CVE-2022-50279 (GCVE-0-2022-50279)

Vulnerability from cvelistv5 – Published: 2025-09-15 14:21 – Updated: 2025-09-15 14:21
VLAI?
Title
wifi: rtlwifi: Fix global-out-of-bounds bug in _rtl8812ae_phy_set_txpower_limit()
Summary
In the Linux kernel, the following vulnerability has been resolved: wifi: rtlwifi: Fix global-out-of-bounds bug in _rtl8812ae_phy_set_txpower_limit() There is a global-out-of-bounds reported by KASAN: BUG: KASAN: global-out-of-bounds in _rtl8812ae_eq_n_byte.part.0+0x3d/0x84 [rtl8821ae] Read of size 1 at addr ffffffffa0773c43 by task NetworkManager/411 CPU: 6 PID: 411 Comm: NetworkManager Tainted: G D 6.1.0-rc8+ #144 e15588508517267d37 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), Call Trace: <TASK> ... kasan_report+0xbb/0x1c0 _rtl8812ae_eq_n_byte.part.0+0x3d/0x84 [rtl8821ae] rtl8821ae_phy_bb_config.cold+0x346/0x641 [rtl8821ae] rtl8821ae_hw_init+0x1f5e/0x79b0 [rtl8821ae] ... </TASK> The root cause of the problem is that the comparison order of "prate_section" in _rtl8812ae_phy_set_txpower_limit() is wrong. The _rtl8812ae_eq_n_byte() is used to compare the first n bytes of the two strings from tail to head, which causes the problem. In the _rtl8812ae_phy_set_txpower_limit(), it was originally intended to meet this requirement by carefully designing the comparison order. For example, "pregulation" and "pbandwidth" are compared in order of length from small to large, first is 3 and last is 4. However, the comparison order of "prate_section" dose not obey such order requirement, therefore when "prate_section" is "HT", when comparing from tail to head, it will lead to access out of bounds in _rtl8812ae_eq_n_byte(). As mentioned above, the _rtl8812ae_eq_n_byte() has the same function as strcmp(), so just strcmp() is enough. Fix it by removing _rtl8812ae_eq_n_byte() and use strcmp() barely. Although it can be fixed by adjusting the comparison order of "prate_section", this may cause the value of "rate_section" to not be from 0 to 5. In addition, commit "21e4b0726dc6" not only moved driver from staging to regular tree, but also added setting txpower limit function during the driver config phase, so the problem was introduced by this commit.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 21e4b0726dc671c423e2dc9a85364716219c4502 , < fc3442247716fc426bbcf62ed65e086e48a6d44f (git)
Affected: 21e4b0726dc671c423e2dc9a85364716219c4502 , < 28ea268d95e57cdf6394a058f0d854206d478772 (git)
Affected: 21e4b0726dc671c423e2dc9a85364716219c4502 , < 1e950b9a841bc96e98ee25680d5c7aa305120be1 (git)
Affected: 21e4b0726dc671c423e2dc9a85364716219c4502 , < 0c962dcd6bf64b78eaffc09e497a2beb4e48bc32 (git)
Affected: 21e4b0726dc671c423e2dc9a85364716219c4502 , < f1fe40120de6ad4ffa8299fde035a5feba10d4fb (git)
Affected: 21e4b0726dc671c423e2dc9a85364716219c4502 , < 057b52461dc005ecd85a3e4998913b1492ec0f72 (git)
Affected: 21e4b0726dc671c423e2dc9a85364716219c4502 , < 117dbeda22ec5ea0918254d03b540ef8b8a64d53 (git)
Create a notification for this product.
    Linux Linux Affected: 3.18
Unaffected: 0 , < 3.18 (semver)
Unaffected: 4.19.276 , ≤ 4.19.* (semver)
Unaffected: 5.4.235 , ≤ 5.4.* (semver)
Unaffected: 5.10.173 , ≤ 5.10.* (semver)
Unaffected: 5.15.99 , ≤ 5.15.* (semver)
Unaffected: 6.1.16 , ≤ 6.1.* (semver)
Unaffected: 6.2.3 , ≤ 6.2.* (semver)
Unaffected: 6.3 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/realtek/rtlwifi/rtl8821ae/phy.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "fc3442247716fc426bbcf62ed65e086e48a6d44f",
              "status": "affected",
              "version": "21e4b0726dc671c423e2dc9a85364716219c4502",
              "versionType": "git"
            },
            {
              "lessThan": "28ea268d95e57cdf6394a058f0d854206d478772",
              "status": "affected",
              "version": "21e4b0726dc671c423e2dc9a85364716219c4502",
              "versionType": "git"
            },
            {
              "lessThan": "1e950b9a841bc96e98ee25680d5c7aa305120be1",
              "status": "affected",
              "version": "21e4b0726dc671c423e2dc9a85364716219c4502",
              "versionType": "git"
            },
            {
              "lessThan": "0c962dcd6bf64b78eaffc09e497a2beb4e48bc32",
              "status": "affected",
              "version": "21e4b0726dc671c423e2dc9a85364716219c4502",
              "versionType": "git"
            },
            {
              "lessThan": "f1fe40120de6ad4ffa8299fde035a5feba10d4fb",
              "status": "affected",
              "version": "21e4b0726dc671c423e2dc9a85364716219c4502",
              "versionType": "git"
            },
            {
              "lessThan": "057b52461dc005ecd85a3e4998913b1492ec0f72",
              "status": "affected",
              "version": "21e4b0726dc671c423e2dc9a85364716219c4502",
              "versionType": "git"
            },
            {
              "lessThan": "117dbeda22ec5ea0918254d03b540ef8b8a64d53",
              "status": "affected",
              "version": "21e4b0726dc671c423e2dc9a85364716219c4502",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/realtek/rtlwifi/rtl8821ae/phy.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.18"
            },
            {
              "lessThan": "3.18",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.276",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.173",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.99",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.2.*",
              "status": "unaffected",
              "version": "6.2.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.3",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.276",
                  "versionStartIncluding": "3.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.235",
                  "versionStartIncluding": "3.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.173",
                  "versionStartIncluding": "3.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.99",
                  "versionStartIncluding": "3.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.16",
                  "versionStartIncluding": "3.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.2.3",
                  "versionStartIncluding": "3.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.3",
                  "versionStartIncluding": "3.18",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtlwifi: Fix global-out-of-bounds bug in _rtl8812ae_phy_set_txpower_limit()\n\nThere is a global-out-of-bounds reported by KASAN:\n\n  BUG: KASAN: global-out-of-bounds in\n  _rtl8812ae_eq_n_byte.part.0+0x3d/0x84 [rtl8821ae]\n  Read of size 1 at addr ffffffffa0773c43 by task NetworkManager/411\n\n  CPU: 6 PID: 411 Comm: NetworkManager Tainted: G      D\n  6.1.0-rc8+ #144 e15588508517267d37\n  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009),\n  Call Trace:\n   \u003cTASK\u003e\n   ...\n   kasan_report+0xbb/0x1c0\n   _rtl8812ae_eq_n_byte.part.0+0x3d/0x84 [rtl8821ae]\n   rtl8821ae_phy_bb_config.cold+0x346/0x641 [rtl8821ae]\n   rtl8821ae_hw_init+0x1f5e/0x79b0 [rtl8821ae]\n   ...\n   \u003c/TASK\u003e\n\nThe root cause of the problem is that the comparison order of\n\"prate_section\" in _rtl8812ae_phy_set_txpower_limit() is wrong. The\n_rtl8812ae_eq_n_byte() is used to compare the first n bytes of the two\nstrings from tail to head, which causes the problem. In the\n_rtl8812ae_phy_set_txpower_limit(), it was originally intended to meet\nthis requirement by carefully designing the comparison order.\nFor example, \"pregulation\" and \"pbandwidth\" are compared in order of\nlength from small to large, first is 3 and last is 4. However, the\ncomparison order of \"prate_section\" dose not obey such order requirement,\ntherefore when \"prate_section\" is \"HT\", when comparing from tail to head,\nit will lead to access out of bounds in _rtl8812ae_eq_n_byte(). As\nmentioned above, the _rtl8812ae_eq_n_byte() has the same function as\nstrcmp(), so just strcmp() is enough.\n\nFix it by removing _rtl8812ae_eq_n_byte() and use strcmp() barely.\nAlthough it can be fixed by adjusting the comparison order of\n\"prate_section\", this may cause the value of \"rate_section\" to not be\nfrom 0 to 5. In addition, commit \"21e4b0726dc6\" not only moved driver\nfrom staging to regular tree, but also added setting txpower limit\nfunction during the driver config phase, so the problem was introduced\nby this commit."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-15T14:21:16.051Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/fc3442247716fc426bbcf62ed65e086e48a6d44f"
        },
        {
          "url": "https://git.kernel.org/stable/c/28ea268d95e57cdf6394a058f0d854206d478772"
        },
        {
          "url": "https://git.kernel.org/stable/c/1e950b9a841bc96e98ee25680d5c7aa305120be1"
        },
        {
          "url": "https://git.kernel.org/stable/c/0c962dcd6bf64b78eaffc09e497a2beb4e48bc32"
        },
        {
          "url": "https://git.kernel.org/stable/c/f1fe40120de6ad4ffa8299fde035a5feba10d4fb"
        },
        {
          "url": "https://git.kernel.org/stable/c/057b52461dc005ecd85a3e4998913b1492ec0f72"
        },
        {
          "url": "https://git.kernel.org/stable/c/117dbeda22ec5ea0918254d03b540ef8b8a64d53"
        }
      ],
      "title": "wifi: rtlwifi: Fix global-out-of-bounds bug in _rtl8812ae_phy_set_txpower_limit()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-50279",
    "datePublished": "2025-09-15T14:21:16.051Z",
    "dateReserved": "2025-09-15T13:58:00.976Z",
    "dateUpdated": "2025-09-15T14:21:16.051Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.