CVE-2022-48875
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2022-48875
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-48875.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2022-48875
- Related
- Published
- 2024-08-21T07:15:04Z
- Modified
- 2024-09-18T03:22:39.167091Z
- Severity
-
- 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- [none]
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
wifi: mac80211: sdata can be NULL during AMPDU start
ieee80211txbasessionhandle_start() may get NULL for sdata when a deauthentication is ongoing.
Here a trace triggering the race with the hostapd test multiapfronthaulonap:
(gdb) list *drvampduaction+0x46 0x8b16 is in drvampduaction (net/mac80211/driver-ops.c:396). 391 int ret = -EOPNOTSUPP; 392 393 mightsleep(); 394 395 sdata = getbsssdata(sdata); 396 if (!checksdataindriver(sdata)) 397 return -EIO; 398 399 tracedrvampdu_action(local, sdata, params); 400
wlan0: moving STA 02:00:00:00:03:00 to state 3 wlan0: associated wlan0: deauthenticating from 02:00:00:00:03:00 by local choice (Reason: 3=DEAUTHLEAVING) wlan3.sta1: Open BA session requested for 02:00:00:00:00:00 tid 0 wlan3.sta1: dropped frame to 02:00:00:00:00:00 (unauthorized port) wlan0: moving STA 02:00:00:00:03:00 to state 2 wlan0: moving STA 02:00:00:00:03:00 to state 1 wlan0: Removed STA 02:00:00:00:03:00 wlan0: Destroyed STA 02:00:00:00:03:00 BUG: unable to handle page fault for address: fffffffffffffb48 PGD 11814067 P4D 11814067 PUD 11816067 PMD 0 Oops: 0000 [#1] PREEMPT SMP PTI CPU: 2 PID: 133397 Comm: kworker/u16:1 Tainted: G W 6.1.0-rc8-wt+ #59 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-20220807005459-localhost 04/01/2014 Workqueue: phy3 ieee80211basessionwork [mac80211] RIP: 0010:drvampduaction+0x46/0x280 [mac80211] Code: 53 48 89 f3 be 89 01 00 00 e8 d6 43 bf ef e8 21 46 81 f0 83 bb a0 1b 00 00 04 75 0e 48 8b 9b 28 0d 00 00 48 81 eb 10 0e 00 00 <8b> 93 58 09 00 00 f6 c2 20 0f 84 3b 01 00 00 8b 05 dd 1c 0f 00 85 RSP: 0018:ffffc900025ebd20 EFLAGS: 00010287 RAX: 0000000000000000 RBX: fffffffffffff1f0 RCX: ffff888102228240 RDX: 0000000080000000 RSI: ffffffff918c5de0 RDI: ffff888102228b40 RBP: ffffc900025ebd40 R08: 0000000000000001 R09: 0000000000000001 R10: 0000000000000001 R11: 0000000000000000 R12: ffff888118c18ec0 R13: 0000000000000000 R14: ffffc900025ebd60 R15: ffff888018b7efb8 FS: 0000000000000000(0000) GS:ffff88817a600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: fffffffffffffb48 CR3: 0000000105228006 CR4: 0000000000170ee0 Call Trace: <TASK> ieee80211txbasessionhandlestart+0xd0/0x190 [mac80211] ieee80211basessionwork+0xff/0x2e0 [mac80211] processonework+0x29f/0x620 workerthread+0x4d/0x3d0 ? processonework+0x620/0x620 kthread+0xfb/0x120 ? kthreadcompleteandexit+0x20/0x20 retfrom_fork+0x22/0x30 </TASK>
- References
-
- https://git.kernel.org/stable/c/187523fa7c2d4c780f775cb869216865c4a909ef
- https://git.kernel.org/stable/c/69403bad97aa0162e3d7911b27e25abe774093df
- https://git.kernel.org/stable/c/a12fd43bd175fa52c82f9740179d38c34ca1b62e
- https://git.kernel.org/stable/c/c838df8461a601b20dc1b9fb1834d2aad8e2f949
- https://security-tracker.debian.org/tracker/CVE-2022-48875
Affected packages
Debian:11 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed5.10.178-1
Affected versions
5.*
Debian:12 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Debian:13 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source