CVE-2022-49112 in Linux

Summary

by MITRE • 02/26/2025

In the Linux kernel, the following vulnerability has been resolved:

mt76: fix monitor mode crash with sdio driver

mt7921s driver may receive frames with fragment buffers. If there is a CTS packet received in monitor mode, the payload is 10 bytes only and needs 6 bytes of header padding after the RXD buffer. However, only the RXD is in the first linear buffer; if we pull buffer size RXD-size+6 bytes with skb_pull(), that would trigger "BUG_ON(skb->len < data_len)" in __skb_pull().

To avoid the nonlinear buffer issue, enlarge the RXD size from 128 to 256 to make sure all MCU operations are in the linear buffer.

[ 52.007562] kernel BUG at include/linux/skbuff.h:2313!
[ 52.007578] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
[ 52.007987] pc : skb_pull+0x48/0x4c
[ 52.008015] lr : mt7921_queue_rx_skb+0x494/0x890 [mt7921_common]
[ 52.008361] Call trace:
[ 52.008377] skb_pull+0x48/0x4c
[ 52.008400] mt76s_net_worker+0x134/0x1b0 [mt76_sdio 35339a92c6eb7d4bbcc806a1d22f56365565135c]
[ 52.008431] __mt76_worker_fn+0xe8/0x170 [mt76 ef716597d11a77150bc07e3fdd68eeb0f9b56917]
[ 52.008449] kthread+0x148/0x3ac
[ 52.008466] ret_from_fork+0x10/0x30


Analysis

by VulDB Data Team • 10/15/2025

This vulnerability affects the Linux kernel's mt7921s driver, the mt76 driver for MediaTek's MT7921 wireless chipset attached over SDIO. When the interface is in monitor mode and receives a CTS control frame, the frame carries only a 10-byte 802.11 payload, and the driver must strip the receive descriptor (RXD) plus 6 bytes of header padding before passing the frame up. The SDIO receive path builds each frame as a socket buffer (skb) whose first 128 bytes are linear and whose remainder is attached as page fragments, so a header longer than 128 bytes straddles the linear/non-linear boundary. The flaw is that the driver strips the header without checking for that case.

The crash is in the header strip itself. mt7921_queue_rx_skb() calls skb_pull() for RXD-size plus 6 bytes, but skb_pull() only advances through the linear area: __skb_pull() subtracts the requested length from skb->len and then asserts BUG_ON(skb->len < skb->data_len), where data_len is the number of bytes held in fragments. When the RXD plus padding exceeds the linear head, the pull would have to reach into a fragment, the assertion fires at include/linux/skbuff.h:2313, and the kernel oopses in the mt76s_net_worker thread, as the trace above shows. The driver assumed the whole header would always be linear; nothing validated that before the pull, and a CTS frame in monitor mode is the case where the assumption fails.

Operationally this is a denial of service, not memory corruption: BUG_ON() kills the worker thread (or panics the whole host, depending on panic_on_oops), taking wireless connectivity down with it. The trigger is an ordinary CTS control frame, which carries no authentication and can be transmitted by any 802.11 device in radio range, so it is reachable remotely; it is only reached, however, while the interface is in monitor mode, which normally requires local administrative action such as starting a packet capture or debugging session. Affected systems are those with an MT7921 chipset connected over SDIO and running an unpatched mt76. The impact is limited to the crash; a reachable BUG_ON() does not provide a write primitive, so there is no privilege-escalation path here.

The fix enlarges the linear head size used when building SDIO receive skbs from 128 to 256 bytes, so the RXD, its padding and any MCU response fit entirely in the linear area and skb_pull() never has to cross into a fragment. This removes the condition rather than adding a check: it is correct as long as 256 bytes really bounds every header the firmware can produce. A driver that cannot bound the header length in advance should instead call pskb_may_pull() before skb_pull(), which linearises the needed bytes when possible and fails cleanly when the frame is too short. In CWE terms the defect is a reachable assertion (CWE-617) driven by the layout of a received frame; it involves no out-of-bounds access and no code execution.
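To make the linear/non-linear boundary described in the analysis concrete, here is an added userspace C model of the receive path; it is an illustration written for this page, not mt76 or kernel code. It splits a constructed RXD + padding + CTS frame into a 128- or 256-byte linear head plus a fragment, then performs the same pull the driver does and reports the case where the kernel's BUG_ON() would fire. The 128/256 head sizes, the 10-byte CTS payload and the 6-byte padding come from the commit message; the RXD length of 124 bytes is an assumed value, since the page does not give it. The third case goes beyond the page's fix and shows pskb_may_pull(), the kernel's standard guard for this situation, modelled as linearising the needed bytes before the pull.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HEAD_LEN_OLD    128 /* linear head size before the fix (commit message) */
#define HEAD_LEN_NEW    256 /* linear head size after the fix */
#define CTS_PAYLOAD      10 /* 802.11 CTS: frame control, duration, RA */
#define HDR_PAD           6 /* padding stripped after the RXD (commit message) */
#define ASSUMED_RXD_LEN 124 /* assumed: the page gives no RXD length; chosen so
                               RXD + pad (130) exceeds the old 128-byte head */

enum pull_result { PULL_OK = 0, PULL_SHORT = 1, PULL_BUG = -1 };

/* Stand-in for struct sk_buff: only the fields __skb_pull() looks at, with
 * the linear area and the fragment bytes kept as two separate buffers. */
struct skb {
    unsigned int len;      /* total bytes: linear + fragments */
    unsigned int data_len; /* bytes held in page fragments (non-linear) */
    uint8_t *linear;       /* linear area, len - data_len valid bytes */
    uint8_t *frag;         /* fragment bytes, data_len valid bytes */
};

/* Mirrors the SDIO rx split: at most head_len bytes go into the linear
 * area, the remainder is attached as a fragment. */
static int build_rx_skb(struct skb *skb, const uint8_t *buf,
                        unsigned int data_len, unsigned int head_len)
{
    unsigned int lin = data_len < head_len ? data_len : head_len;

    memset(skb, 0, sizeof(*skb));
    /* capacity for the whole frame so a later linearisation needs no realloc */
    skb->linear = malloc(data_len + 1);
    skb->frag = malloc(data_len + 1);
    if (!skb->linear || !skb->frag) {
        free(skb->linear);
        free(skb->frag);
        return -1;
    }
    memcpy(skb->linear, buf, lin);
    memcpy(skb->frag, buf + lin, data_len - lin);
    skb->len = data_len;
    skb->data_len = data_len - lin;
    return 0;
}

/* skb_pull()/__skb_pull() as in include/linux/skbuff.h: the kernel returns
 * NULL when n > skb->len and hits BUG_ON(skb->len < skb->data_len) when the
 * pull would leave the linear area; both are reported as return codes here. */
static enum pull_result skb_pull_model(struct skb *skb, unsigned int n)
{
    if (n > skb->len)
        return PULL_SHORT;
    if (skb->len - n < skb->data_len)
        return PULL_BUG;          /* the kernel BUG at skbuff.h:2313 */
    memmove(skb->linear, skb->linear + n, skb->len - skb->data_len - n);
    skb->len -= n;
    return PULL_OK;
}

/* pskb_may_pull(): the guard to use before pulling through a possibly
 * non-linear skb. Moves fragment bytes into the linear area instead of
 * crashing; returns 1 when n bytes are linear, 0 when the skb is too short. */
static int pskb_may_pull_model(struct skb *skb, unsigned int n)
{
    unsigned int lin = skb->len - skb->data_len;
    unsigned int need;

    if (n <= lin)
        return 1;
    if (n > skb->len)
        return 0;
    need = n - lin;
    memcpy(skb->linear + lin, skb->frag, need);
    memmove(skb->frag, skb->frag + need, skb->data_len - need);
    skb->data_len -= need;
    return 1;
}

/* Monitor-mode CTS receive: a constructed RXD + pad + CTS frame is split at
 * head_len, then RXD + pad bytes are pulled. guard=0 is the bare skb_pull()
 * the driver used; guard=1 checks pskb_may_pull() first. */
static enum pull_result rx_cts(unsigned int head_len, unsigned int rxd_len,
                               int guard)
{
    unsigned int frame_len = rxd_len + HDR_PAD + CTS_PAYLOAD;
    unsigned int pull_len = rxd_len + HDR_PAD;
    uint8_t *frame = calloc(frame_len, 1); /* constructed; contents irrelevant */
    struct skb skb;
    enum pull_result rc;

    if (!frame || build_rx_skb(&skb, frame, frame_len, head_len) < 0) {
        free(frame);
        return PULL_SHORT;
    }
    if (guard && !pskb_may_pull_model(&skb, pull_len))
        rc = PULL_SHORT;
    else
        rc = skb_pull_model(&skb, pull_len);
    free(skb.linear);
    free(skb.frag);
    free(frame);
    return rc;
}

int main(void)
{
    printf("head 128, bare pull: %d (-1 = kernel BUG)\n",
           rx_cts(HEAD_LEN_OLD, ASSUMED_RXD_LEN, 0));
    printf("head 256, bare pull: %d\n", rx_cts(HEAD_LEN_NEW, ASSUMED_RXD_LEN, 0));
    printf("head 128, guarded  : %d\n", rx_cts(HEAD_LEN_OLD, ASSUMED_RXD_LEN, 1));
    return 0;
}
```

With the assumed 124-byte RXD the first case reproduces the crash condition (130 bytes pulled through a 128-byte linear head with 12 bytes in a fragment), the second shows why the 256-byte head avoids it, and the third shows that the guard makes the old head size safe as well.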

Responsible

Linux

Reservation

02/26/2025

Disclosure

02/26/2025

Moderation

accepted

CPE

ready

EPSS

0.00226

KEV

no

Activities

very low

Sources
