7.8

CVE-2022-50179

ath9k: fix use-after-free in ath9k_hif_usb_rx_cb

In the Linux kernel, the following vulnerability has been resolved:

ath9k: fix use-after-free in ath9k_hif_usb_rx_cb

Syzbot reported use-after-free Read in ath9k_hif_usb_rx_cb() [0]. The
problem was in incorrect htc_handle->drv_priv initialization.

Probable call trace which can trigger use-after-free:

ath9k_htc_probe_device()
  /* htc_handle->drv_priv = priv; */
  ath9k_htc_wait_for_target()      <--- Failed
  ieee80211_free_hw()		   <--- priv pointer is freed

<IRQ>
...
ath9k_hif_usb_rx_cb()
  ath9k_hif_usb_rx_stream()
   RX_STAT_INC()		<--- htc_handle->drv_priv access

In order to not add fancy protection for drv_priv we can move
htc_handle->drv_priv initialization at the end of the
ath9k_htc_probe_device() and add helper macro to make
all *_STAT_* macros NULL safe, since syzbot has reported related NULL
deref in that macros [1]
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LinuxLinux Kernel Version >= 2.6.35 < 4.14.291
LinuxLinux Kernel Version >= 4.15 < 4.19.256
LinuxLinux Kernel Version >= 4.20 < 5.4.211
LinuxLinux Kernel Version >= 5.5 < 5.10.137
LinuxLinux Kernel Version >= 5.11 < 5.15.61
LinuxLinux Kernel Version >= 5.16 < 5.18.18
LinuxLinux Kernel Version >= 5.19 < 5.19.2
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.21% 0.116
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.8 1.8 5.9
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE-416 Use After Free

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

https://git.kernel.org/stable/c/62bc1ea5c7401d77eaf73d0c6a15f3d2e742856e
Patch
https://git.kernel.org/stable/c/ab7a0ddf5f1cdec63cb21840369873806fc36d80
Patch
https://git.kernel.org/stable/c/e9e21206b8ea62220b486310c61277e7ebfe7cec
Patch
https://git.kernel.org/stable/c/eccd7c3e2596b574241a7670b5b53f5322f470e5
Patch
https://git.kernel.org/stable/c/03ca957c5f7b55660957eda20b5db4110319ac7a
Patch
https://git.kernel.org/stable/c/6b14ab47937ba441e75e8dbb9fbfc9c55efa41c6
Patch
https://git.kernel.org/stable/c/b66ebac40f64336ae2d053883bee85261060bd27
Patch
https://git.kernel.org/stable/c/0ac4827f78c7ffe8eef074bc010e7e34bc22f533
Patch