CVE-2022-50179

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-50179
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-50179.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-50179
Published
2025-06-18T11:15:48Z
Modified
2025-08-09T20:01:26Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

ath9k: fix use-after-free in ath9k_hif_usb_rx_cb

Syzbot reported use-after-free Read in ath9k_hif_usb_rx_cb() [0]. The problem was in incorrect htc_handle->drv_priv initialization.

Probable call trace which can trigger use-after-free:

ath9k_htc_probe_device()
  /* htc_handle->drv_priv = priv; */
  ath9k_htc_wait_for_target()      <--- Failed
  ieee80211_free_hw()              <--- priv pointer is freed

<IRQ>
...
ath9k_hif_usb_rx_cb()
  ath9k_hif_usb_rx_stream()
    RX_STAT_INC()                  <--- htc_handle->drv_priv access

In order to not add fancy protection for drv_priv we can move htc_handle->drv_priv initialization at the end of the ath9k_htc_probe_device() and add helper macro to make all *_STAT_* macros NULL safe, since syzbot has reported related NULL deref in those macros [1].

References

Affected packages