GHSA-4M5X-VW6P-2W8C

Vulnerability from github – Published: 2025-12-24 15:30 – Updated: 2025-12-24 15:30
Details

In the Linux kernel, the following vulnerability has been resolved:

wifi: ar5523: Fix use-after-free on ar5523_cmd() timed out

syzkaller reported use-after-free with the stack trace like below [1]:

[   38.960489][    C3] ==================================================================
[   38.963216][    C3] BUG: KASAN: use-after-free in ar5523_cmd_tx_cb+0x220/0x240
[   38.964950][    C3] Read of size 8 at addr ffff888048e03450 by task swapper/3/0
[   38.966363][    C3]
[   38.967053][    C3] CPU: 3 PID: 0 Comm: swapper/3 Not tainted 6.0.0-09039-ga6afa4199d3d-dirty #18
[   38.968464][    C3] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-1.fc36 04/01/2014
[   38.969959][    C3] Call Trace:
[   38.970841][    C3]  <IRQ>
[   38.971663][    C3]  dump_stack_lvl+0xfc/0x174
[   38.972620][    C3]  print_report.cold+0x2c3/0x752
[   38.973626][    C3]  ? ar5523_cmd_tx_cb+0x220/0x240
[   38.974644][    C3]  kasan_report+0xb1/0x1d0
[   38.975720][    C3]  ? ar5523_cmd_tx_cb+0x220/0x240
[   38.976831][    C3]  ar5523_cmd_tx_cb+0x220/0x240
[   38.978412][    C3]  __usb_hcd_giveback_urb+0x353/0x5b0
[   38.979755][    C3]  usb_hcd_giveback_urb+0x385/0x430
[   38.981266][    C3]  dummy_timer+0x140c/0x34e0
[   38.982925][    C3]  ? notifier_call_chain+0xb5/0x1e0
[   38.984761][    C3]  ? rcu_read_lock_sched_held+0xb/0x60
[   38.986242][    C3]  ? lock_release+0x51c/0x790
[   38.987323][    C3]  ? _raw_read_unlock_irqrestore+0x37/0x70
[   38.988483][    C3]  ? __wake_up_common_lock+0xde/0x130
[   38.989621][    C3]  ? reacquire_held_locks+0x4a0/0x4a0
[   38.990777][    C3]  ? lock_acquire+0x472/0x550
[   38.991919][    C3]  ? rcu_read_lock_sched_held+0xb/0x60
[   38.993138][    C3]  ? lock_acquire+0x472/0x550
[   38.994890][    C3]  ? dummy_urb_enqueue+0x860/0x860
[   38.996266][    C3]  ? do_raw_spin_unlock+0x16f/0x230
[   38.997670][    C3]  ? dummy_urb_enqueue+0x860/0x860
[   38.999116][    C3]  call_timer_fn+0x1a0/0x6a0
[   39.000668][    C3]  ? add_timer_on+0x4a0/0x4a0
[   39.002137][    C3]  ? reacquire_held_locks+0x4a0/0x4a0
[   39.003809][    C3]  ? __next_timer_interrupt+0x226/0x2a0
[   39.005509][    C3]  __run_timers.part.0+0x69a/0xac0
[   39.007025][    C3]  ? dummy_urb_enqueue+0x860/0x860
[   39.008716][    C3]  ? call_timer_fn+0x6a0/0x6a0
[   39.010254][    C3]  ? cpuacct_percpu_seq_show+0x10/0x10
[   39.011795][    C3]  ? kvm_sched_clock_read+0x14/0x40
[   39.013277][    C3]  ? sched_clock_cpu+0x69/0x2b0
[   39.014724][    C3]  run_timer_softirq+0xb6/0x1d0
[   39.016196][    C3]  __do_softirq+0x1d2/0x9be
[   39.017616][    C3]  __irq_exit_rcu+0xeb/0x190
[   39.019004][    C3]  irq_exit_rcu+0x5/0x20
[   39.020361][    C3]  sysvec_apic_timer_interrupt+0x8f/0xb0
[   39.021965][    C3]  </IRQ>
[   39.023237][    C3]  <TASK>

In ar5523_probe(), ar5523_host_available() calls ar5523_cmd() as below (there are other functions which finally call ar5523_cmd()):

ar5523_probe() -> ar5523_host_available() -> ar5523_cmd_read() -> ar5523_cmd()

If ar5523_cmd() timed out, then ar5523_host_available() failed and ar5523_probe() freed the device structure. So, ar5523_cmd_tx_cb() might touch the freed structure.

This patch fixes this issue by canceling in-flight tx cmd if submitted urb timed out.
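The lifetime race the commit message describes, shown as an added illustration that is not the ar5523 driver's code and not the kernel fix itself. It is a constructed C model: a command URB is submitted, the wait times out, the probe path frees the device structure, and the host controller's deferred completion still fires afterwards. The `freed` flag stands in for memory returned to the allocator so the late read can be counted rather than corrupting memory, and `hc_kill()` plays the role of synchronously cancelling the in-flight URB before the free, which is the shape of the fix. Every name here (`urb_model`, `ar_dev_model`, `cmd_model`, `probe_model`, the `hc_*` helpers) is an assumption of this model, not a kernel or driver symbol.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the ar5523 command path; not the driver's code. */
struct urb_model {
    void (*complete)(struct urb_model *urb);  /* completion callback */
    void *context;                            /* device structure the callback dereferences */
};

struct ar_dev_model {
    struct urb_model tx_cmd_urb;
    bool cmd_done;   /* the completion ar5523_cmd() waits on */
    bool freed;      /* stands in for kfree(): memory no longer belongs to the driver */
    int uaf_reads;   /* reads after "freed", what KASAN would report */
};

/* The simulated host controller holds at most one pending URB. */
static struct urb_model *hc_pending;

/* Synchronous cancellation (usb_kill_urb analogue): the callback will never run after this. */
static void hc_kill(struct urb_model *urb)
{
    if (hc_pending == urb)
        hc_pending = NULL;
}

/* Deferred completion from the controller (the dummy_timer path in the splat). */
static void hc_complete_late(void)
{
    struct urb_model *urb = hc_pending;
    if (!urb)
        return;
    hc_pending = NULL;
    urb->complete(urb);
}

/* Stand-in for ar5523_cmd_tx_cb(): touches the device structure. */
static void tx_cb_model(struct urb_model *urb)
{
    struct ar_dev_model *ar = urb->context;
    if (ar->freed) {        /* the real driver reads freed memory here */
        ar->uaf_reads++;
        return;
    }
    ar->cmd_done = true;
}

/* Stand-in for ar5523_cmd(): submit, then wait with a timeout. 'timed_out' selects whether
 * the controller completes in time; 'cancel_on_timeout' selects the fixed behaviour. */
static int cmd_model(struct ar_dev_model *ar, bool timed_out, bool cancel_on_timeout)
{
    ar->tx_cmd_urb.complete = tx_cb_model;
    ar->tx_cmd_urb.context = ar;
    hc_pending = &ar->tx_cmd_urb;          /* usb_submit_urb() */
    if (!timed_out) {
        hc_complete_late();                /* completes before the wait expires */
        return 0;
    }
    /* wait_for_completion_timeout() returned 0: the URB is still in flight */
    if (cancel_on_timeout)
        hc_kill(&ar->tx_cmd_urb);          /* the fix: cancel before the caller frees */
    return -ETIMEDOUT;
}

/* Stand-in for ar5523_probe(): any error frees the device structure; the controller's
 * deferred completion fires later regardless of that. */
static int probe_model(struct ar_dev_model *ar, bool timed_out, bool cancel_on_timeout)
{
    int err = cmd_model(ar, timed_out, cancel_on_timeout);
    if (err)
        ar->freed = true;   /* kfree(ar) in the real driver */
    hc_complete_late();
    return err;
}

/* One timed-out probe; returns the number of post-free reads the callback made. */
int uaf_reads_after_timeout(bool cancel_on_timeout)
{
    struct ar_dev_model ar = {0};
    hc_pending = NULL;
    probe_model(&ar, true, cancel_on_timeout);
    return ar.uaf_reads;
}

/* One probe that completes in time; returns 1 if the command finished normally. */
int cmd_completes_in_time(void)
{
    struct ar_dev_model ar = {0};
    hc_pending = NULL;
    return probe_model(&ar, false, false) == 0 && ar.cmd_done;
}

int main(void)
{
    printf("unfixed: post-free reads = %d\n", uaf_reads_after_timeout(false));
    printf("fixed:   post-free reads = %d\n", uaf_reads_after_timeout(true));
    return 0;
}
```

The model reproduces the ordering in the splat: the free happens on the probe error path, the completion arrives from timer context afterwards, and only the cancel-before-free ordering removes the dangling callback. The same pattern applies to any driver that hands a pointer to an asynchronous engine and then frees it on an error path without first waiting for the engine to let go.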


{
  "affected": [],
  "aliases": [
    "CVE-2022-50716"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-24T13:15:58Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ar5523: Fix use-after-free on ar5523_cmd() timed out\n\nsyzkaller reported use-after-free with the stack trace like below [1]:\n\n[   38.960489][    C3] ==================================================================\n[   38.963216][    C3] BUG: KASAN: use-after-free in ar5523_cmd_tx_cb+0x220/0x240\n[   38.964950][    C3] Read of size 8 at addr ffff888048e03450 by task swapper/3/0\n[   38.966363][    C3]\n[   38.967053][    C3] CPU: 3 PID: 0 Comm: swapper/3 Not tainted 6.0.0-09039-ga6afa4199d3d-dirty #18\n[   38.968464][    C3] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-1.fc36 04/01/2014\n[   38.969959][    C3] Call Trace:\n[   38.970841][    C3]  \u003cIRQ\u003e\n[   38.971663][    C3]  dump_stack_lvl+0xfc/0x174\n[   38.972620][    C3]  print_report.cold+0x2c3/0x752\n[   38.973626][    C3]  ? ar5523_cmd_tx_cb+0x220/0x240\n[   38.974644][    C3]  kasan_report+0xb1/0x1d0\n[   38.975720][    C3]  ? ar5523_cmd_tx_cb+0x220/0x240\n[   38.976831][    C3]  ar5523_cmd_tx_cb+0x220/0x240\n[   38.978412][    C3]  __usb_hcd_giveback_urb+0x353/0x5b0\n[   38.979755][    C3]  usb_hcd_giveback_urb+0x385/0x430\n[   38.981266][    C3]  dummy_timer+0x140c/0x34e0\n[   38.982925][    C3]  ? notifier_call_chain+0xb5/0x1e0\n[   38.984761][    C3]  ? rcu_read_lock_sched_held+0xb/0x60\n[   38.986242][    C3]  ? lock_release+0x51c/0x790\n[   38.987323][    C3]  ? _raw_read_unlock_irqrestore+0x37/0x70\n[   38.988483][    C3]  ? __wake_up_common_lock+0xde/0x130\n[   38.989621][    C3]  ? reacquire_held_locks+0x4a0/0x4a0\n[   38.990777][    C3]  ? lock_acquire+0x472/0x550\n[   38.991919][    C3]  ? rcu_read_lock_sched_held+0xb/0x60\n[   38.993138][    C3]  ? lock_acquire+0x472/0x550\n[   38.994890][    C3]  ? dummy_urb_enqueue+0x860/0x860\n[   38.996266][    C3]  ? do_raw_spin_unlock+0x16f/0x230\n[   38.997670][    C3]  ? dummy_urb_enqueue+0x860/0x860\n[   38.999116][    C3]  call_timer_fn+0x1a0/0x6a0\n[   39.000668][    C3]  ? add_timer_on+0x4a0/0x4a0\n[   39.002137][    C3]  ? reacquire_held_locks+0x4a0/0x4a0\n[   39.003809][    C3]  ? __next_timer_interrupt+0x226/0x2a0\n[   39.005509][    C3]  __run_timers.part.0+0x69a/0xac0\n[   39.007025][    C3]  ? dummy_urb_enqueue+0x860/0x860\n[   39.008716][    C3]  ? call_timer_fn+0x6a0/0x6a0\n[   39.010254][    C3]  ? cpuacct_percpu_seq_show+0x10/0x10\n[   39.011795][    C3]  ? kvm_sched_clock_read+0x14/0x40\n[   39.013277][    C3]  ? sched_clock_cpu+0x69/0x2b0\n[   39.014724][    C3]  run_timer_softirq+0xb6/0x1d0\n[   39.016196][    C3]  __do_softirq+0x1d2/0x9be\n[   39.017616][    C3]  __irq_exit_rcu+0xeb/0x190\n[   39.019004][    C3]  irq_exit_rcu+0x5/0x20\n[   39.020361][    C3]  sysvec_apic_timer_interrupt+0x8f/0xb0\n[   39.021965][    C3]  \u003c/IRQ\u003e\n[   39.023237][    C3]  \u003cTASK\u003e\n\nIn ar5523_probe(), ar5523_host_available() calls ar5523_cmd() as below\n(there are other functions which finally call ar5523_cmd()):\n\nar5523_probe()\n-\u003e ar5523_host_available()\n   -\u003e ar5523_cmd_read()\n      -\u003e ar5523_cmd()\n\nIf ar5523_cmd() timed out, then ar5523_host_available() failed and\nar5523_probe() freed the device structure.  So, ar5523_cmd_tx_cb()\nmight touch the freed structure.\n\nThis patch fixes this issue by canceling in-flight tx cmd if submitted\nurb timed out.",
  "id": "GHSA-4m5x-vw6p-2w8c",
  "modified": "2025-12-24T15:30:32Z",
  "published": "2025-12-24T15:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50716"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/340524ae7b53a72cf5d9e7bd7790433422b3b12f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3eca9697c2f3905dea3ad2fc536ebaa1fbd735bd"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/601ae89375033ac4870c086e24ba03f235d38e55"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6447beefd21326a3f4719ec2ea511df797f6c820"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7360b323e0343ea099091d4ae09576dbe1f09516"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8af52492717e3538eba3f81d012b1476af8a89a6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9aef34e1ae35a87e5f6a22278c17823b7ce64c88"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b6702a942a069c2a975478d719e98d83cdae1797"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c9ba3fbf6a488da6cad1d304c5234bd8d729eba3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}
