{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2022-49073","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-02-26T01:49:39.245Z","datePublished":"2025-02-26T01:54:37.804Z","dateUpdated":"2025-05-04T08:29:08.797Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-05-04T08:29:08.797Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nata: sata_dwc_460ex: Fix crash due to OOB write\n\nthe driver uses libata's \"tag\" values from in various arrays.\nSince the mentioned patch bumped the ATA_TAG_INTERNAL to 32,\nthe value of the SATA_DWC_QCMD_MAX needs to account for that.\n\nOtherwise ATA_TAG_INTERNAL usage cause similar crashes like\nthis as reported by Tice Rex on the OpenWrt Forum and\nreproduced (with symbols) here:\n\n| BUG: Kernel NULL pointer dereference at 0x00000000\n| Faulting instruction address: 0xc03ed4b8\n| Oops: Kernel access of bad area, sig: 11 [#1]\n| BE PAGE_SIZE=4K PowerPC 44x Platform\n| CPU: 0 PID: 362 Comm: scsi_eh_1 Not tainted 5.4.163 #0\n| NIP:  c03ed4b8 LR: c03d27e8 CTR: c03ed36c\n| REGS: cfa59950 TRAP: 0300   Not tainted  (5.4.163)\n| MSR:  00021000 <CE,ME>  CR: 42000222  XER: 00000000\n| DEAR: 00000000 ESR: 00000000\n| GPR00: c03d27e8 cfa59a08 cfa55fe0 00000000 0fa46bc0 [...]\n| [..]\n| NIP [c03ed4b8] sata_dwc_qc_issue+0x14c/0x254\n| LR [c03d27e8] ata_qc_issue+0x1c8/0x2dc\n| Call Trace:\n| [cfa59a08] [c003f4e0] __cancel_work_timer+0x124/0x194 (unreliable)\n| [cfa59a78] [c03d27e8] ata_qc_issue+0x1c8/0x2dc\n| [cfa59a98] [c03d2b3c] ata_exec_internal_sg+0x240/0x524\n| [cfa59b08] [c03d2e98] ata_exec_internal+0x78/0xe0\n| [cfa59b58] [c03d30fc] ata_read_log_page.part.38+0x1dc/0x204\n| [cfa59bc8] [c03d324c] ata_identify_page_supported+0x68/0x130\n| [...]\n\nThis is because sata_dwc_dma_xfer_complete() NULLs the\ndma_pending's next neighbour \"chan\" (a *dma_chan struct) in\nthis '32' case right here (line ~735):\n> hsdevp->dma_pending[tag] = SATA_DWC_DMA_PENDING_NONE;\n\nThen the next time, a dma gets issued; dma_dwc_xfer_setup() passes\nthe NULL'd hsdevp->chan to the dmaengine_slave_config() which then\ncauses the crash.\n\nWith this patch, SATA_DWC_QCMD_MAX is now set to ATA_MAX_QUEUE + 1.\nThis avoids the OOB. But please note, there was a worthwhile discussion\non what ATA_TAG_INTERNAL and ATA_MAX_QUEUE is. And why there should not\nbe a \"fake\" 33 command-long queue size.\n\nIdeally, the dw driver should account for the ATA_TAG_INTERNAL.\nIn Damien Le Moal's words: \"... having looked at the driver, it\nis a bigger change than just faking a 33rd \"tag\" that is in fact\nnot a command tag at all.\"\n\nBugLink: https://github.com/openwrt/openwrt/issues/9505"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/ata/sata_dwc_460ex.c"],"versions":[{"version":"28361c403683c2b00d4f5e76045f3ccd299bf99d","lessThan":"596c7efd69aae94f4b0e91172b075eb197958b99","status":"affected","versionType":"git"},{"version":"28361c403683c2b00d4f5e76045f3ccd299bf99d","lessThan":"55e1465ba79562a191708a40eeae3f8082a209e3","status":"affected","versionType":"git"},{"version":"28361c403683c2b00d4f5e76045f3ccd299bf99d","lessThan":"fc629224aa62f23849cae83717932985ac51232d","status":"affected","versionType":"git"},{"version":"28361c403683c2b00d4f5e76045f3ccd299bf99d","lessThan":"8a05a6952ecd59aaa62cbdcdaf523ae2c8f436e8","status":"affected","versionType":"git"},{"version":"28361c403683c2b00d4f5e76045f3ccd299bf99d","lessThan":"234c0132f76f0676d175757f61b0025191a3d935","status":"affected","versionType":"git"},{"version":"28361c403683c2b00d4f5e76045f3ccd299bf99d","lessThan":"3a8751c0d4e24129e72dcec0139e99833b13904a","status":"affected","versionType":"git"},{"version":"28361c403683c2b00d4f5e76045f3ccd299bf99d","lessThan":"7aa8104a554713b685db729e66511b93d989dd6a","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/ata/sata_dwc_460ex.c"],"versions":[{"version":"4.18","status":"affected"},{"version":"0","lessThan":"4.18","status":"unaffected","versionType":"semver"},{"version":"4.19.238","lessThanOrEqual":"4.19.*","status":"unaffected","versionType":"semver"},{"version":"5.4.189","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.111","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.34","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"5.16.20","lessThanOrEqual":"5.16.*","status":"unaffected","versionType":"semver"},{"version":"5.17.3","lessThanOrEqual":"5.17.*","status":"unaffected","versionType":"semver"},{"version":"5.18","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.18","versionEndExcluding":"4.19.238"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.18","versionEndExcluding":"5.4.189"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.18","versionEndExcluding":"5.10.111"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.18","versionEndExcluding":"5.15.34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.18","versionEndExcluding":"5.16.20"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.18","versionEndExcluding":"5.17.3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.18","versionEndExcluding":"5.18"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/596c7efd69aae94f4b0e91172b075eb197958b99"},{"url":"https://git.kernel.org/stable/c/55e1465ba79562a191708a40eeae3f8082a209e3"},{"url":"https://git.kernel.org/stable/c/fc629224aa62f23849cae83717932985ac51232d"},{"url":"https://git.kernel.org/stable/c/8a05a6952ecd59aaa62cbdcdaf523ae2c8f436e8"},{"url":"https://git.kernel.org/stable/c/234c0132f76f0676d175757f61b0025191a3d935"},{"url":"https://git.kernel.org/stable/c/3a8751c0d4e24129e72dcec0139e99833b13904a"},{"url":"https://git.kernel.org/stable/c/7aa8104a554713b685db729e66511b93d989dd6a"}],"title":"ata: sata_dwc_460ex: Fix crash due to OOB write","x_generator":{"engine":"bippy-1.2.0"}}}}