CVE-2022-49112
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2022-49112
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49112.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2022-49112
- Downstream
- Related
- Published
- 2025-02-26T07:00:48Z
- Modified
- 2025-08-09T20:01:27Z
- Summary
- [none]
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
mt76: fix monitor mode crash with sdio driver
mt7921s driver may receive frames with fragment buffers. If there is a CTS packet received in monitor mode, the payload is 10 bytes only and need 6 bytes header padding after RXD buffer. However, only RXD in the first linear buffer, if we pull buffer size RXD-size+6 bytes with skbpull(), that would trigger "BUGON(skb->len < skb->datalen)" in _skb_pull().
To avoid the nonlinear buffer issue, enlarge the RXD size from 128 to 256 to make sure all MCU operation in linear buffer.
[ 52.007562] kernel BUG at include/linux/skbuff.h:2313! [ 52.007578] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP [ 52.007987] pc : skbpull+0x48/0x4c [ 52.008015] lr : mt7921queuerxskb+0x494/0x890 [mt7921common] [ 52.008361] Call trace: [ 52.008377] skbpull+0x48/0x4c [ 52.008400] mt76snetworker+0x134/0x1b0 [mt76sdio 35339a92c6eb7d4bbcc806a1d22f56365565135c] [ 52.008431] _mt76workerfn+0xe8/0x170 [mt76 ef716597d11a77150bc07e3fdd68eeb0f9b56917] [ 52.008449] kthread+0x148/0x3ac [ 52.008466] retfromfork+0x10/0x30
- References