| { |
| "containers": { |
| "cna": { |
| "providerMetadata": { |
| "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038" |
| }, |
| "descriptions": [ |
| { |
| "lang": "en", |
| "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nata: sata_dwc_460ex: Fix crash due to OOB write\n\nthe driver uses libata's \"tag\" values from in various arrays.\nSince the mentioned patch bumped the ATA_TAG_INTERNAL to 32,\nthe value of the SATA_DWC_QCMD_MAX needs to account for that.\n\nOtherwise ATA_TAG_INTERNAL usage cause similar crashes like\nthis as reported by Tice Rex on the OpenWrt Forum and\nreproduced (with symbols) here:\n\n| BUG: Kernel NULL pointer dereference at 0x00000000\n| Faulting instruction address: 0xc03ed4b8\n| Oops: Kernel access of bad area, sig: 11 [#1]\n| BE PAGE_SIZE=4K PowerPC 44x Platform\n| CPU: 0 PID: 362 Comm: scsi_eh_1 Not tainted 5.4.163 #0\n| NIP: c03ed4b8 LR: c03d27e8 CTR: c03ed36c\n| REGS: cfa59950 TRAP: 0300 Not tainted (5.4.163)\n| MSR: 00021000 <CE,ME> CR: 42000222 XER: 00000000\n| DEAR: 00000000 ESR: 00000000\n| GPR00: c03d27e8 cfa59a08 cfa55fe0 00000000 0fa46bc0 [...]\n| [..]\n| NIP [c03ed4b8] sata_dwc_qc_issue+0x14c/0x254\n| LR [c03d27e8] ata_qc_issue+0x1c8/0x2dc\n| Call Trace:\n| [cfa59a08] [c003f4e0] __cancel_work_timer+0x124/0x194 (unreliable)\n| [cfa59a78] [c03d27e8] ata_qc_issue+0x1c8/0x2dc\n| [cfa59a98] [c03d2b3c] ata_exec_internal_sg+0x240/0x524\n| [cfa59b08] [c03d2e98] ata_exec_internal+0x78/0xe0\n| [cfa59b58] [c03d30fc] ata_read_log_page.part.38+0x1dc/0x204\n| [cfa59bc8] [c03d324c] ata_identify_page_supported+0x68/0x130\n| [...]\n\nThis is because sata_dwc_dma_xfer_complete() NULLs the\ndma_pending's next neighbour \"chan\" (a *dma_chan struct) in\nthis '32' case right here (line ~735):\n> hsdevp->dma_pending[tag] = SATA_DWC_DMA_PENDING_NONE;\n\nThen the next time, a dma gets issued; dma_dwc_xfer_setup() passes\nthe NULL'd hsdevp->chan to the dmaengine_slave_config() which then\ncauses the crash.\n\nWith this patch, SATA_DWC_QCMD_MAX is now set to ATA_MAX_QUEUE + 1.\nThis avoids the OOB. But please note, there was a worthwhile discussion\non what ATA_TAG_INTERNAL and ATA_MAX_QUEUE is. And why there should not\nbe a \"fake\" 33 command-long queue size.\n\nIdeally, the dw driver should account for the ATA_TAG_INTERNAL.\nIn Damien Le Moal's words: \"... having looked at the driver, it\nis a bigger change than just faking a 33rd \"tag\" that is in fact\nnot a command tag at all.\"\n\nBugLink: https://github.com/openwrt/openwrt/issues/9505" |
| } |
| ], |
| "affected": [ |
| { |
| "product": "Linux", |
| "vendor": "Linux", |
| "defaultStatus": "unaffected", |
| "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", |
| "programFiles": [ |
| "drivers/ata/sata_dwc_460ex.c" |
| ], |
| "versions": [ |
| { |
| "version": "28361c403683c2b00d4f5e76045f3ccd299bf99d", |
| "lessThan": "596c7efd69aae94f4b0e91172b075eb197958b99", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "28361c403683c2b00d4f5e76045f3ccd299bf99d", |
| "lessThan": "55e1465ba79562a191708a40eeae3f8082a209e3", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "28361c403683c2b00d4f5e76045f3ccd299bf99d", |
| "lessThan": "fc629224aa62f23849cae83717932985ac51232d", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "28361c403683c2b00d4f5e76045f3ccd299bf99d", |
| "lessThan": "8a05a6952ecd59aaa62cbdcdaf523ae2c8f436e8", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "28361c403683c2b00d4f5e76045f3ccd299bf99d", |
| "lessThan": "234c0132f76f0676d175757f61b0025191a3d935", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "28361c403683c2b00d4f5e76045f3ccd299bf99d", |
| "lessThan": "3a8751c0d4e24129e72dcec0139e99833b13904a", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "28361c403683c2b00d4f5e76045f3ccd299bf99d", |
| "lessThan": "7aa8104a554713b685db729e66511b93d989dd6a", |
| "status": "affected", |
| "versionType": "git" |
| } |
| ] |
| }, |
| { |
| "product": "Linux", |
| "vendor": "Linux", |
| "defaultStatus": "affected", |
| "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", |
| "programFiles": [ |
| "drivers/ata/sata_dwc_460ex.c" |
| ], |
| "versions": [ |
| { |
| "version": "4.18", |
| "status": "affected" |
| }, |
| { |
| "version": "0", |
| "lessThan": "4.18", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "4.19.238", |
| "lessThanOrEqual": "4.19.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "5.4.189", |
| "lessThanOrEqual": "5.4.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "5.10.111", |
| "lessThanOrEqual": "5.10.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "5.15.34", |
| "lessThanOrEqual": "5.15.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "5.16.20", |
| "lessThanOrEqual": "5.16.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "5.17.3", |
| "lessThanOrEqual": "5.17.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "5.18", |
| "lessThanOrEqual": "*", |
| "status": "unaffected", |
| "versionType": "original_commit_for_fix" |
| } |
| ] |
| } |
| ], |
| "cpeApplicability": [ |
| { |
| "nodes": [ |
| { |
| "operator": "OR", |
| "negate": false, |
| "cpeMatch": [ |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "4.18", |
| "versionEndExcluding": "4.19.238" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "4.18", |
| "versionEndExcluding": "5.4.189" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "4.18", |
| "versionEndExcluding": "5.10.111" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "4.18", |
| "versionEndExcluding": "5.15.34" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "4.18", |
| "versionEndExcluding": "5.16.20" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "4.18", |
| "versionEndExcluding": "5.17.3" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "4.18", |
| "versionEndExcluding": "5.18" |
| } |
| ] |
| } |
| ] |
| } |
| ], |
| "references": [ |
| { |
| "url": "https://git.kernel.org/stable/c/596c7efd69aae94f4b0e91172b075eb197958b99" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/55e1465ba79562a191708a40eeae3f8082a209e3" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/fc629224aa62f23849cae83717932985ac51232d" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/8a05a6952ecd59aaa62cbdcdaf523ae2c8f436e8" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/234c0132f76f0676d175757f61b0025191a3d935" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/3a8751c0d4e24129e72dcec0139e99833b13904a" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/7aa8104a554713b685db729e66511b93d989dd6a" |
| } |
| ], |
| "title": "ata: sata_dwc_460ex: Fix crash due to OOB write", |
| "x_generator": { |
| "engine": "bippy-1.2.0" |
| } |
| } |
| }, |
| "cveMetadata": { |
| "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038", |
| "cveID": "CVE-2022-49073", |
| "requesterUserId": "gregkh@kernel.org", |
| "serial": "1", |
| "state": "PUBLISHED" |
| }, |
| "dataType": "CVE_RECORD", |
| "dataVersion": "5.0" |
| } |
