FKIE_CVE-2022-50678

Vulnerability from fkie_nvd - Published: 2025-12-09 16:17 - Updated: 2025-12-09 18:37
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: fix invalid address access when enabling SCAN log level The variable i is changed when setting random MAC address and causes invalid address access when printing the value of pi->reqs[i]->reqid. We replace reqs index with ri to fix the issue. [ 136.726473] Unable to handle kernel access to user memory outside uaccess routines at virtual address 0000000000000000 [ 136.737365] Mem abort info: [ 136.740172] ESR = 0x96000004 [ 136.743359] Exception class = DABT (current EL), IL = 32 bits [ 136.749294] SET = 0, FnV = 0 [ 136.752481] EA = 0, S1PTW = 0 [ 136.755635] Data abort info: [ 136.758514] ISV = 0, ISS = 0x00000004 [ 136.762487] CM = 0, WnR = 0 [ 136.765522] user pgtable: 4k pages, 48-bit VAs, pgdp = 000000005c4e2577 [ 136.772265] [0000000000000000] pgd=0000000000000000 [ 136.777160] Internal error: Oops: 96000004 [#1] PREEMPT SMP [ 136.782732] Modules linked in: brcmfmac(O) brcmutil(O) cfg80211(O) compat(O) [ 136.789788] Process wificond (pid: 3175, stack limit = 0x00000000053048fb) [ 136.796664] CPU: 3 PID: 3175 Comm: wificond Tainted: G O 4.19.42-00001-g531a5f5 #1 [ 136.805532] Hardware name: Freescale i.MX8MQ EVK (DT) [ 136.810584] pstate: 60400005 (nZCv daif +PAN -UAO) [ 136.815429] pc : brcmf_pno_config_sched_scans+0x6cc/0xa80 [brcmfmac] [ 136.821811] lr : brcmf_pno_config_sched_scans+0x67c/0xa80 [brcmfmac] [ 136.828162] sp : ffff00000e9a3880 [ 136.831475] x29: ffff00000e9a3890 x28: ffff800020543400 [ 136.836786] x27: ffff8000b1008880 x26: ffff0000012bf6a0 [ 136.842098] x25: ffff80002054345c x24: ffff800088d22400 [ 136.847409] x23: ffff0000012bf638 x22: ffff0000012bf6d8 [ 136.852721] x21: ffff8000aced8fc0 x20: ffff8000ac164400 [ 136.858032] x19: ffff00000e9a3946 x18: 0000000000000000 [ 136.863343] x17: 0000000000000000 x16: 0000000000000000 [ 136.868655] x15: ffff0000093f3b37 x14: 0000000000000050 [ 136.873966] x13: 0000000000003135 x12: 0000000000000000 [ 136.879277] x11: 0000000000000000 x10: ffff000009a61888 [ 136.884589] x9 : 000000000000000f x8 : 0000000000000008 [ 136.889900] x7 : 303a32303d726464 x6 : ffff00000a1f957d [ 136.895211] x5 : 0000000000000000 x4 : ffff00000e9a3942 [ 136.900523] x3 : 0000000000000000 x2 : ffff0000012cead8 [ 136.905834] x1 : ffff0000012bf6d8 x0 : 0000000000000000 [ 136.911146] Call trace: [ 136.913623] brcmf_pno_config_sched_scans+0x6cc/0xa80 [brcmfmac] [ 136.919658] brcmf_pno_start_sched_scan+0xa4/0x118 [brcmfmac] [ 136.925430] brcmf_cfg80211_sched_scan_start+0x80/0xe0 [brcmfmac] [ 136.931636] nl80211_start_sched_scan+0x140/0x308 [cfg80211] [ 136.937298] genl_rcv_msg+0x358/0x3f4 [ 136.940960] netlink_rcv_skb+0xb4/0x118 [ 136.944795] genl_rcv+0x34/0x48 [ 136.947935] netlink_unicast+0x264/0x300 [ 136.951856] netlink_sendmsg+0x2e4/0x33c [ 136.955781] __sys_sendto+0x120/0x19c
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/1c12d47a9017a7745585b57b9b0fdc0d8c50978e
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/4d4dcfa6b4e85a878401f4fbae4cafc88cdcceb4
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/50e45034c5802cedbf5b707364ea76ace29ad984
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/56a0ac48634155d2b866b99fba7e1dd8df4e2804
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/75995ce1c926ee87bf93d58977c766b4e7744715
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/7ccb0529446ae68a8581916bfc95c353306d76ba
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/826405a911473b6ee8bd2aa891cb2f03a13efa17
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/aa666b68e73fc06d83c070d96180b9010cf5a960
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmfmac: fix invalid address access when enabling SCAN log level\n\nThe variable i is changed when setting random MAC address and causes\ninvalid address access when printing the value of pi-\u003ereqs[i]-\u003ereqid.\n\nWe replace reqs index with ri to fix the issue.\n\n[  136.726473] Unable to handle kernel access to user memory outside uaccess routines at virtual address 0000000000000000\n[  136.737365] Mem abort info:\n[  136.740172]   ESR = 0x96000004\n[  136.743359]   Exception class = DABT (current EL), IL = 32 bits\n[  136.749294]   SET = 0, FnV = 0\n[  136.752481]   EA = 0, S1PTW = 0\n[  136.755635] Data abort info:\n[  136.758514]   ISV = 0, ISS = 0x00000004\n[  136.762487]   CM = 0, WnR = 0\n[  136.765522] user pgtable: 4k pages, 48-bit VAs, pgdp = 000000005c4e2577\n[  136.772265] [0000000000000000] pgd=0000000000000000\n[  136.777160] Internal error: Oops: 96000004 [#1] PREEMPT SMP\n[  136.782732] Modules linked in: brcmfmac(O) brcmutil(O) cfg80211(O) compat(O)\n[  136.789788] Process wificond (pid: 3175, stack limit = 0x00000000053048fb)\n[  136.796664] CPU: 3 PID: 3175 Comm: wificond Tainted: G           O      4.19.42-00001-g531a5f5 #1\n[  136.805532] Hardware name: Freescale i.MX8MQ EVK (DT)\n[  136.810584] pstate: 60400005 (nZCv daif +PAN -UAO)\n[  136.815429] pc : brcmf_pno_config_sched_scans+0x6cc/0xa80 [brcmfmac]\n[  136.821811] lr : brcmf_pno_config_sched_scans+0x67c/0xa80 [brcmfmac]\n[  136.828162] sp : ffff00000e9a3880\n[  136.831475] x29: ffff00000e9a3890 x28: ffff800020543400\n[  136.836786] x27: ffff8000b1008880 x26: ffff0000012bf6a0\n[  136.842098] x25: ffff80002054345c x24: ffff800088d22400\n[  136.847409] x23: ffff0000012bf638 x22: ffff0000012bf6d8\n[  136.852721] x21: ffff8000aced8fc0 x20: ffff8000ac164400\n[  136.858032] x19: ffff00000e9a3946 x18: 0000000000000000\n[  136.863343] x17: 0000000000000000 x16: 0000000000000000\n[  136.868655] x15: ffff0000093f3b37 x14: 0000000000000050\n[  136.873966] x13: 0000000000003135 x12: 0000000000000000\n[  136.879277] x11: 0000000000000000 x10: ffff000009a61888\n[  136.884589] x9 : 000000000000000f x8 : 0000000000000008\n[  136.889900] x7 : 303a32303d726464 x6 : ffff00000a1f957d\n[  136.895211] x5 : 0000000000000000 x4 : ffff00000e9a3942\n[  136.900523] x3 : 0000000000000000 x2 : ffff0000012cead8\n[  136.905834] x1 : ffff0000012bf6d8 x0 : 0000000000000000\n[  136.911146] Call trace:\n[  136.913623]  brcmf_pno_config_sched_scans+0x6cc/0xa80 [brcmfmac]\n[  136.919658]  brcmf_pno_start_sched_scan+0xa4/0x118 [brcmfmac]\n[  136.925430]  brcmf_cfg80211_sched_scan_start+0x80/0xe0 [brcmfmac]\n[  136.931636]  nl80211_start_sched_scan+0x140/0x308 [cfg80211]\n[  136.937298]  genl_rcv_msg+0x358/0x3f4\n[  136.940960]  netlink_rcv_skb+0xb4/0x118\n[  136.944795]  genl_rcv+0x34/0x48\n[  136.947935]  netlink_unicast+0x264/0x300\n[  136.951856]  netlink_sendmsg+0x2e4/0x33c\n[  136.955781]  __sys_sendto+0x120/0x19c"
    }
  ],
  "id": "CVE-2022-50678",
  "lastModified": "2025-12-09T18:37:13.640",
  "metrics": {},
  "published": "2025-12-09T16:17:20.083",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/1c12d47a9017a7745585b57b9b0fdc0d8c50978e"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/4d4dcfa6b4e85a878401f4fbae4cafc88cdcceb4"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/50e45034c5802cedbf5b707364ea76ace29ad984"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/56a0ac48634155d2b866b99fba7e1dd8df4e2804"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/75995ce1c926ee87bf93d58977c766b4e7744715"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/7ccb0529446ae68a8581916bfc95c353306d76ba"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/826405a911473b6ee8bd2aa891cb2f03a13efa17"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/aa666b68e73fc06d83c070d96180b9010cf5a960"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.