| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025022655-CVE-2022-49073-0a26@gregkh> Date: Wed, 26 Feb 2025 02:54:38 +0100 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org> Subject: CVE-2022-49073: ata: sata_dwc_460ex: Fix crash due to OOB write Description =========== In the Linux kernel, the following vulnerability has been resolved: ata: sata_dwc_460ex: Fix crash due to OOB write the driver uses libata's "tag" values from in various arrays. Since the mentioned patch bumped the ATA_TAG_INTERNAL to 32, the value of the SATA_DWC_QCMD_MAX needs to account for that. Otherwise ATA_TAG_INTERNAL usage cause similar crashes like this as reported by Tice Rex on the OpenWrt Forum and reproduced (with symbols) here: | BUG: Kernel NULL pointer dereference at 0x00000000 | Faulting instruction address: 0xc03ed4b8 | Oops: Kernel access of bad area, sig: 11 [#1] | BE PAGE_SIZE=4K PowerPC 44x Platform | CPU: 0 PID: 362 Comm: scsi_eh_1 Not tainted 5.4.163 #0 | NIP: c03ed4b8 LR: c03d27e8 CTR: c03ed36c | REGS: cfa59950 TRAP: 0300 Not tainted (5.4.163) | MSR: 00021000 <CE,ME> CR: 42000222 XER: 00000000 | DEAR: 00000000 ESR: 00000000 | GPR00: c03d27e8 cfa59a08 cfa55fe0 00000000 0fa46bc0 [...] | [..] | NIP [c03ed4b8] sata_dwc_qc_issue+0x14c/0x254 | LR [c03d27e8] ata_qc_issue+0x1c8/0x2dc | Call Trace: | [cfa59a08] [c003f4e0] __cancel_work_timer+0x124/0x194 (unreliable) | [cfa59a78] [c03d27e8] ata_qc_issue+0x1c8/0x2dc | [cfa59a98] [c03d2b3c] ata_exec_internal_sg+0x240/0x524 | [cfa59b08] [c03d2e98] ata_exec_internal+0x78/0xe0 | [cfa59b58] [c03d30fc] ata_read_log_page.part.38+0x1dc/0x204 | [cfa59bc8] [c03d324c] ata_identify_page_supported+0x68/0x130 | [...] This is because sata_dwc_dma_xfer_complete() NULLs the dma_pending's next neighbour "chan" (a *dma_chan struct) in this '32' case right here (line ~735): > hsdevp->dma_pending[tag] = SATA_DWC_DMA_PENDING_NONE; Then the next time, a dma gets issued; dma_dwc_xfer_setup() passes the NULL'd hsdevp->chan to the dmaengine_slave_config() which then causes the crash. With this patch, SATA_DWC_QCMD_MAX is now set to ATA_MAX_QUEUE + 1. This avoids the OOB. But please note, there was a worthwhile discussion on what ATA_TAG_INTERNAL and ATA_MAX_QUEUE is. And why there should not be a "fake" 33 command-long queue size. Ideally, the dw driver should account for the ATA_TAG_INTERNAL. In Damien Le Moal's words: "... having looked at the driver, it is a bigger change than just faking a 33rd "tag" that is in fact not a command tag at all." BugLink: https://github.com/openwrt/openwrt/issues/9505 The Linux kernel CVE team has assigned CVE-2022-49073 to this issue. Affected and fixed versions =========================== Issue introduced in 4.18 with commit 28361c403683c2b00d4f5e76045f3ccd299bf99d and fixed in 4.19.238 with commit 596c7efd69aae94f4b0e91172b075eb197958b99 Issue introduced in 4.18 with commit 28361c403683c2b00d4f5e76045f3ccd299bf99d and fixed in 5.4.189 with commit 55e1465ba79562a191708a40eeae3f8082a209e3 Issue introduced in 4.18 with commit 28361c403683c2b00d4f5e76045f3ccd299bf99d and fixed in 5.10.111 with commit fc629224aa62f23849cae83717932985ac51232d Issue introduced in 4.18 with commit 28361c403683c2b00d4f5e76045f3ccd299bf99d and fixed in 5.15.34 with commit 8a05a6952ecd59aaa62cbdcdaf523ae2c8f436e8 Issue introduced in 4.18 with commit 28361c403683c2b00d4f5e76045f3ccd299bf99d and fixed in 5.16.20 with commit 234c0132f76f0676d175757f61b0025191a3d935 Issue introduced in 4.18 with commit 28361c403683c2b00d4f5e76045f3ccd299bf99d and fixed in 5.17.3 with commit 3a8751c0d4e24129e72dcec0139e99833b13904a Issue introduced in 4.18 with commit 28361c403683c2b00d4f5e76045f3ccd299bf99d and fixed in 5.18 with commit 7aa8104a554713b685db729e66511b93d989dd6a Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2022-49073 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: drivers/ata/sata_dwc_460ex.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/596c7efd69aae94f4b0e91172b075eb197958b99 https://git.kernel.org/stable/c/55e1465ba79562a191708a40eeae3f8082a209e3 https://git.kernel.org/stable/c/fc629224aa62f23849cae83717932985ac51232d https://git.kernel.org/stable/c/8a05a6952ecd59aaa62cbdcdaf523ae2c8f436e8 https://git.kernel.org/stable/c/234c0132f76f0676d175757f61b0025191a3d935 https://git.kernel.org/stable/c/3a8751c0d4e24129e72dcec0139e99833b13904a https://git.kernel.org/stable/c/7aa8104a554713b685db729e66511b93d989dd6a
Powered by blists - more mailing lists