CVE-2022-49051

The metadata array (descoffset..descoffset+2*pkt_count) can be out of bounds, causing OOB reads and (on big-endian systems) OOB endianness flips.
A packet can overlap the metadata array, causing a later OOB endianness flip to corrupt data used by a cloned SKB that has already been handed off into the network stack.
A packet SKB can be constructed whose tail is far beyond its end, causing out-of-bounds heap data to be considered part of the SKB's data.

Found doing variant analysis. Tested it with another driver (ax88179_178a), since I don't have a aqc111 device to test it, but the code looks very similar.

Database specific

{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49051.json"
}

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

17364b805f5b9016bb528241ba91481e3497e5e1

Fixed

404998a137bcb8a926f7c949030afbe285472593

Fixed

d90df6da50c56ad8b1a132e3cf86b6cdf8f507b7

Fixed

b416898442f2b6aa9f1b2f2968ce07e3abaa05f7

Fixed

36311fe98f55dea9200c69e2dd6d6ddb8fc94080

Fixed

afb8e246527536848b9b4025b40e613edf776a9d

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49051.json"

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.0.0

Fixed

5.4.190

Type: ECOSYSTEM
Events: Introduced

5.5.0

Fixed

5.10.112

Type: ECOSYSTEM
Events: Introduced

5.11.0

Fixed

5.15.35

Type: ECOSYSTEM
Events: Introduced

5.16.0

Fixed

5.17.4

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49051.json"