A vulnerability was found in ath9k_htc_probe_device in drivers/net/wireless/ath/ath9k/htc_drv_init.c in the Linux kernel. In this flaw, a local user may gain access to kernel memory, leading to a system crash or a leak of internal kernel information.

In more detail: after ieee80211_alloc_hw finishes executing, it saves the variable priv into htc_handle->drv_priv. Then, if the function ath9k_htc_wait_for_target fails, it directly frees the variable hw with the function ieee80211_free_hw, but it doesn't clear htc_handle->drv_priv. At this point, the USB communication channel has already been established. The function ath9k_hif_usb_rx_stream is used to process received messages. It calls the macro RX_STAT_INC to count the number of packets, and this macro uses htc_handle->drv_priv, which has been freed before.

Reference: https://lore.kernel.org/lkml/87ilqc7jv9.fsf@kernel.org/t/
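The pointer lifetime described in the report above, as an added userspace model; it is not kernel code and not the upstream patch. The `*_model` names, the single static slot that stands in for the allocator, and the `clear_on_error` switch are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed userspace model; every *_model name here is hypothetical. */
struct priv_model { bool live; unsigned long rx_packets; }; /* live: backing hw not freed */
struct hw_model   { struct priv_model priv; };              /* priv is embedded in hw */
struct htc_model  { struct priv_model *drv_priv; };
enum rx_result { RX_COUNTED, RX_SKIPPED_NO_PRIV, RX_STALE_ACCESS };

/* One static slot stands in for the allocator so "freed" state can be read safely. */
static struct hw_model slot;

/* Probe: publish priv in the handle, wait for the target, free hw on failure. */
static int probe_model(struct htc_model *htc, bool target_ready, bool clear_on_error)
{
    struct hw_model *hw = &slot;                 /* models ieee80211_alloc_hw */
    hw->priv.live = true;
    hw->priv.rx_packets = 0;
    htc->drv_priv = &hw->priv;
    if (!target_ready) {                         /* models ath9k_htc_wait_for_target failing */
        if (clear_on_error)
            htc->drv_priv = NULL;                /* hardened: no pointer outlives hw */
        hw->priv.live = false;                   /* models ieee80211_free_hw */
        return -1;
    }
    return 0;
}

/* RX path: the packet counter is reached through htc->drv_priv. */
static enum rx_result rx_stream_model(struct htc_model *htc)
{
    struct priv_model *priv = htc->drv_priv;
    if (priv == NULL)
        return RX_SKIPPED_NO_PRIV;
    if (!priv->live)
        return RX_STALE_ACCESS;                  /* the driver would touch freed memory here */
    priv->rx_packets++;
    return RX_COUNTED;
}

int main(void)
{
    struct htc_model reported = {0}, hardened = {0};
    probe_model(&reported, false, false);
    int r = rx_stream_model(&reported);
    probe_model(&hardened, false, true);
    printf("as reported: %d, hardened: %d\n", r, rx_stream_model(&hardened));
    return 0;
}
```

The model is single-threaded, so it shows only the dangling `drv_priv` after a failed probe and the effect of clearing it on the error path.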
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 2086288]
This was fixed for Fedora with the 5.18.18 stable kernel update.
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2022:7933 https://access.redhat.com/errata/RHSA-2022:7933
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2022:8267 https://access.redhat.com/errata/RHSA-2022:8267
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:2736 https://access.redhat.com/errata/RHSA-2023:2736
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:2951 https://access.redhat.com/errata/RHSA-2023:2951
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-1679
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support Via RHSA-2024:0412 https://access.redhat.com/errata/RHSA-2024:0412