Home

Description

In the Linux kernel, the following vulnerability has been resolved: ath9k_htc: fix uninit value bugs Syzbot reported 2 KMSAN bugs in ath9k. All of them are caused by missing field initialization. In htc_connect_service() svc_meta_len and pad are not initialized. Based on code it looks like in current skb there is no service data, so simply initialize svc_meta_len to 0. htc_issue_send() does not initialize htc_frame_hdr::control array. Based on firmware code, it will initialize it by itself, so simply zero whole array to make KMSAN happy Fail logs: BUG: KMSAN: kernel-usb-infoleak in usb_submit_urb+0x6c1/0x2aa0 drivers/usb/core/urb.c:430 usb_submit_urb+0x6c1/0x2aa0 drivers/usb/core/urb.c:430 hif_usb_send_regout drivers/net/wireless/ath/ath9k/hif_usb.c:127 [inline] hif_usb_send+0x5f0/0x16f0 drivers/net/wireless/ath/ath9k/hif_usb.c:479 htc_issue_send drivers/net/wireless/ath/ath9k/htc_hst.c:34 [inline] htc_connect_service+0x143e/0x1960 drivers/net/wireless/ath/ath9k/htc_hst.c:275 ... Uninit was created at: slab_post_alloc_hook mm/slab.h:524 [inline] slab_alloc_node mm/slub.c:3251 [inline] __kmalloc_node_track_caller+0xe0c/0x1510 mm/slub.c:4974 kmalloc_reserve net/core/skbuff.c:354 [inline] __alloc_skb+0x545/0xf90 net/core/skbuff.c:426 alloc_skb include/linux/skbuff.h:1126 [inline] htc_connect_service+0x1029/0x1960 drivers/net/wireless/ath/ath9k/htc_hst.c:258 ... Bytes 4-7 of 18 are uninitialized Memory access of size 18 starts at ffff888027377e00 BUG: KMSAN: kernel-usb-infoleak in usb_submit_urb+0x6c1/0x2aa0 drivers/usb/core/urb.c:430 usb_submit_urb+0x6c1/0x2aa0 drivers/usb/core/urb.c:430 hif_usb_send_regout drivers/net/wireless/ath/ath9k/hif_usb.c:127 [inline] hif_usb_send+0x5f0/0x16f0 drivers/net/wireless/ath/ath9k/hif_usb.c:479 htc_issue_send drivers/net/wireless/ath/ath9k/htc_hst.c:34 [inline] htc_connect_service+0x143e/0x1960 drivers/net/wireless/ath/ath9k/htc_hst.c:275 ... Uninit was created at: slab_post_alloc_hook mm/slab.h:524 [inline] slab_alloc_node mm/slub.c:3251 [inline] __kmalloc_node_track_caller+0xe0c/0x1510 mm/slub.c:4974 kmalloc_reserve net/core/skbuff.c:354 [inline] __alloc_skb+0x545/0xf90 net/core/skbuff.c:426 alloc_skb include/linux/skbuff.h:1126 [inline] htc_connect_service+0x1029/0x1960 drivers/net/wireless/ath/ath9k/htc_hst.c:258 ... Bytes 16-17 of 18 are uninitialized Memory access of size 18 starts at ffff888027377e00

PUBLISHED Reserved 2025-02-26 | Published 2025-02-26 | Updated 2025-10-01 | Assigner Linux

Product status

Default status
unaffected

fb9987d0f748c983bb795a86f47522313f701a08 (git) before 5c2a6a8daa17a3f65b38b9a5574bb362c13fa1d9
affected

fb9987d0f748c983bb795a86f47522313f701a08 (git) before e352acdd378e9263cc4c6018e588f2dac7161d07
affected

fb9987d0f748c983bb795a86f47522313f701a08 (git) before ee4222052a76559c20e821bc3519cefb58b6d3e9
affected

fb9987d0f748c983bb795a86f47522313f701a08 (git) before 4d244b731188e0b63fc40a9d2dec72e9181fb37c
affected

fb9987d0f748c983bb795a86f47522313f701a08 (git) before 11f11ac281f0c0b363d2940204f28bae0422ed71
affected

fb9987d0f748c983bb795a86f47522313f701a08 (git) before 0b700f7d06492de34964b6f414120043364f8191
affected

fb9987d0f748c983bb795a86f47522313f701a08 (git) before 7da6169b6ebb75816b57be3beb829afa74f3b4b6
affected

fb9987d0f748c983bb795a86f47522313f701a08 (git) before 5abf2b761b998063f5e2bae93fd4ab10e2a80f10
affected

fb9987d0f748c983bb795a86f47522313f701a08 (git) before d1e0df1c57bd30871dd1c855742a7c346dbca853
affected

Default status
affected

2.6.35
affected

Any version before 2.6.35
unaffected

4.9.311 (semver)
unaffected

4.14.276 (semver)
unaffected

4.19.238 (semver)
unaffected

5.4.189 (semver)
unaffected

5.10.110 (semver)
unaffected

5.15.33 (semver)
unaffected

5.16.19 (semver)
unaffected

5.17.2 (semver)
unaffected

5.18 (original_commit_for_fix)
unaffected

References

git.kernel.org/...c/5c2a6a8daa17a3f65b38b9a5574bb362c13fa1d9

git.kernel.org/...c/e352acdd378e9263cc4c6018e588f2dac7161d07

git.kernel.org/...c/ee4222052a76559c20e821bc3519cefb58b6d3e9

git.kernel.org/...c/4d244b731188e0b63fc40a9d2dec72e9181fb37c

git.kernel.org/...c/11f11ac281f0c0b363d2940204f28bae0422ed71

git.kernel.org/...c/0b700f7d06492de34964b6f414120043364f8191

git.kernel.org/...c/7da6169b6ebb75816b57be3beb829afa74f3b4b6

git.kernel.org/...c/5abf2b761b998063f5e2bae93fd4ab10e2a80f10

git.kernel.org/...c/d1e0df1c57bd30871dd1c855742a7c346dbca853

cve.org (CVE-2022-49235)

nvd.nist.gov (CVE-2022-49235)

Download JSON