CVE-2022-49235

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-49235
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49235.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-49235
Published
2025-02-26T07:01:00Z
Modified
2025-08-09T20:01:28Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

ath9k_htc: fix uninit value bugs

Syzbot reported 2 KMSAN bugs in ath9k. All of them are caused by missing field initialization.

In htc_connect_service(), svc_meta_len and pad are not initialized. Based on the code, it looks like there is no service data in the current skb, so simply initialize svc_meta_len to 0.

htc_issue_send() does not initialize the htc_frame_hdr::control array. Based on the firmware code, it will initialize it by itself, so simply zero the whole array to make KMSAN happy.

Fail logs:

BUG: KMSAN: kernel-usb-infoleak in usb_submit_urb+0x6c1/0x2aa0 drivers/usb/core/urb.c:430
 usb_submit_urb+0x6c1/0x2aa0 drivers/usb/core/urb.c:430
 hif_usb_send_regout drivers/net/wireless/ath/ath9k/hif_usb.c:127 [inline]
 hif_usb_send+0x5f0/0x16f0 drivers/net/wireless/ath/ath9k/hif_usb.c:479
 htc_issue_send drivers/net/wireless/ath/ath9k/htc_hst.c:34 [inline]
 htc_connect_service+0x143e/0x1960 drivers/net/wireless/ath/ath9k/htc_hst.c:275
 ...

Uninit was created at:
 slab_post_alloc_hook mm/slab.h:524 [inline]
 slab_alloc_node mm/slub.c:3251 [inline]
 __kmalloc_node_track_caller+0xe0c/0x1510 mm/slub.c:4974
 kmalloc_reserve net/core/skbuff.c:354 [inline]
 __alloc_skb+0x545/0xf90 net/core/skbuff.c:426
 alloc_skb include/linux/skbuff.h:1126 [inline]
 htc_connect_service+0x1029/0x1960 drivers/net/wireless/ath/ath9k/htc_hst.c:258
 ...

Bytes 4-7 of 18 are uninitialized
Memory access of size 18 starts at ffff888027377e00

BUG: KMSAN: kernel-usb-infoleak in usb_submit_urb+0x6c1/0x2aa0 drivers/usb/core/urb.c:430
 usb_submit_urb+0x6c1/0x2aa0 drivers/usb/core/urb.c:430
 hif_usb_send_regout drivers/net/wireless/ath/ath9k/hif_usb.c:127 [inline]
 hif_usb_send+0x5f0/0x16f0 drivers/net/wireless/ath/ath9k/hif_usb.c:479
 htc_issue_send drivers/net/wireless/ath/ath9k/htc_hst.c:34 [inline]
 htc_connect_service+0x143e/0x1960 drivers/net/wireless/ath/ath9k/htc_hst.c:275
 ...

Uninit was created at:
 slab_post_alloc_hook mm/slab.h:524 [inline]
 slab_alloc_node mm/slub.c:3251 [inline]
 __kmalloc_node_track_caller+0xe0c/0x1510 mm/slub.c:4974
 kmalloc_reserve net/core/skbuff.c:354 [inline]
 __alloc_skb+0x545/0xf90 net/core/skbuff.c:426
 alloc_skb include/linux/skbuff.h:1126 [inline]
 htc_connect_service+0x1029/0x1960 drivers/net/wireless/ath/ath9k/htc_hst.c:258
 ...

Bytes 16-17 of 18 are uninitialized
Memory access of size 18 starts at ffff888027377e00
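The two leaks the commit describes, reproduced in user space as an added example (not the kernel's or the patch's code): a buffer is pre-filled with a sentinel byte standing in for stale slab contents, the 18-byte connect request is built with and without the fix, and the sentinel bytes that survive are the offsets KMSAN reported. The struct layouts are assumed from the 18-byte access in the log rather than copied from the kernel headers.

```c
#include <stdint.h>
#include <string.h>

/* Wire layouts assumed from the log's 18-byte access: an 8-byte frame header
 * followed by a 10-byte connect-service message (not the kernel's code). */
#pragma pack(push, 1)
struct htc_frame_hdr {
    uint8_t  endpoint_id;
    uint8_t  flags;
    uint16_t payload_len;
    uint8_t  control[4];   /* bytes 4-7 in the log: firmware fills this */
};
struct htc_conn_svc_msg {
    uint16_t msg_id;
    uint16_t service_id;
    uint16_t con_flags;
    uint8_t  dl_pipeid;
    uint8_t  ul_pipeid;
    uint8_t  svc_meta_len; /* bytes 16-17 in the log: never written */
    uint8_t  pad;
};
#pragma pack(pop)

#define STALE    0xA5  /* sentinel standing in for old slab contents */
#define WIRE_LEN (sizeof(struct htc_frame_hdr) + sizeof(struct htc_conn_svc_msg))

/* Build the connect request the way the commit describes, with or without the
 * fix, in a buffer pre-filled with STALE (kmalloc does not zero). Returns how
 * many bytes still carry the sentinel, i.e. would reach the USB device uninitialized. */
static size_t leaked_bytes(int fixed)
{
    uint8_t buf[WIRE_LEN];
    struct htc_frame_hdr *hdr = (struct htc_frame_hdr *)buf;
    struct htc_conn_svc_msg *msg = (struct htc_conn_svc_msg *)(hdr + 1);
    size_t i, leaked = 0;
    memset(buf, STALE, sizeof(buf));
    /* htc_connect_service(): the fields the driver always filled */
    msg->msg_id = 4; msg->service_id = 0x100; msg->con_flags = 0;
    msg->dl_pipeid = 1; msg->ul_pipeid = 2;
    if (fixed)
        msg->svc_meta_len = msg->pad = 0;  /* the fix: no service data here */
    /* htc_issue_send(): header pushed in front of the message */
    hdr->endpoint_id = 0; hdr->flags = 0; hdr->payload_len = sizeof(*msg);
    if (fixed)
        memset(hdr->control, 0, sizeof(hdr->control)); /* the fix */
    for (i = 0; i < sizeof(buf); i++)
        leaked += (buf[i] == STALE);
    return leaked;
}
```

Before the fix six bytes (the four control bytes and svc_meta_len plus pad) leave the host with whatever the allocation held; after it none do.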
