CVE-2022-49235

Source
https://cve.org/CVERecord?id=CVE-2022-49235
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49235.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-49235
Downstream
Related
Published
2025-02-26T01:56:00.212Z
Modified
2026-03-20T12:22:17.081403Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
ath9k_htc: fix uninit value bugs
Details

In the Linux kernel, the following vulnerability has been resolved:

ath9k_htc: fix uninit value bugs

Syzbot reported 2 KMSAN bugs in ath9k. All of them are caused by missing field initialization.

In htc_connect_service() svc_meta_len and pad are not initialized. Based on code it looks like in current skb there is no service data, so simply initialize svc_meta_len to 0.

htc_issue_send() does not initialize htc_frame_hdr::control array. Based on firmware code, it will initialize it by itself, so simply zero whole array to make KMSAN happy.

Fail logs:

BUG: KMSAN: kernel-usb-infoleak in usb_submit_urb+0x6c1/0x2aa0 drivers/usb/core/urb.c:430
 usb_submit_urb+0x6c1/0x2aa0 drivers/usb/core/urb.c:430
 hif_usb_send_regout drivers/net/wireless/ath/ath9k/hif_usb.c:127 [inline]
 hif_usb_send+0x5f0/0x16f0 drivers/net/wireless/ath/ath9k/hif_usb.c:479
 htc_issue_send drivers/net/wireless/ath/ath9k/htc_hst.c:34 [inline]
 htc_connect_service+0x143e/0x1960 drivers/net/wireless/ath/ath9k/htc_hst.c:275
...

Uninit was created at:
 slab_post_alloc_hook mm/slab.h:524 [inline]
 slab_alloc_node mm/slub.c:3251 [inline]
 __kmalloc_node_track_caller+0xe0c/0x1510 mm/slub.c:4974
 kmalloc_reserve net/core/skbuff.c:354 [inline]
 __alloc_skb+0x545/0xf90 net/core/skbuff.c:426
 alloc_skb include/linux/skbuff.h:1126 [inline]
 htc_connect_service+0x1029/0x1960 drivers/net/wireless/ath/ath9k/htc_hst.c:258
...

Bytes 4-7 of 18 are uninitialized
Memory access of size 18 starts at ffff888027377e00

BUG: KMSAN: kernel-usb-infoleak in usb_submit_urb+0x6c1/0x2aa0 drivers/usb/core/urb.c:430
 usb_submit_urb+0x6c1/0x2aa0 drivers/usb/core/urb.c:430
 hif_usb_send_regout drivers/net/wireless/ath/ath9k/hif_usb.c:127 [inline]
 hif_usb_send+0x5f0/0x16f0 drivers/net/wireless/ath/ath9k/hif_usb.c:479
 htc_issue_send drivers/net/wireless/ath/ath9k/htc_hst.c:34 [inline]
 htc_connect_service+0x143e/0x1960 drivers/net/wireless/ath/ath9k/htc_hst.c:275
...

Uninit was created at:
 slab_post_alloc_hook mm/slab.h:524 [inline]
 slab_alloc_node mm/slub.c:3251 [inline]
 __kmalloc_node_track_caller+0xe0c/0x1510 mm/slub.c:4974
 kmalloc_reserve net/core/skbuff.c:354 [inline]
 __alloc_skb+0x545/0xf90 net/core/skbuff.c:426
 alloc_skb include/linux/skbuff.h:1126 [inline]
 htc_connect_service+0x1029/0x1960 drivers/net/wireless/ath/ath9k/htc_hst.c:258
...

Bytes 16-17 of 18 are uninitialized
Memory access of size 18 starts at ffff888027377e00
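
The missing-initialisation pattern described in the commit message above, as an added example that is not kernel code and not part of the advisory. It is a user-space model: the `struct frame` layout, the sample field values and the poison bytes are assumptions, chosen so the 18-byte frame lines up with the offsets in the KMSAN report.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Assumed layout, modelled on the names in the advisory and sized to
 * match the 18-byte transfer in the KMSAN report (not kernel source). */
struct frame {
    uint8_t  endpoint_id, flags;
    uint16_t payload_len;
    uint8_t  control[4];            /* htc_frame_hdr::control: bytes 4-7 */
    uint16_t msg_id, service_id, con_flags;
    uint8_t  dl_pipeid, ul_pipeid;
    uint8_t  svc_meta_len, pad;     /* bytes 16-17 */
} __attribute__((packed));

/* Field-by-field fill over stale heap contents (the poison byte). */
static void build_frame(struct frame *f, uint8_t poison, int fixed)
{
    memset(f, poison, sizeof(*f));
    f->endpoint_id = 0;
    f->flags = 0;
    f->payload_len = 10;            /* constructed sample values */
    f->msg_id = 2;
    f->service_id = 0x0100;
    f->con_flags = 0;
    f->dl_pipeid = 1;
    f->ul_pipeid = 2;
    if (fixed) {                    /* the initialisation the fix adds */
        memset(f->control, 0, sizeof(f->control));
        f->svc_meta_len = 0;
        f->pad = 0;                 /* example also clears pad */
    }
}

/* Bit i set = byte i differs across two poisons, so it was never written. */
static uint32_t leaked_bytes(int fixed)
{
    struct frame a, b;
    uint32_t mask = 0;
    build_frame(&a, 0xAA, fixed);
    build_frame(&b, 0x55, fixed);
    for (size_t i = 0; i < sizeof(a); i++)
        if (((uint8_t *)&a)[i] != ((uint8_t *)&b)[i])
            mask |= 1u << i;
    return mask;
}

int main(void)
{
    printf("%#x %#x\n", (unsigned)leaked_bytes(0), (unsigned)leaked_bytes(1));
}
```

Building the frame twice with different fill bytes and comparing the results flags exactly the offsets the sender never wrote, which makes it usable as a unit-test check for any buffer that leaves the trust boundary.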

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49235.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
fb9987d0f748c983bb795a86f47522313f701a08
Fixed
5c2a6a8daa17a3f65b38b9a5574bb362c13fa1d9
Fixed
e352acdd378e9263cc4c6018e588f2dac7161d07
Fixed
ee4222052a76559c20e821bc3519cefb58b6d3e9
Fixed
4d244b731188e0b63fc40a9d2dec72e9181fb37c
Fixed
11f11ac281f0c0b363d2940204f28bae0422ed71
Fixed
0b700f7d06492de34964b6f414120043364f8191
Fixed
7da6169b6ebb75816b57be3beb829afa74f3b4b6
Fixed
5abf2b761b998063f5e2bae93fd4ab10e2a80f10
Fixed
d1e0df1c57bd30871dd1c855742a7c346dbca853

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49235.json"