CVE-2022-49238

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2022-49238
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-49238.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-49238
Downstream
Related
Published
2025-02-26T01:56:01Z
Modified
2025-10-21T09:01:11.998511Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
ath11k: free peer for station when disconnect from AP for QCA6390/WCN6855
Details

In the Linux kernel, the following vulnerability has been resolved:

ath11k: free peer for station when disconnect from AP for QCA6390/WCN6855

Commit b4a0f54156ac ("ath11k: move peer delete after vdev stop of station for QCA6390 and WCN6855") is to fix firmware crash by changing the WMI command sequence, but actually skip all the peer delete operation, then it lead commit 58595c9874c6 ("ath11k: Fixing dangling pointer issue upon peer delete failure") not take effect, and then happened a use-after-free warning from KASAN. because the peer->sta is not set to NULL and then used later.

Change to only skip the WMIPEERDELETE_CMDID for QCA6390/WCN6855.

log of user-after-free:

[ 534.888665] BUG: KASAN: use-after-free in ath11kdprxupdatepeer_stats+0x912/0xc10 [ath11k] [ 534.888696] Read of size 8 at addr ffff8881396bb1b8 by task rtcwake/2860

[ 534.888705] CPU: 4 PID: 2860 Comm: rtcwake Kdump: loaded Tainted: G W 5.15.0-wt-ath+ #523 [ 534.888712] Hardware name: Intel(R) Client Systems NUC8i7HVK/NUC8i7HVB, BIOS HNKBLi70.86A.0067.2021.0528.1339 05/28/2021 [ 534.888716] Call Trace: [ 534.888720] <IRQ> [ 534.888726] dumpstacklvl+0x57/0x7d [ 534.888736] printaddressdescription.constprop.0+0x1f/0x170 [ 534.888745] ? ath11kdprxupdatepeerstats+0x912/0xc10 [ath11k] [ 534.888771] kasanreport.cold+0x83/0xdf [ 534.888783] ? ath11kdprxupdatepeerstats+0x912/0xc10 [ath11k] [ 534.888810] ath11kdprxupdatepeerstats+0x912/0xc10 [ath11k] [ 534.888840] ath11kdprxprocessmonstatus+0x529/0xa70 [ath11k] [ 534.888874] ? ath11kdprxmonstatusbufsreplenish+0x3f0/0x3f0 [ath11k] [ 534.888897] ? checkprevadd+0x20f0/0x20f0 [ 534.888922] ? _lockacquire+0xb72/0x1870 [ 534.888937] ? findheldlock+0x33/0x110 [ 534.888954] ath11kdprxprocessmonrings+0x297/0x520 [ath11k] [ 534.888981] ? rcureadunlock+0x40/0x40 [ 534.888990] ? ath11kdprxpdevalloc+0xd90/0xd90 [ath11k] [ 534.889026] ath11kdpservicemonring+0x67/0xe0 [ath11k] [ 534.889053] ? ath11kdprxprocessmonrings+0x520/0x520 [ath11k] [ 534.889075] calltimerfn+0x167/0x4a0 [ 534.889084] ? addtimeron+0x3b0/0x3b0 [ 534.889103] ? lockdephardirqsonprepare.part.0+0x18c/0x370 [ 534.889117] _runtimers.part.0+0x539/0x8b0 [ 534.889123] ? ath11kdprxprocessmonrings+0x520/0x520 [ath11k] [ 534.889157] ? calltimerfn+0x4a0/0x4a0 [ 534.889164] ? marklockirq+0x1c30/0x1c30 [ 534.889173] ? clockeventsprogramevent+0xdd/0x280 [ 534.889189] ? markheldlocks+0xa5/0xe0 [ 534.889203] runtimersoftirq+0x97/0x180 [ 534.889213] _dosoftirq+0x276/0x86a [ 534.889230] _irqexitrcu+0x11c/0x180 [ 534.889238] irqexitrcu+0x5/0x20 [ 534.889244] sysvecapictimerinterrupt+0x8e/0xc0 [ 534.889251] </IRQ> [ 534.889254] <TASK> [ 534.889259] asmsysvecapictimerinterrupt+0x12/0x20 [ 534.889265] RIP: 0010:rawspinunlockirqrestore+0x38/0x70 [ 534.889271] Code: 74 24 10 e8 ea c2 bf fd 48 89 ef e8 12 53 c0 fd 81 e3 00 02 00 00 75 25 9c 58 f6 c4 02 75 2d 48 85 db 74 01 fb bf 01 00 00 00 <e8> 13 a7 b5 fd 65 8b 05 cc d9 9c 5e 85 c0 74 0a 5b 5d c3 e8 a0 ee [ 534.889276] RSP: 0018:ffffc90002e5f880 EFLAGS: 00000206 [ 534.889284] RAX: 0000000000000006 RBX: 0000000000000200 RCX: ffffffff9f256f10 [ 534.889289] RDX: 0000000000000000 RSI: ffffffffa1c6e420 RDI: 0000000000000001 [ 534.889293] RBP: ffff8881095e6200 R08: 0000000000000001 R09: ffffffffa40d2b8f [ 534.889298] R10: fffffbfff481a571 R11: 0000000000000001 R12: ffff8881095e6e68 [ 534.889302] R13: ffffc90002e5f908 R14: 0000000000000246 R15: 0000000000000000 [ 534.889316] ? marklock+0xd0/0x14a0 [ 534.889332] klistnext+0x1d4/0x450 [ 534.889340] ? dpmwaitforsubordinate+0x2d0/0x2d0 [ 534.889350] deviceforeachchild+0xa8/0x140 [ 534.889360] ? deviceremoveclasssymlinks+0x1b0/0x1b0 [ 534.889370] ? _lockrelease+0x4bd/0x9f0 [ 534.889378] ? dpmsuspend+0x26b/0x3f0 [ 534.889390] dpmwaitforsubordinate+ ---truncated---

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
b4a0f54156ac7720de1750b6ea06657c91c52163
Fixed
400705c50bbf184794c885d1efad7fe9ccf1471a
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
b4a0f54156ac7720de1750b6ea06657c91c52163
Fixed
212ad7cb7d7592669c067125949e0a8e31ce6a0b

Affected versions

v5.*

v5.15
v5.15-rc5
v5.15-rc6
v5.15-rc7
v5.16
v5.16-rc1
v5.16-rc2
v5.16-rc3
v5.16-rc4
v5.16-rc5
v5.16-rc6
v5.16-rc7
v5.16-rc8
v5.17
v5.17-rc1
v5.17-rc2
v5.17-rc3
v5.17-rc4
v5.17-rc5
v5.17-rc6
v5.17-rc7
v5.17-rc8
v5.17.1

Database specific

vanir_signatures

[
    {
        "id": "CVE-2022-49238-2dce16b4",
        "target": {
            "function": "ath11k_mac_op_sta_state",
            "file": "drivers/net/wireless/ath/ath11k/mac.c"
        },
        "signature_version": "v1",
        "digest": {
            "length": 3460.0,
            "function_hash": "18027209572686982253580271489999586725"
        },
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@212ad7cb7d7592669c067125949e0a8e31ce6a0b",
        "signature_type": "Function"
    },
    {
        "id": "CVE-2022-49238-7ffbc565",
        "target": {
            "file": "drivers/net/wireless/ath/ath11k/mac.c"
        },
        "signature_version": "v1",
        "digest": {
            "line_hashes": [
                "325581128503249018823793668234047703284",
                "62598049392248037875872463216441439512",
                "59866360510713025699989986023949782993",
                "194679661504340778016340815156877779154",
                "200005046005414198529530833499107463045",
                "205387609788786972481049911222756673444",
                "142520572210152033162601022512448765077",
                "120956672491294995072697483116956658087",
                "71807672475449229067397283706871264172",
                "276621776832857192623685230397808932022",
                "140981983189996867850233303112449918718",
                "139340528319909337004023457461913676874",
                "25709070033374442173627006874462384935",
                "310367174131030736405555195876137649846",
                "307845206096454559529858154931421140648",
                "162960139928588696356497993643932733632",
                "139592550465775442293483139546565274385",
                "266923054417727469898215881961684669743",
                "191221604922140780748601128061029608440",
                "181989198422758030432824757402050706423",
                "278968857853353433755114679328802274008",
                "99217647263176554983379811270854469291"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@212ad7cb7d7592669c067125949e0a8e31ce6a0b",
        "signature_type": "Line"
    },
    {
        "id": "CVE-2022-49238-8c7293c3",
        "target": {
            "function": "ath11k_mac_op_sta_state",
            "file": "drivers/net/wireless/ath/ath11k/mac.c"
        },
        "signature_version": "v1",
        "digest": {
            "length": 3460.0,
            "function_hash": "18027209572686982253580271489999586725"
        },
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@400705c50bbf184794c885d1efad7fe9ccf1471a",
        "signature_type": "Function"
    },
    {
        "id": "CVE-2022-49238-94cb4502",
        "target": {
            "file": "drivers/net/wireless/ath/ath11k/mac.c"
        },
        "signature_version": "v1",
        "digest": {
            "line_hashes": [
                "325581128503249018823793668234047703284",
                "62598049392248037875872463216441439512",
                "59866360510713025699989986023949782993",
                "194679661504340778016340815156877779154",
                "200005046005414198529530833499107463045",
                "205387609788786972481049911222756673444",
                "142520572210152033162601022512448765077",
                "120956672491294995072697483116956658087",
                "71807672475449229067397283706871264172",
                "276621776832857192623685230397808932022",
                "140981983189996867850233303112449918718",
                "139340528319909337004023457461913676874",
                "25709070033374442173627006874462384935",
                "310367174131030736405555195876137649846",
                "307845206096454559529858154931421140648",
                "162960139928588696356497993643932733632",
                "139592550465775442293483139546565274385",
                "266923054417727469898215881961684669743",
                "191221604922140780748601128061029608440",
                "181989198422758030432824757402050706423",
                "278968857853353433755114679328802274008",
                "99217647263176554983379811270854469291"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@400705c50bbf184794c885d1efad7fe9ccf1471a",
        "signature_type": "Line"
    }
]

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.17.0
Fixed
5.17.2