CVE-2022-48875

In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: sdata can be NULL during AMPDU start ieee80211_tx_ba_session_handle_start() may get NULL for sdata when a deauthentication is ongoing. Here a trace triggering the race with the hostapd test multi_ap_fronthaul_on_ap: (gdb) list *drv_ampdu_action+0x46 0x8b16 is in drv_ampdu_action (net/mac80211/driver-ops.c:396). 391 int ret = -EOPNOTSUPP; 392 393 might_sleep(); 394 395 sdata = get_bss_sdata(sdata); 396 if (!check_sdata_in_driver(sdata)) 397 return -EIO; 398 399 trace_drv_ampdu_action(local, sdata, params); 400 wlan0: moving STA 02:00:00:00:03:00 to state 3 wlan0: associated wlan0: deauthenticating from 02:00:00:00:03:00 by local choice (Reason: 3=DEAUTH_LEAVING) wlan3.sta1: Open BA session requested for 02:00:00:00:00:00 tid 0 wlan3.sta1: dropped frame to 02:00:00:00:00:00 (unauthorized port) wlan0: moving STA 02:00:00:00:03:00 to state 2 wlan0: moving STA 02:00:00:00:03:00 to state 1 wlan0: Removed STA 02:00:00:00:03:00 wlan0: Destroyed STA 02:00:00:00:03:00 BUG: unable to handle page fault for address: fffffffffffffb48 PGD 11814067 P4D 11814067 PUD 11816067 PMD 0 Oops: 0000 [#1] PREEMPT SMP PTI CPU: 2 PID: 133397 Comm: kworker/u16:1 Tainted: G W 6.1.0-rc8-wt+ #59 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-20220807_005459-localhost 04/01/2014 Workqueue: phy3 ieee80211_ba_session_work [mac80211] RIP: 0010:drv_ampdu_action+0x46/0x280 [mac80211] Code: 53 48 89 f3 be 89 01 00 00 e8 d6 43 bf ef e8 21 46 81 f0 83 bb a0 1b 00 00 04 75 0e 48 8b 9b 28 0d 00 00 48 81 eb 10 0e 00 00 <8b> 93 58 09 00 00 f6 c2 20 0f 84 3b 01 00 00 8b 05 dd 1c 0f 00 85 RSP: 0018:ffffc900025ebd20 EFLAGS: 00010287 RAX: 0000000000000000 RBX: fffffffffffff1f0 RCX: ffff888102228240 RDX: 0000000080000000 RSI: ffffffff918c5de0 RDI: ffff888102228b40 RBP: ffffc900025ebd40 R08: 0000000000000001 R09: 0000000000000001 R10: 0000000000000001 R11: 0000000000000000 R12: ffff888118c18ec0 R13: 0000000000000000 R14: ffffc900025ebd60 R15: ffff888018b7efb8 FS: 0000000000000000(0000) GS:ffff88817a600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: fffffffffffffb48 CR3: 0000000105228006 CR4: 0000000000170ee0 Call Trace: <TASK> ieee80211_tx_ba_session_handle_start+0xd0/0x190 [mac80211] ieee80211_ba_session_work+0xff/0x2e0 [mac80211] process_one_work+0x29f/0x620 worker_thread+0x4d/0x3d0 ? process_one_work+0x620/0x620 kthread+0xfb/0x120 ? kthread_complete_and_exit+0x20/0x20 ret_from_fork+0x22/0x30 </TASK>
Configurations

Configuration 1 (hide)

OR cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

History

04 Sep 2024, 18:33

Type Values Removed Values Added
CPE cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
CWE CWE-476
First Time Linux linux Kernel
Linux
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 5.5
References () https://git.kernel.org/stable/c/187523fa7c2d4c780f775cb869216865c4a909ef - () https://git.kernel.org/stable/c/187523fa7c2d4c780f775cb869216865c4a909ef - Patch
References () https://git.kernel.org/stable/c/69403bad97aa0162e3d7911b27e25abe774093df - () https://git.kernel.org/stable/c/69403bad97aa0162e3d7911b27e25abe774093df - Patch
References () https://git.kernel.org/stable/c/a12fd43bd175fa52c82f9740179d38c34ca1b62e - () https://git.kernel.org/stable/c/a12fd43bd175fa52c82f9740179d38c34ca1b62e - Patch
References () https://git.kernel.org/stable/c/c838df8461a601b20dc1b9fb1834d2aad8e2f949 - () https://git.kernel.org/stable/c/c838df8461a601b20dc1b9fb1834d2aad8e2f949 - Patch
Summary
  • (es) En el kernel de Linux, se resolvió la siguiente vulnerabilidad: wifi: mac80211: sdata puede ser NULL durante el inicio de AMPDU. ieee80211_tx_ba_session_handle_start() puede obtener NULL para sdata cuando se está realizando una desautenticación. Aquí un rastro que desencadena la ejecución con la prueba hostapd multi_ap_fronthaul_on_ap: (gdb) list *drv_ampdu_action+0x46 0x8b16 está en drv_ampdu_action (net/mac80211/driver-ops.c:396). 391 int ret = -EOPNOTSUPP; 392 393 podría_dormir(); 394 395 sdata = get_bss_sdata(sdata); 396 si (!check_sdata_in_driver(sdata)) 397 retorno -EIO; 398 399 trace_drv_ampdu_action(local, sdata, params); 400 wlan0: mover STA 02:00:00:00:03:00 al estado 3 wlan0: wlan0 asociado: desautenticar desde 02:00:00:00:03:00 por elección local (Razón: 3=DEAUTH_LEAVING) wlan3.sta1 : Sesión de BA abierta solicitada para 02:00:00:00:00:00 tid 0 wlan3.sta1: cuadro eliminado a 02:00:00:00:00:00 (puerto no autorizado) wlan0: moviendo STA 02:00:00 :00:03:00 al estado 2 wlan0: moviendo STA 02:00:00:00:03:00 al estado 1 wlan0: STA eliminada 02:00:00:00:03:00 wlan0: STA destruida 02:00: 00:00:03:00 ERROR: no se puede manejar el error de página para la dirección: fffffffffffffffb48 PGD 11814067 P4D 11814067 PUD 11816067 PMD 0 Ups: 0000 [#1] PREEMPT SMP PTI CPU: 2 PID: 133397 Comm: kworker/u16:1 Tainted : GW 6.1.0-rc8-wt+ #59 Nombre del hardware: PC estándar QEMU (Q35 + ICH9, 2009), BIOS 1.16.0-20220807_005459-localhost 01/04/2014 Cola de trabajo: phy3 ieee80211_ba_session_work [mac80211] RIP: _ampdu_acción +0x46/0x280 [mac80211] Código: 53 48 89 f3 be 89 01 00 00 e8 d6 43 bf ef e8 21 46 81 f0 83 bb a0 1b 00 00 04 75 0e 48 8b 9b 28 0d 00 00 48 81 10 0e 00 00 &lt;8b&gt; 93 58 09 00 00 f6 c2 20 0f 84 3b 01 00 00 8b 05 dd 1c 0f 00 85 RSP: 0018:ffffc900025ebd20 EFLAGS: 00010287 RAX: 0000000000000000 RBX: ffffffffffff1f0 RCX: ffff888102228240 RDX: 0000000080000000 RSI: ffffffff918c5de0 RDI: ffff888102228b40 RBP: ffffc900025ebd40 R08: 0000000000000001 R09: 0000000000000001 R10: 00000000000000001 R11: 0000000000000000 R12: 888118c18ec0 R13: 0000000000000000 R14: ffffc900025ebd60 R15: ffff888018b7efb8 FS: 0000000000000000(0000) GS:ffff88817a600000(0000) 0000000000000 CS: 0010 DS: 0000 ES : 0000 CR0: 0000000080050033 CR2: fffffffffffffb48 CR3: 0000000105228006 CR4: 0000000000170ee0 Seguimiento de llamadas: ieee80211_tx_ba_session_handle_start+0xd0/0x190 11] ieee80211_ba_session_work+0xff/0x2e0 [mac80211] Process_one_work+0x29f/0x620 trabajador_thread+0x4d/0x3d0? proceso_one_work+0x620/0x620 kthread+0xfb/0x120 ? kthread_complete_and_exit+0x20/0x20 ret_from_fork+0x22/0x30

21 Aug 2024, 07:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-08-21 07:15

Updated : 2024-09-04 18:33


NVD link : CVE-2022-48875

Mitre link : CVE-2022-48875

CVE.ORG link : CVE-2022-48875


JSON object : View

Products Affected

linux

  • linux_kernel
CWE
CWE-476

NULL Pointer Dereference