CVE-2022-49073
Published: 26 February 2025
Description
In the Linux kernel, the following vulnerability has been resolved: ata: sata_dwc_460ex: Fix crash due to OOB write the driver uses libata's "tag" values from in various arrays. Since the mentioned patch bumped the ATA_TAG_INTERNAL to 32, the value of the SATA_DWC_QCMD_MAX needs to account for that. Otherwise ATA_TAG_INTERNAL usage cause similar crashes like this as reported by Tice Rex on the OpenWrt Forum and reproduced (with symbols) here: | BUG: Kernel NULL pointer dereference at 0x00000000 | Faulting instruction address: 0xc03ed4b8 | Oops: Kernel access of bad area, sig: 11 [#1] | BE PAGE_SIZE=4K PowerPC 44x Platform | CPU: 0 PID: 362 Comm: scsi_eh_1 Not tainted 5.4.163 #0 | NIP: c03ed4b8 LR: c03d27e8 CTR: c03ed36c | REGS: cfa59950 TRAP: 0300 Not tainted (5.4.163) | MSR: 00021000 <CE,ME> CR: 42000222 XER: 00000000 | DEAR: 00000000 ESR: 00000000 | GPR00: c03d27e8 cfa59a08 cfa55fe0 00000000 0fa46bc0 [...] | [..] | NIP [c03ed4b8] sata_dwc_qc_issue+0x14c/0x254 | LR [c03d27e8] ata_qc_issue+0x1c8/0x2dc | Call Trace: | [cfa59a08] [c003f4e0] __cancel_work_timer+0x124/0x194 (unreliable) | [cfa59a78] [c03d27e8] ata_qc_issue+0x1c8/0x2dc | [cfa59a98] [c03d2b3c] ata_exec_internal_sg+0x240/0x524 | [cfa59b08] [c03d2e98] ata_exec_internal+0x78/0xe0 | [cfa59b58] [c03d30fc] ata_read_log_page.part.38+0x1dc/0x204 | [cfa59bc8] [c03d324c] ata_identify_page_supported+0x68/0x130 | [...] This is because sata_dwc_dma_xfer_complete() NULLs the dma_pending's next neighbour "chan" (a *dma_chan struct) in this '32' case right here (line ~735): > hsdevp->dma_pending[tag] = SATA_DWC_DMA_PENDING_NONE; Then the next time, a dma gets issued; dma_dwc_xfer_setup() passes the NULL'd hsdevp->chan to the dmaengine_slave_config() which then causes the crash. With this patch, SATA_DWC_QCMD_MAX is now set to ATA_MAX_QUEUE + 1. This avoids the OOB. But please note, there was a worthwhile discussion on what ATA_TAG_INTERNAL and ATA_MAX_QUEUE is. And why there should not be a "fake" 33 command-long queue size. Ideally, the dw driver should account for the ATA_TAG_INTERNAL. In Damien Le Moal's words: "... having looked at the driver, it is a bigger change than just faking a 33rd "tag" that is in fact not a command tag at all." BugLink: https://github.com/openwrt/openwrt/issues/9505
Security Summary
CVE-2022-49073 is an out-of-bounds write vulnerability in the Linux kernel's sata_dwc_460ex driver, part of the ATA subsystem. The issue arises because the driver uses libata's tag values in arrays without accounting for a patch that increased ATA_TAG_INTERNAL to 32, causing the SATA_DWC_QCMD_MAX value to be insufficient. This leads to out-of-bounds access, such as overwriting a dma_chan pointer with NULL in sata_dwc_dma_xfer_complete(), followed by a kernel NULL pointer dereference crash during subsequent DMA operations like dmaengine_slave_config().
A local attacker with low privileges (PR:L) can exploit this vulnerability with low attack complexity and no user interaction, as indicated by the CVSS 3.1 score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Exploitation triggers a kernel oops or panic, such as the reported NULL pointer dereference in sata_dwc_qc_issue() on PowerPC 44x platforms running kernel 5.4.163, resulting in denial of service. The high impacts on confidentiality, integrity, and availability suggest potential for broader kernel memory corruption.
Kernel stable patches resolve the vulnerability by setting SATA_DWC_QCMD_MAX to ATA_MAX_QUEUE + 1, preventing the out-of-bounds write while noting that a more comprehensive fix for the driver to properly handle ATA_TAG_INTERNAL is preferable. Relevant commits include 234c0132f76f0676d175757f61b0025191a3d935, 3a8751c0d4e24129e72dcec0139e99833b13904a, 55e1465ba79562a191708a40eeae3f8082a209e3, 596c7efd69aae94f4b0e91172b075eb197958b99, and 7aa8104a554713b685db729e66511b93d989dd6a, available via git.kernel.org/stable.
The vulnerability was reported by Tice Rex on the OpenWrt Forum and documented in https://github.com/openwrt/openwrt/issues/9505, with reproduction on affected PowerPC systems. It aligns with CWE-787 (Out-of-Bounds Write) and was published on 2025-02-26.
Details
- CWE(s)