In the Linux kernel, the following vulnerability has been resolved:

wifi: ath9k: avoid uninit memory read in ath9k_htc_rx_msg()

syzbot is reporting uninit value at ath9k_htc_rx_msg() [1], for ioctl(USB_RAW_IOCTL_EP_WRITE) can call ath9k_hif_usb_rx_stream() with pkt_len = 0 but ath9k_hif_usb_rx_stream() uses __dev_alloc_skb(pkt_len + 32, GFP_ATOMIC) based on an assumption that pkt_len is valid. As a result, ath9k_hif_usb_rx_stream() allocates skb with uninitialized memory and ath9k_htc_rx_msg() is reading from uninitialized memory.

Since bytes accessed by ath9k_htc_rx_msg() is not known until ath9k_htc_rx_msg() is called, it would be difficult to check minimal valid pkt_len at "if (pkt_len > 2 * MAX_RX_BUF_SIZE) {" line in ath9k_hif_usb_rx_stream().

We have two choices. One is to workaround by adding __GFP_ZERO so that ath9k_htc_rx_msg() sees 0 if pkt_len is invalid. The other is to let ath9k_htc_rx_msg() validate pkt_len before accessing. This patch chose the latter.

Note that I'm not sure threshold condition is correct, for I can't find details on possible packet length used by this protocol.
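
The second choice described above (the receiver validates the length before it reads anything), as an added userspace C example that is not the kernel patch or the driver's code. The header layout, the `parse_frame` name, the status codes and the rule that endpoint 0 carries a 16-bit message id are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical 8-byte frame header, modeled for illustration; not the
 * driver's struct definition. */
struct frame_hdr {
    uint8_t endpoint_id;
    uint8_t flags;
    uint8_t payload_len[2];   /* big-endian */
    uint8_t control[4];
};

enum { PARSE_OK = 0, PARSE_SHORT_HDR = -1, PARSE_SHORT_MSG = -2 };

struct parsed {
    uint8_t  endpoint_id;
    int      has_msg_id;
    uint16_t msg_id;
};

/* len is the number of bytes actually received, not the allocation size.
 * Every read is preceded by a check that len covers it. */
int parse_frame(const uint8_t *buf, size_t len, struct parsed *out)
{
    struct frame_hdr hdr;

    memset(out, 0, sizeof(*out));
    if (len < sizeof(hdr))
        return PARSE_SHORT_HDR;          /* covers the pkt_len = 0 case */
    memcpy(&hdr, buf, sizeof(hdr));
    out->endpoint_id = hdr.endpoint_id;

    if (hdr.endpoint_id == 0) {          /* assumed: control endpoint */
        if (len < sizeof(hdr) + 2)       /* 16-bit message id follows */
            return PARSE_SHORT_MSG;
        out->msg_id = (uint16_t)((buf[sizeof(hdr)] << 8) | buf[sizeof(hdr) + 1]);
        out->has_msg_id = 1;
    }
    return PARSE_OK;
}

int main(void)
{
    uint8_t stale[32];                   /* constructed: stands in for the */
    struct parsed p;                     /* pkt_len + 32 allocation        */

    memset(stale, 0xAA, sizeof(stale));  /* leftover heap contents */
    printf("pkt_len=0 -> %d\n", parse_frame(stale, 0, &p));
    return 0;
}
```

The buffer is 32 bytes long in every call, so a check against the allocation size would pass; only a check against the received length rejects the empty packet.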