Google Git
Sign in
kernel / pub / scm / linux / security / vulns / refs/heads/sasha-vulnerable / . / cve / published / 2022 / CVE-2022-49592.mbox
blob: 1cd26140d9451ea01a1c1fcb6c03fd77c3a3e5a5 [file] [log] [blame]
From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: <linux-cve-announce@vger.kernel.org>
Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
Subject: CVE-2022-49592: net: stmmac: fix dma queue left shift overflow issue
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
net: stmmac: fix dma queue left shift overflow issue
When queue number is > 4, left shift overflows due to 32 bits
integer variable. Mask calculation is wrong for MTL_RXQ_DMA_MAP1.
If CONFIG_UBSAN is enabled, kernel dumps below warning:
[ 10.363842] ==================================================================
[ 10.363882] UBSAN: shift-out-of-bounds in /build/linux-intel-iotg-5.15-8e6Tf4/
linux-intel-iotg-5.15-5.15.0/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c:224:12
[ 10.363929] shift exponent 40 is too large for 32-bit type 'unsigned int'
[ 10.363953] CPU: 1 PID: 599 Comm: NetworkManager Not tainted 5.15.0-1003-intel-iotg
[ 10.363956] Hardware name: ADLINK Technology Inc. LEC-EL/LEC-EL, BIOS 0.15.11 12/22/2021
[ 10.363958] Call Trace:
[ 10.363960] <TASK>
[ 10.363963] dump_stack_lvl+0x4a/0x5f
[ 10.363971] dump_stack+0x10/0x12
[ 10.363974] ubsan_epilogue+0x9/0x45
[ 10.363976] __ubsan_handle_shift_out_of_bounds.cold+0x61/0x10e
[ 10.363979] ? wake_up_klogd+0x4a/0x50
[ 10.363983] ? vprintk_emit+0x8f/0x240
[ 10.363986] dwmac4_map_mtl_dma.cold+0x42/0x91 [stmmac]
[ 10.364001] stmmac_mtl_configuration+0x1ce/0x7a0 [stmmac]
[ 10.364009] ? dwmac410_dma_init_channel+0x70/0x70 [stmmac]
[ 10.364020] stmmac_hw_setup.cold+0xf/0xb14 [stmmac]
[ 10.364030] ? page_pool_alloc_pages+0x4d/0x70
[ 10.364034] ? stmmac_clear_tx_descriptors+0x6e/0xe0 [stmmac]
[ 10.364042] stmmac_open+0x39e/0x920 [stmmac]
[ 10.364050] __dev_open+0xf0/0x1a0
[ 10.364054] __dev_change_flags+0x188/0x1f0
[ 10.364057] dev_change_flags+0x26/0x60
[ 10.364059] do_setlink+0x908/0xc40
[ 10.364062] ? do_setlink+0xb10/0xc40
[ 10.364064] ? __nla_validate_parse+0x4c/0x1a0
[ 10.364068] __rtnl_newlink+0x597/0xa10
[ 10.364072] ? __nla_reserve+0x41/0x50
[ 10.364074] ? __kmalloc_node_track_caller+0x1d0/0x4d0
[ 10.364079] ? pskb_expand_head+0x75/0x310
[ 10.364082] ? nla_reserve_64bit+0x21/0x40
[ 10.364086] ? skb_free_head+0x65/0x80
[ 10.364089] ? security_sock_rcv_skb+0x2c/0x50
[ 10.364094] ? __cond_resched+0x19/0x30
[ 10.364097] ? kmem_cache_alloc_trace+0x15a/0x420
[ 10.364100] rtnl_newlink+0x49/0x70
This change fixes MTL_RXQ_DMA_MAP1 mask issue and channel/queue
mapping warning.
BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=216195
The Linux kernel CVE team has assigned CVE-2022-49592 to this issue.
Affected and fixed versions
===========================
Issue introduced in 4.12 with commit d43042f4da3e1c2e4ccac3b1d9153cb0798533a4 and fixed in 4.14.290 with commit ad2febdfbd01e1d092a08bfdba92ede79ea05ff3
Issue introduced in 4.12 with commit d43042f4da3e1c2e4ccac3b1d9153cb0798533a4 and fixed in 4.19.254 with commit 508d86ead36cbd8dfb60773a33276790d668c473
Issue introduced in 4.12 with commit d43042f4da3e1c2e4ccac3b1d9153cb0798533a4 and fixed in 5.4.208 with commit 573768dede0e2b7de38ecbc11cb3ee47643902dc
Issue introduced in 4.12 with commit d43042f4da3e1c2e4ccac3b1d9153cb0798533a4 and fixed in 5.10.134 with commit a3ac79f38d354b10925824899cdbd2caadce55ba
Issue introduced in 4.12 with commit d43042f4da3e1c2e4ccac3b1d9153cb0798533a4 and fixed in 5.15.58 with commit 7c687a893f5cae5ca40d189635602e93af9bab73
Issue introduced in 4.12 with commit d43042f4da3e1c2e4ccac3b1d9153cb0798533a4 and fixed in 5.18.15 with commit e846bde09677fa3b203057846620b7ed96540f5f
Issue introduced in 4.12 with commit d43042f4da3e1c2e4ccac3b1d9153cb0798533a4 and fixed in 5.19 with commit 613b065ca32e90209024ec4a6bb5ca887ee70980
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2022-49592
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/ad2febdfbd01e1d092a08bfdba92ede79ea05ff3
https://git.kernel.org/stable/c/508d86ead36cbd8dfb60773a33276790d668c473
https://git.kernel.org/stable/c/573768dede0e2b7de38ecbc11cb3ee47643902dc
https://git.kernel.org/stable/c/a3ac79f38d354b10925824899cdbd2caadce55ba
https://git.kernel.org/stable/c/7c687a893f5cae5ca40d189635602e93af9bab73
https://git.kernel.org/stable/c/e846bde09677fa3b203057846620b7ed96540f5f
https://git.kernel.org/stable/c/613b065ca32e90209024ec4a6bb5ca887ee70980