CVE-2022-49235: ath9k_htc: fix uninit value bugs
First published: Wed Feb 26 2025(Updated: )
In the Linux kernel, the following vulnerability has been resolved: ath9k_htc: fix uninit value bugs Syzbot reported 2 KMSAN bugs in ath9k. All of them are caused by missing field initialization. In htc_connect_service() svc_meta_len and pad are not initialized. Based on code it looks like in current skb there is no service data, so simply initialize svc_meta_len to 0. htc_issue_send() does not initialize htc_frame_hdr::control array. Based on firmware code, it will initialize it by itself, so simply zero whole array to make KMSAN happy Fail logs: BUG: KMSAN: kernel-usb-infoleak in usb_submit_urb+0x6c1/0x2aa0 drivers/usb/core/urb.c:430 usb_submit_urb+0x6c1/0x2aa0 drivers/usb/core/urb.c:430 hif_usb_send_regout drivers/net/wireless/ath/ath9k/hif_usb.c:127 [inline] hif_usb_send+0x5f0/0x16f0 drivers/net/wireless/ath/ath9k/hif_usb.c:479 htc_issue_send drivers/net/wireless/ath/ath9k/htc_hst.c:34 [inline] htc_connect_service+0x143e/0x1960 drivers/net/wireless/ath/ath9k/htc_hst.c:275 ... Uninit was created at: slab_post_alloc_hook mm/slab.h:524 [inline] slab_alloc_node mm/slub.c:3251 [inline] __kmalloc_node_track_caller+0xe0c/0x1510 mm/slub.c:4974 kmalloc_reserve net/core/skbuff.c:354 [inline] __alloc_skb+0x545/0xf90 net/core/skbuff.c:426 alloc_skb include/linux/skbuff.h:1126 [inline] htc_connect_service+0x1029/0x1960 drivers/net/wireless/ath/ath9k/htc_hst.c:258 ... Bytes 4-7 of 18 are uninitialized Memory access of size 18 starts at ffff888027377e00 BUG: KMSAN: kernel-usb-infoleak in usb_submit_urb+0x6c1/0x2aa0 drivers/usb/core/urb.c:430 usb_submit_urb+0x6c1/0x2aa0 drivers/usb/core/urb.c:430 hif_usb_send_regout drivers/net/wireless/ath/ath9k/hif_usb.c:127 [inline] hif_usb_send+0x5f0/0x16f0 drivers/net/wireless/ath/ath9k/hif_usb.c:479 htc_issue_send drivers/net/wireless/ath/ath9k/htc_hst.c:34 [inline] htc_connect_service+0x143e/0x1960 drivers/net/wireless/ath/ath9k/htc_hst.c:275 ... Uninit was created at: slab_post_alloc_hook mm/slab.h:524 [inline] slab_alloc_node mm/slub.c:3251 [inline] __kmalloc_node_track_caller+0xe0c/0x1510 mm/slub.c:4974 kmalloc_reserve net/core/skbuff.c:354 [inline] __alloc_skb+0x545/0xf90 net/core/skbuff.c:426 alloc_skb include/linux/skbuff.h:1126 [inline] htc_connect_service+0x1029/0x1960 drivers/net/wireless/ath/ath9k/htc_hst.c:258 ... Bytes 16-17 of 18 are uninitialized Memory access of size 18 starts at ffff888027377e00
Credit: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Linux Kernel | ||
| Linux Kernel | >=2.6.35<4.9.311 | |
| Linux Kernel | >=4.10<4.14.276 | |
| Linux Kernel | >=4.15<4.19.238 | |
| Linux Kernel | >=4.20<5.4.189 | |
| Linux Kernel | >=5.5<5.10.110 | |
| Linux Kernel | >=5.11<5.15.33 | |
| Linux Kernel | >=5.16<5.16.19 | |
| Linux Kernel | >=5.17<5.17.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://git.kernel.org/stable/c/5c2a6a8daa17a3f65b38b9a5574bb362c13fa1d9
- https://git.kernel.org/stable/c/e352acdd378e9263cc4c6018e588f2dac7161d07
- https://git.kernel.org/stable/c/ee4222052a76559c20e821bc3519cefb58b6d3e9
- https://git.kernel.org/stable/c/4d244b731188e0b63fc40a9d2dec72e9181fb37c
- https://git.kernel.org/stable/c/11f11ac281f0c0b363d2940204f28bae0422ed71
- https://git.kernel.org/stable/c/0b700f7d06492de34964b6f414120043364f8191
- https://git.kernel.org/stable/c/7da6169b6ebb75816b57be3beb829afa74f3b4b6
- https://git.kernel.org/stable/c/5abf2b761b998063f5e2bae93fd4ab10e2a80f10
- https://git.kernel.org/stable/c/d1e0df1c57bd30871dd1c855742a7c346dbca853
Frequently Asked Questions
What is the severity of CVE-2022-49235?
CVE-2022-49235 has a medium severity rating due to potential issues caused by uninitialized values.
How do I fix CVE-2022-49235?
To fix CVE-2022-49235, ensure you update your Linux kernel to a version that includes the appropriate patches.
Which versions of the Linux kernel are affected by CVE-2022-49235?
CVE-2022-49235 affects various Linux kernel versions, specifically between 2.6.35 and 5.17.2.
What components of the Linux kernel are involved in CVE-2022-49235?
CVE-2022-49235 specifically involves the ath9k_htc driver in the Linux kernel.
Is there a known exploit for CVE-2022-49235?
As of now, there is no publicly known exploit specifically targeting CVE-2022-49235.
- collector/mitre-cve
- source/MITRE
- agent/first-publish-date
- agent/type
- agent/title
- agent/author
- agent/references
- agent/source
- agent/description
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/severity
- agent/remedy
- agent/weakness
- agent/last-modified-date
- agent/softwarecombine
- agent/event
- agent/tags
- agent/guess-ai
- agent/software-canonical-lookup-request
- vendor/linux
- canonical/linux kernel
- version/linux kernel/2.6.35
- version/linux kernel/4.10
- version/linux kernel/4.15
- version/linux kernel/4.20
- version/linux kernel/5.5
- version/linux kernel/5.11
- version/linux kernel/5.16
- version/linux kernel/5.17