CVE-2022-49235

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-49235
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-49235.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-49235
Published
2025-02-26T07:01:00Z
Modified
2025-03-18T20:50:41.813546Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

ath9k_htc: fix uninit value bugs

Syzbot reported 2 KMSAN bugs in ath9k. All of them are caused by missing field initialization.

In htc_connect_service() svc_meta_len and pad are not initialized. Based on code it looks like in current skb there is no service data, so simply initialize svc_meta_len to 0.

htc_issue_send() does not initialize htc_frame_hdr::control array. Based on firmware code, it will initialize it by itself, so simply zero whole array to make KMSAN happy

Fail logs:

BUG: KMSAN: kernel-usb-infoleak in usb_submit_urb+0x6c1/0x2aa0 drivers/usb/core/urb.c:430
 usb_submit_urb+0x6c1/0x2aa0 drivers/usb/core/urb.c:430
 hif_usb_send_regout drivers/net/wireless/ath/ath9k/hif_usb.c:127 [inline]
 hif_usb_send+0x5f0/0x16f0 drivers/net/wireless/ath/ath9k/hif_usb.c:479
 htc_issue_send drivers/net/wireless/ath/ath9k/htc_hst.c:34 [inline]
 htc_connect_service+0x143e/0x1960 drivers/net/wireless/ath/ath9k/htc_hst.c:275
...

Uninit was created at:
 slab_post_alloc_hook mm/slab.h:524 [inline]
 slab_alloc_node mm/slub.c:3251 [inline]
 __kmalloc_node_track_caller+0xe0c/0x1510 mm/slub.c:4974
 kmalloc_reserve net/core/skbuff.c:354 [inline]
 __alloc_skb+0x545/0xf90 net/core/skbuff.c:426
 alloc_skb include/linux/skbuff.h:1126 [inline]
 htc_connect_service+0x1029/0x1960 drivers/net/wireless/ath/ath9k/htc_hst.c:258
...

Bytes 4-7 of 18 are uninitialized
Memory access of size 18 starts at ffff888027377e00

BUG: KMSAN: kernel-usb-infoleak in usb_submit_urb+0x6c1/0x2aa0 drivers/usb/core/urb.c:430
 usb_submit_urb+0x6c1/0x2aa0 drivers/usb/core/urb.c:430
 hif_usb_send_regout drivers/net/wireless/ath/ath9k/hif_usb.c:127 [inline]
 hif_usb_send+0x5f0/0x16f0 drivers/net/wireless/ath/ath9k/hif_usb.c:479
 htc_issue_send drivers/net/wireless/ath/ath9k/htc_hst.c:34 [inline]
 htc_connect_service+0x143e/0x1960 drivers/net/wireless/ath/ath9k/htc_hst.c:275
...

Uninit was created at:
 slab_post_alloc_hook mm/slab.h:524 [inline]
 slab_alloc_node mm/slub.c:3251 [inline]
 __kmalloc_node_track_caller+0xe0c/0x1510 mm/slub.c:4974
 kmalloc_reserve net/core/skbuff.c:354 [inline]
 __alloc_skb+0x545/0xf90 net/core/skbuff.c:426
 alloc_skb include/linux/skbuff.h:1126 [inline]
 htc_connect_service+0x1029/0x1960 drivers/net/wireless/ath/ath9k/htc_hst.c:258
...

Bytes 16-17 of 18 are uninitialized
Memory access of size 18 starts at ffff888027377e00
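
An added example, not kernel code and not part of the advisory: a user-space C model of the 18-byte frame from the fail logs, built over two different stale fills so that any byte that follows the fill is one that would reach the USB device uninitialized. The flat struct layout, every field name other than control, svc_meta_len and pad, and the sample values are assumptions chosen so that the offsets match the report.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Layout assumed for this example, sized so offsets match the KMSAN report. */
struct __attribute__((packed)) frame {
    uint8_t  endpoint_id, flags;            /* frame header, 8 bytes */
    uint16_t payload_len;
    uint8_t  control[4];                    /* frame bytes 4-7 */
    uint16_t msg_id, service_id, con_flags; /* connect-service message, 10 bytes */
    uint8_t  dl_pipeid, ul_pipeid;
    uint8_t  svc_meta_len, pad;             /* frame bytes 16-17 */
};

/* `stale` models what the allocator left behind; `fixed` applies the zeroing. */
static void build_frame(uint8_t *out, uint8_t stale, int fixed)
{
    struct frame f;
    memset(&f, stale, sizeof(f));   /* buffer is allocated but not zeroed */
    f.endpoint_id = f.flags = 0;    /* constructed sample values below */
    f.payload_len = 10;
    f.msg_id = 2;
    f.service_id = 0x0100;
    f.con_flags = 0;
    f.dl_pipeid = 1;
    f.ul_pipeid = 2;
    if (fixed) {
        memset(f.control, 0, sizeof(f.control));
        f.svc_meta_len = 0;
        f.pad = 0;                  /* assumption: pad is zeroed as well */
    }
    memcpy(out, &f, sizeof(f));
}

/* Bit i is set when frame byte i follows the stale fill, i.e. would leak. */
uint32_t leaked_bytes(int fixed)
{
    uint8_t a[sizeof(struct frame)], b[sizeof(struct frame)];
    uint32_t mask = 0;
    build_frame(a, 0x5A, fixed);
    build_frame(b, 0xA5, fixed);
    for (size_t i = 0; i < sizeof(a); i++)
        mask |= (uint32_t)(a[i] != b[i]) << i;
    return mask;
}

int main(void)
{
    printf("before %#x after %#x\n", (unsigned)leaked_bytes(0), (unsigned)leaked_bytes(1));
}
```

Comparing two builds avoids mistaking a legitimately written byte for stale data, which a single fixed poison value cannot rule out.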

Affected packages

Debian:11 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.10.113-1

Affected versions

5.*

5.10.46-4
5.10.46-5
5.10.70-1~bpo10+1
5.10.70-1
5.10.84-1
5.10.92-1~bpo10+1
5.10.92-1
5.10.92-2
5.10.103-1~bpo10+1
5.10.103-1
5.10.106-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.17.3-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.17.3-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}