 with commit 3deff76095c4ac4252e27c537db3041f619c23a2 and fixed in 6.2 with commit dd95f2239fc846795fc926787c3ae0ca701c9840 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2022-50829 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: drivers/net/wireless/ath/ath9k/hif_usb.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/5e8751a977a49a6e00cce1a8da5ca16da83f9c8c https://git.kernel.org/stable/c/f127c2b4c967025e5c3a4ce7e13b79135d46a33d https://git.kernel.org/stable/c/0c8dd2ea4b419da96ab4953e4967e9363e2f8a4f https://git.kernel.org/stable/c/988bd27de2484faf17afe0408db2e3d9e5ac61fc https://git.kernel.org/stable/c/98d9172822dc6f38138333941984bd759a89d419 https://git.kernel.org/stable/c/355f16f756aad0c95cdaa0c14a34ab4137d32815 https://git.kernel.org/stable/c/53b9bb1a00c4285ee7f58a11129dbea015db61bc https://git.kernel.org/stable/c/71fc0ad671a62c494d2aec731baeabd3bfe6c95d https://git.kernel.org/stable/c/dd95f2239fc846795fc926787c3ae0ca701c9840
Powered by blists - more mailing lists