CVE-2022-49238

{"id": "CVE-2022-49238", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2025-02-26T07:01:00.790", "references": [{"url": "https://git.kernel.org/stable/c/212ad7cb7d7592669c067125949e0a8e31ce6a0b", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/400705c50bbf184794c885d1efad7fe9ccf1471a", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-416"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nath11k: free peer for station when disconnect from AP for QCA6390/WCN6855\n\nCommit b4a0f54156ac (\"ath11k: move peer delete after vdev stop of station\nfor QCA6390 and WCN6855\") is to fix firmware crash by changing the WMI\ncommand sequence, but actually skip all the peer delete operation, then\nit lead commit 58595c9874c6 (\"ath11k: Fixing dangling pointer issue upon\npeer delete failure\") not take effect, and then happened a use-after-free\nwarning from KASAN. because the peer->sta is not set to NULL and then used\nlater.\n\nChange to only skip the WMI_PEER_DELETE_CMDID for QCA6390/WCN6855.\n\nlog of user-after-free:\n\n[  534.888665] BUG: KASAN: use-after-free in ath11k_dp_rx_update_peer_stats+0x912/0xc10 [ath11k]\n[  534.888696] Read of size 8 at addr ffff8881396bb1b8 by task rtcwake/2860\n\n[  534.888705] CPU: 4 PID: 2860 Comm: rtcwake Kdump: loaded Tainted: G        W         5.15.0-wt-ath+ #523\n[  534.888712] Hardware name: Intel(R) Client Systems NUC8i7HVK/NUC8i7HVB, BIOS HNKBLi70.86A.0067.2021.0528.1339 05/28/2021\n[  534.888716] Call Trace:\n[  534.888720]  <IRQ>\n[  534.888726]  dump_stack_lvl+0x57/0x7d\n[  534.888736]  print_address_description.constprop.0+0x1f/0x170\n[  534.888745]  ? ath11k_dp_rx_update_peer_stats+0x912/0xc10 [ath11k]\n[  534.888771]  kasan_report.cold+0x83/0xdf\n[  534.888783]  ? ath11k_dp_rx_update_peer_stats+0x912/0xc10 [ath11k]\n[  534.888810]  ath11k_dp_rx_update_peer_stats+0x912/0xc10 [ath11k]\n[  534.888840]  ath11k_dp_rx_process_mon_status+0x529/0xa70 [ath11k]\n[  534.888874]  ? ath11k_dp_rx_mon_status_bufs_replenish+0x3f0/0x3f0 [ath11k]\n[  534.888897]  ? check_prev_add+0x20f0/0x20f0\n[  534.888922]  ? __lock_acquire+0xb72/0x1870\n[  534.888937]  ? find_held_lock+0x33/0x110\n[  534.888954]  ath11k_dp_rx_process_mon_rings+0x297/0x520 [ath11k]\n[  534.888981]  ? rcu_read_unlock+0x40/0x40\n[  534.888990]  ? ath11k_dp_rx_pdev_alloc+0xd90/0xd90 [ath11k]\n[  534.889026]  ath11k_dp_service_mon_ring+0x67/0xe0 [ath11k]\n[  534.889053]  ? ath11k_dp_rx_process_mon_rings+0x520/0x520 [ath11k]\n[  534.889075]  call_timer_fn+0x167/0x4a0\n[  534.889084]  ? add_timer_on+0x3b0/0x3b0\n[  534.889103]  ? lockdep_hardirqs_on_prepare.part.0+0x18c/0x370\n[  534.889117]  __run_timers.part.0+0x539/0x8b0\n[  534.889123]  ? ath11k_dp_rx_process_mon_rings+0x520/0x520 [ath11k]\n[  534.889157]  ? call_timer_fn+0x4a0/0x4a0\n[  534.889164]  ? mark_lock_irq+0x1c30/0x1c30\n[  534.889173]  ? clockevents_program_event+0xdd/0x280\n[  534.889189]  ? mark_held_locks+0xa5/0xe0\n[  534.889203]  run_timer_softirq+0x97/0x180\n[  534.889213]  __do_softirq+0x276/0x86a\n[  534.889230]  __irq_exit_rcu+0x11c/0x180\n[  534.889238]  irq_exit_rcu+0x5/0x20\n[  534.889244]  sysvec_apic_timer_interrupt+0x8e/0xc0\n[  534.889251]  </IRQ>\n[  534.889254]  <TASK>\n[  534.889259]  asm_sysvec_apic_timer_interrupt+0x12/0x20\n[  534.889265] RIP: 0010:_raw_spin_unlock_irqrestore+0x38/0x70\n[  534.889271] Code: 74 24 10 e8 ea c2 bf fd 48 89 ef e8 12 53 c0 fd 81 e3 00 02 00 00 75 25 9c 58 f6 c4 02 75 2d 48 85 db 74 01 fb bf 01 00 00 00 <e8> 13 a7 b5 fd 65 8b 05 cc d9 9c 5e 85 c0 74 0a 5b 5d c3 e8 a0 ee\n[  534.889276] RSP: 0018:ffffc90002e5f880 EFLAGS: 00000206\n[  534.889284] RAX: 0000000000000006 RBX: 0000000000000200 RCX: ffffffff9f256f10\n[  534.889289] RDX: 0000000000000000 RSI: ffffffffa1c6e420 RDI: 0000000000000001\n[  534.889293] RBP: ffff8881095e6200 R08: 0000000000000001 R09: ffffffffa40d2b8f\n[  534.889298] R10: fffffbfff481a571 R11: 0000000000000001 R12: ffff8881095e6e68\n[  534.889302] R13: ffffc90002e5f908 R14: 0000000000000246 R15: 0000000000000000\n[  534.889316]  ? mark_lock+0xd0/0x14a0\n[  534.889332]  klist_next+0x1d4/0x450\n[  534.889340]  ? dpm_wait_for_subordinate+0x2d0/0x2d0\n[  534.889350]  device_for_each_child+0xa8/0x140\n[  534.889360]  ? device_remove_class_symlinks+0x1b0/0x1b0\n[  534.889370]  ? __lock_release+0x4bd/0x9f0\n[  534.889378]  ? dpm_suspend+0x26b/0x3f0\n[  534.889390]  dpm_wait_for_subordinate+\n---truncated---"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ath11k: liberar un peer para la estaci\u00f3n cuando se desconecta del AP para QCA6390/WCN6855. el commit b4a0f54156ac (\"ath11k: mover la eliminaci\u00f3n del peer despu\u00e9s de la detenci\u00f3n del vdev de la estaci\u00f3n para QCA6390 y WCN6855\") es para reparar un fallo del firmware modificando la secuencia de comandos WMI, pero en realidad omite toda la operaci\u00f3n de eliminaci\u00f3n del peer, por lo que el commit 58595c9874c6 (\"ath11k: solucionar el problema del puntero colgante tras un fallo en la eliminaci\u00f3n del peer\") no tiene efecto y, a continuaci\u00f3n, aparece una advertencia de uso tras liberaci\u00f3n de KASAN, porque peer-&gt;sta no est\u00e1 configurado en NULL y se utiliza m\u00e1s tarde. Se cambia para omitir solo WMI_PEER_DELETE_CMDID para QCA6390/WCN6855. registro de usuario despu\u00e9s de liberaci\u00f3n: [ 534.888665] ERROR: KASAN: use-after-free en ath11k_dp_rx_update_peer_stats+0x912/0xc10 [ath11k] [ 534.888696] Lectura de tama\u00f1o 8 en la direcci\u00f3n ffff8881396bb1b8 por la tarea rtcwake/2860 [ 534.888705] CPU: 4 PID: 2860 Comm: rtcwake Kdump: cargado Tainted: GW 5.15.0-wt-ath+ #523 [ 534.888712] Nombre del hardware: Intel(R) Client Systems NUC8i7HVK/NUC8i7HVB, BIOS HNKBLi70.86A.0067.2021.0528.1339 28/05/2021 [ 534.888716] Seguimiento de llamadas: [ 534.888720]  [ 534.888726] dump_stack_lvl+0x57/0x7d [ 534.888736] print_address_description.constprop.0+0x1f/0x170 [ 534.888745] ? ath11k_dp_rx_update_peer_stats+0x912/0xc10 [ath11k] [ 534.888771] kasan_report.cold+0x83/0xdf [ 534.888783] ? ath11k_dp_rx_update_peer_stats+0x912/0xc10 [ath11k] [ 534.888810] ath11k_dp_rx_update_peer_stats+0x912/0xc10 [ath11k] [ 534.888840] ath11k_dp_rx_process_mon_status+0x529/0xa70 [ath11k] [ 534.888874] ? ath11k_dp_rx_mon_status_bufs_replenish+0x3f0/0x3f0 [ath11k] [ 534.888897] ? check_prev_add+0x20f0/0x20f0 [ 534.888922] ? __lock_acquire+0xb72/0x1870 [ 534.888937] ? find_held_lock+0x33/0x110 [ 534.888954] ath11k_dp_rx_process_mon_rings+0x297/0x520 [ath11k] [ 534.888981] ? rcu_read_unlock+0x40/0x40 [ 534.888990] ? ath11k_dp_rx_pdev_alloc+0xd90/0xd90 [ath11k] [ 534.889026] ath11k_dp_service_mon_ring+0x67/0xe0 [ath11k] [ 534.889053] ? ath11k_dp_rx_process_mon_rings+0x520/0x520 [ath11k] [ 534.889075] call_timer_fn+0x167/0x4a0 [ 534.889084] ? add_timer_on+0x3b0/0x3b0 [ 534.889103] ? lockdep_hardirqs_on_prepare.part.0+0x18c/0x370 [ 534.889117] __run_timers.part.0+0x539/0x8b0 [ 534.889123] ? ath11k_dp_rx_process_mon_rings+0x520/0x520 [ath11k] [ 534.889157] ? call_timer_fn+0x4a0/0x4a0 [ 534.889164] ? mark_lock_irq+0x1c30/0x1c30 [ 534.889173] ? clockevents_program_event+0xdd/0x280 [ 534.889189] ? mark_held_locks+0xa5/0xe0 [ 534.889203] run_timer_softirq+0x97/0x180 [ 534.889213] __do_softirq+0x276/0x86a [ 534.889230] __irq_exit_rcu+0x11c/0x180 [ 534.889238] irq_exit_rcu+0x5/0x20 [ 534.889244] sysvec_apic_timer_interrupt+0x8e/0xc0 [ 534.889251]  [ 534.889254]  [ 534.889259] asm_sysvec_apic_timer_interrupt+0x12/0x20 [ 534.889265] RIP: 0010:_raw_spin_unlock_irqrestore+0x38/0x70 [ 534.889271] C\u00f3digo: 74 24 10 e8 ea c2 bf fd 48 89 ef e8 12 53 c0 fd 81 e3 00 02 00 00 75 25 9c 58 f6 c4 02 75 2d 48 85 db 74 01 fb bf 01 00 00 00  13 a7 b5 fd 65 8b 05 cc d9 9c 5e 85 c0 74 0a 5b 5d c3 e8 a0 ee [ 534.889276] RSP: 0018:ffffc90002e5f880 EFLAGS: 00000206 [ 534.889284] RAX: 00000000000000006 RBX: 00000000000000200 RCX: ffffffff9f256f10 [ 534.889289] RDX: 00000000000000000 RSI: fffffffa1c6e420 RDI: 00000000000000001 [ 534.889293] RBP: ffff8881095e6200 R08: 00000000000000001 R09: ffffffffa40d2b8f [ 534.889298] R10: fffffbfff481a571 R11: 0000000000000001 R12: ffff8881095e6e68 [ 534.889302] R13: ffffc90002e5f908 R14: 0000000000000246 R15: 0000000000000000 [ 534.889316] ? mark_lock+0xd0/0x14a0 [ 534.889332] klist_next+0x1d4/0x450 [ 534.889340] ? dpm_wait_for_subordinate+0x2d0/0x2d0 [ 534.889350] device_for_each_child+0xa8/0x140 [ 534.889360] ? device_remove_class_symlinks+0x1b0/0x1b0 [ 534.889370] ? __lock_release+0x4bd/0x9f0 [ 534.889378] ? dpm_suspend+0x26b/0x3f0 [ 534.889390] ---truncado---"}], "lastModified": "2025-03-25T15:08:35.243", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "210C679C-CF84-44A3-8939-E629C87E54BF", "versionEndExcluding": "5.17.2", "versionStartIncluding": "5.17"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}