CVE-2022-49073
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2022-49073
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-49073.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2022-49073
- Related
- Published
- 2025-02-26T07:00:44Z
- Modified
- 2025-02-26T19:00:55.479008Z
- Downstream
- Summary
- [none]
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
ata: satadwc460ex: Fix crash due to OOB write
the driver uses libata's "tag" values from in various arrays. Since the mentioned patch bumped the ATATAGINTERNAL to 32, the value of the SATADWCQCMD_MAX needs to account for that.
Otherwise ATATAGINTERNAL usage cause similar crashes like this as reported by Tice Rex on the OpenWrt Forum and reproduced (with symbols) here:
| BUG: Kernel NULL pointer dereference at 0x00000000 | Faulting instruction address: 0xc03ed4b8 | Oops: Kernel access of bad area, sig: 11 [#1] | BE PAGESIZE=4K PowerPC 44x Platform | CPU: 0 PID: 362 Comm: scsieh1 Not tainted 5.4.163 #0 | NIP: c03ed4b8 LR: c03d27e8 CTR: c03ed36c | REGS: cfa59950 TRAP: 0300 Not tainted (5.4.163) | MSR: 00021000 <CE,ME> CR: 42000222 XER: 00000000 | DEAR: 00000000 ESR: 00000000 | GPR00: c03d27e8 cfa59a08 cfa55fe0 00000000 0fa46bc0 [...] | [..] | NIP [c03ed4b8] satadwcqcissue+0x14c/0x254 | LR [c03d27e8] ataqcissue+0x1c8/0x2dc | Call Trace: | [cfa59a08] [c003f4e0] _cancelworktimer+0x124/0x194 (unreliable) | [cfa59a78] [c03d27e8] ataqcissue+0x1c8/0x2dc | [cfa59a98] [c03d2b3c] ataexecinternalsg+0x240/0x524 | [cfa59b08] [c03d2e98] ataexecinternal+0x78/0xe0 | [cfa59b58] [c03d30fc] atareadlogpage.part.38+0x1dc/0x204 | [cfa59bc8] [c03d324c] ataidentifypagesupported+0x68/0x130 | [...]
This is because satadwcdmaxfercomplete() NULLs the dmapending's next neighbour "chan" (a *dmachan struct) in this '32' case right here (line ~735):
hsdevp->dmapending[tag] = SATADWCDMAPENDING_NONE;
Then the next time, a dma gets issued; dmadwcxfersetup() passes the NULL'd hsdevp->chan to the dmaengineslave_config() which then causes the crash.
With this patch, SATADWCQCMDMAX is now set to ATAMAXQUEUE + 1. This avoids the OOB. But please note, there was a worthwhile discussion on what ATATAGINTERNAL and ATAMAX_QUEUE is. And why there should not be a "fake" 33 command-long queue size.
Ideally, the dw driver should account for the ATATAGINTERNAL. In Damien Le Moal's words: "... having looked at the driver, it is a bigger change than just faking a 33rd "tag" that is in fact not a command tag at all."
BugLink: https://github.com/openwrt/openwrt/issues/9505
- References
-
- https://git.kernel.org/stable/c/234c0132f76f0676d175757f61b0025191a3d935
- https://git.kernel.org/stable/c/3a8751c0d4e24129e72dcec0139e99833b13904a
- https://git.kernel.org/stable/c/55e1465ba79562a191708a40eeae3f8082a209e3
- https://git.kernel.org/stable/c/596c7efd69aae94f4b0e91172b075eb197958b99
- https://git.kernel.org/stable/c/7aa8104a554713b685db729e66511b93d989dd6a
- https://git.kernel.org/stable/c/8a05a6952ecd59aaa62cbdcdaf523ae2c8f436e8
- https://git.kernel.org/stable/c/fc629224aa62f23849cae83717932985ac51232d
- https://security-tracker.debian.org/tracker/CVE-2022-49073
Affected packages
Debian:11 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed5.10.113-1
Debian:12 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Debian:13 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source