Message-ID: <2025022610-CVE-2022-49592-f07c@gregkh>
Date: Wed, 26 Feb 2025 03:22:35 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: CVE-2022-49592: net: stmmac: fix dma queue left shift overflow issue

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

net: stmmac: fix dma queue left shift overflow issue

When queue number is > 4, left shift overflows due to 32 bits
integer variable. Mask calculation is wrong for MTL_RXQ_DMA_MAP1.

If CONFIG_UBSAN is enabled, kernel dumps below warning:
[ 10.363842] ==================================================================
[ 10.363882] UBSAN: shift-out-of-bounds in /build/linux-intel-iotg-5.15-8e6Tf4/
linux-intel-iotg-5.15-5.15.0/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c:224:12
[ 10.363929] shift exponent 40 is too large for 32-bit type 'unsigned int'
[ 10.363953] CPU: 1 PID: 599 Comm: NetworkManager Not tainted 5.15.0-1003-intel-iotg
[ 10.363956] Hardware name: ADLINK Technology Inc. LEC-EL/LEC-EL, BIOS 0.15.11 12/22/2021
[ 10.363958] Call Trace:
[ 10.363960] <TASK>
[ 10.363963] dump_stack_lvl+0x4a/0x5f
[ 10.363971] dump_stack+0x10/0x12
[ 10.363974] ubsan_epilogue+0x9/0x45
[ 10.363976] __ubsan_handle_shift_out_of_bounds.cold+0x61/0x10e
[ 10.363979] ? wake_up_klogd+0x4a/0x50
[ 10.363983] ? vprintk_emit+0x8f/0x240
[ 10.363986] dwmac4_map_mtl_dma.cold+0x42/0x91 [stmmac]
[ 10.364001] stmmac_mtl_configuration+0x1ce/0x7a0 [stmmac]
[ 10.364009] ? dwmac410_dma_init_channel+0x70/0x70 [stmmac]
[ 10.364020] stmmac_hw_setup.cold+0xf/0xb14 [stmmac]
[ 10.364030] ? page_pool_alloc_pages+0x4d/0x70
[ 10.364034] ? stmmac_clear_tx_descriptors+0x6e/0xe0 [stmmac]
[ 10.364042] stmmac_open+0x39e/0x920 [stmmac]
[ 10.364050] __dev_open+0xf0/0x1a0
[ 10.364054] __dev_change_flags+0x188/0x1f0
[ 10.364057] dev_change_flags+0x26/0x60
[ 10.364059] do_setlink+0x908/0xc40
[ 10.364062] ? do_setlink+0xb10/0xc40
[ 10.364064] ? __nla_validate_parse+0x4c/0x1a0
[ 10.364068] __rtnl_newlink+0x597/0xa10
[ 10.364072] ? __nla_reserve+0x41/0x50
[ 10.364074] ? __kmalloc_node_track_caller+0x1d0/0x4d0
[ 10.364079] ? pskb_expand_head+0x75/0x310
[ 10.364082] ? nla_reserve_64bit+0x21/0x40
[ 10.364086] ? skb_free_head+0x65/0x80
[ 10.364089] ? security_sock_rcv_skb+0x2c/0x50
[ 10.364094] ? __cond_resched+0x19/0x30
[ 10.364097] ? kmem_cache_alloc_trace+0x15a/0x420
[ 10.364100] rtnl_newlink+0x49/0x70

This change fixes MTL_RXQ_DMA_MAP1 mask issue and channel/queue
mapping warning.

BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=216195

The Linux kernel CVE team has assigned CVE-2022-49592 to this issue.


Affected and fixed versions
===========================

Issue introduced in 4.12 with commit d43042f4da3e1c2e4ccac3b1d9153cb0798533a4 and fixed in 4.14.290 with commit ad2febdfbd01e1d092a08bfdba92ede79ea05ff3
Issue introduced in 4.12 with commit d43042f4da3e1c2e4ccac3b1d9153cb0798533a4 and fixed in 4.19.254 with commit 508d86ead36cbd8dfb60773a33276790d668c473
Issue introduced in 4.12 with commit d43042f4da3e1c2e4ccac3b1d9153cb0798533a4 and fixed in 5.4.208 with commit 573768dede0e2b7de38ecbc11cb3ee47643902dc
Issue introduced in 4.12 with commit d43042f4da3e1c2e4ccac3b1d9153cb0798533a4 and fixed in 5.10.134 with commit a3ac79f38d354b10925824899cdbd2caadce55ba
Issue introduced in 4.12 with commit d43042f4da3e1c2e4ccac3b1d9153cb0798533a4 and fixed in 5.15.58 with commit 7c687a893f5cae5ca40d189635602e93af9bab73
Issue introduced in 4.12 with commit d43042f4da3e1c2e4ccac3b1d9153cb0798533a4 and fixed in 5.18.15 with commit e846bde09677fa3b203057846620b7ed96540f5f
Issue introduced in 4.12 with commit d43042f4da3e1c2e4ccac3b1d9153cb0798533a4 and fixed in 5.19 with commit 613b065ca32e90209024ec4a6bb5ca887ee70980

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-49592
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/ad2febdfbd01e1d092a08bfdba92ede79ea05ff3
https://git.kernel.org/stable/c/508d86ead36cbd8dfb60773a33276790d668c473
https://git.kernel.org/stable/c/573768dede0e2b7de38ecbc11cb3ee47643902dc
https://git.kernel.org/stable/c/a3ac79f38d354b10925824899cdbd2caadce55ba
https://git.kernel.org/stable/c/7c687a893f5cae5ca40d189635602e93af9bab73
https://git.kernel.org/stable/c/e846bde09677fa3b203057846620b7ed96540f5f
https://git.kernel.org/stable/c/613b065ca32e90209024ec4a6bb5ca887ee70980
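
The shift problem this advisory describes, as an added example that is not part of the original message and is not the kernel's code: it models the two RX queue map registers in memory and contrasts scaling the absolute queue number (exponent 40 for queue 5) with selecting the register first and shifting by the register-local slot. The register layout (four 8-bit slots per 32-bit register, 4-bit channel field) and all names below are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed layout (not taken from the kernel headers): two simulated 32-bit
 * map registers, each holding four queue slots of 8 bits, with the DMA
 * channel number in the low 4 bits of its slot. */
#define QUEUES_PER_REG 4u
#define SLOT_BITS      8u
#define CHAN_MASK      0xfu

struct rxq_dma_map { uint32_t reg[2]; };   /* stand-ins for MAP0 and MAP1 */

/* Exponent produced when the absolute queue number is scaled directly,
 * which is the pattern the advisory describes as overflowing. */
unsigned int unfixed_shift_exponent(unsigned int queue)
{
    return SLOT_BITS * queue;
}

/* Shifting a 32-bit operand by 32 or more is undefined behaviour in C;
 * this is the condition UBSAN reports as shift-out-of-bounds. */
int shift_is_undefined(unsigned int exponent)
{
    return exponent >= 32u;
}

/* Corrected pattern: select the register first, then shift by the
 * register-local slot index, so the exponent never exceeds 24. */
int map_queue_to_chan(struct rxq_dma_map *m, unsigned int queue, unsigned int chan)
{
    unsigned int idx = queue / QUEUES_PER_REG;
    unsigned int shift = SLOT_BITS * (queue % QUEUES_PER_REG);

    if (idx >= 2u || chan > CHAN_MASK)
        return -1;                          /* reject out-of-range input */
    m->reg[idx] &= ~((uint32_t)CHAN_MASK << shift);
    m->reg[idx] |= (uint32_t)chan << shift;
    return 0;
}

int main(void)
{
    struct rxq_dma_map m = { { 0xffffffffu, 0xffffffffu } };

    printf("queue 5 unfixed exponent: %u (undefined: %d)\n",
           unfixed_shift_exponent(5), shift_is_undefined(unfixed_shift_exponent(5)));
    map_queue_to_chan(&m, 5, 2);
    printf("MAP0=0x%08x MAP1=0x%08x\n", (unsigned)m.reg[0], (unsigned)m.reg[1]);
    return 0;
}
```

The unfixed shift is only computed as an exponent and never executed, so the example itself contains no undefined behaviour.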