CVE-2022-48980 (GCVE-0-2022-48980)

Vulnerability from cvelistv5 – Published: 2024-10-21 20:05 – Updated: 2026-05-11 18:50
VLAI
Title
net: dsa: sja1105: avoid out of bounds access in sja1105_init_l2_policing()
Summary
In the Linux kernel, the following vulnerability has been resolved: net: dsa: sja1105: avoid out of bounds access in sja1105_init_l2_policing() The SJA1105 family has 45 L2 policing table entries (SJA1105_MAX_L2_POLICING_COUNT) and SJA1110 has 110 (SJA1110_MAX_L2_POLICING_COUNT). Keeping the table structure but accounting for the difference in port count (5 in SJA1105 vs 10 in SJA1110) does not fully explain the difference. Rather, the SJA1110 also has L2 ingress policers for multicast traffic. If a packet is classified as multicast, it will be processed by the policer index 99 + SRCPORT. The sja1105_init_l2_policing() function initializes all L2 policers such that they don't interfere with normal packet reception by default. To have a common code between SJA1105 and SJA1110, the index of the multicast policer for the port is calculated because it's an index that is out of bounds for SJA1105 but in bounds for SJA1110, and a bounds check is performed. The code fails to do the proper thing when determining what to do with the multicast policer of port 0 on SJA1105 (ds->num_ports = 5). The "mcast" index will be equal to 45, which is also equal to table->ops->max_entry_count (SJA1105_MAX_L2_POLICING_COUNT). So it passes through the check. But at the same time, SJA1105 doesn't have multicast policers. So the code programs the SHARINDX field of an out-of-bounds element in the L2 Policing table of the static config. The comparison between index 45 and 45 entries should have determined the code to not access this policer index on SJA1105, since its memory wasn't even allocated. With enough bad luck, the out-of-bounds write could even overwrite other valid kernel data, but in this case, the issue was detected using KASAN. Kernel log: sja1105 spi5.0: Probed switch chip: SJA1105Q ================================================================== BUG: KASAN: slab-out-of-bounds in sja1105_setup+0x1cbc/0x2340 Write of size 8 at addr ffffff880bd57708 by task kworker/u8:0/8 ... Workqueue: events_unbound deferred_probe_work_func Call trace: ... sja1105_setup+0x1cbc/0x2340 dsa_register_switch+0x1284/0x18d0 sja1105_probe+0x748/0x840 ... Allocated by task 8: ... sja1105_setup+0x1bcc/0x2340 dsa_register_switch+0x1284/0x18d0 sja1105_probe+0x748/0x840 ...
Severity
No CVSS data available.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 38fbe91f2287c696f290d9115901aa435f7166a8 , < 5e88c6f4aaa70c542e59e5a9d2244bcc99cd245d (git)
Affected: 38fbe91f2287c696f290d9115901aa435f7166a8 , < 147f3e3d84054117ae6b9bf317ec4fda9f991192 (git)
Affected: 38fbe91f2287c696f290d9115901aa435f7166a8 , < f8bac7f9fdb0017b32157957ffffd490f95faa07 (git)
Create a notification for this product.
Linux Linux Affected: 5.14
Unaffected: 0 , < 5.14 (semver)
Unaffected: 5.15.83 , ≤ 5.15.* (semver)
Unaffected: 6.0.13 , ≤ 6.0.* (semver)
Unaffected: 6.1 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-48980",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-22T13:17:58.670522Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-22T13:18:43.887Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/dsa/sja1105/sja1105_main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "5e88c6f4aaa70c542e59e5a9d2244bcc99cd245d",
              "status": "affected",
              "version": "38fbe91f2287c696f290d9115901aa435f7166a8",
              "versionType": "git"
            },
            {
              "lessThan": "147f3e3d84054117ae6b9bf317ec4fda9f991192",
              "status": "affected",
              "version": "38fbe91f2287c696f290d9115901aa435f7166a8",
              "versionType": "git"
            },
            {
              "lessThan": "f8bac7f9fdb0017b32157957ffffd490f95faa07",
              "status": "affected",
              "version": "38fbe91f2287c696f290d9115901aa435f7166a8",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/dsa/sja1105/sja1105_main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.14"
            },
            {
              "lessThan": "5.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.83",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.0.*",
              "status": "unaffected",
              "version": "6.0.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.83",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0.13",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: sja1105: avoid out of bounds access in sja1105_init_l2_policing()\n\nThe SJA1105 family has 45 L2 policing table entries\n(SJA1105_MAX_L2_POLICING_COUNT) and SJA1110 has 110\n(SJA1110_MAX_L2_POLICING_COUNT). Keeping the table structure but\naccounting for the difference in port count (5 in SJA1105 vs 10 in\nSJA1110) does not fully explain the difference. Rather, the SJA1110 also\nhas L2 ingress policers for multicast traffic. If a packet is classified\nas multicast, it will be processed by the policer index 99 + SRCPORT.\n\nThe sja1105_init_l2_policing() function initializes all L2 policers such\nthat they don\u0027t interfere with normal packet reception by default. To have\na common code between SJA1105 and SJA1110, the index of the multicast\npolicer for the port is calculated because it\u0027s an index that is out of\nbounds for SJA1105 but in bounds for SJA1110, and a bounds check is\nperformed.\n\nThe code fails to do the proper thing when determining what to do with the\nmulticast policer of port 0 on SJA1105 (ds-\u003enum_ports = 5). The \"mcast\"\nindex will be equal to 45, which is also equal to\ntable-\u003eops-\u003emax_entry_count (SJA1105_MAX_L2_POLICING_COUNT). So it passes\nthrough the check. But at the same time, SJA1105 doesn\u0027t have multicast\npolicers. So the code programs the SHARINDX field of an out-of-bounds\nelement in the L2 Policing table of the static config.\n\nThe comparison between index 45 and 45 entries should have determined the\ncode to not access this policer index on SJA1105, since its memory wasn\u0027t\neven allocated.\n\nWith enough bad luck, the out-of-bounds write could even overwrite other\nvalid kernel data, but in this case, the issue was detected using KASAN.\n\nKernel log:\n\nsja1105 spi5.0: Probed switch chip: SJA1105Q\n==================================================================\nBUG: KASAN: slab-out-of-bounds in sja1105_setup+0x1cbc/0x2340\nWrite of size 8 at addr ffffff880bd57708 by task kworker/u8:0/8\n...\nWorkqueue: events_unbound deferred_probe_work_func\nCall trace:\n...\nsja1105_setup+0x1cbc/0x2340\ndsa_register_switch+0x1284/0x18d0\nsja1105_probe+0x748/0x840\n...\nAllocated by task 8:\n...\nsja1105_setup+0x1bcc/0x2340\ndsa_register_switch+0x1284/0x18d0\nsja1105_probe+0x748/0x840\n..."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T18:50:52.593Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/5e88c6f4aaa70c542e59e5a9d2244bcc99cd245d"
        },
        {
          "url": "https://git.kernel.org/stable/c/147f3e3d84054117ae6b9bf317ec4fda9f991192"
        },
        {
          "url": "https://git.kernel.org/stable/c/f8bac7f9fdb0017b32157957ffffd490f95faa07"
        }
      ],
      "title": "net: dsa: sja1105: avoid out of bounds access in sja1105_init_l2_policing()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-48980",
    "datePublished": "2024-10-21T20:05:58.373Z",
    "dateReserved": "2024-08-22T01:27:53.632Z",
    "dateUpdated": "2026-05-11T18:50:52.593Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2022-48980",
      "date": "2026-06-17",
      "epss": "0.00245",
      "percentile": "0.1548"
    },
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"5.14\", \"versionEndExcluding\": \"5.15.83\", \"matchCriteriaId\": \"0CB0CF0B-86CE-444B-829F-234C83EB7764\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"5.16\", \"versionEndExcluding\": \"6.0.13\", \"matchCriteriaId\": \"389392A7-81C4-4C26-884B-8C7CF0F53DA4\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:linux:linux_kernel:6.1:rc1:*:*:*:*:*:*\", \"matchCriteriaId\": \"E7E331DA-1FB0-4DEC-91AC-7DA69D461C11\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:linux:linux_kernel:6.1:rc2:*:*:*:*:*:*\", \"matchCriteriaId\": \"17F0B248-42CF-4AE6-A469-BB1BAE7F4705\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:linux:linux_kernel:6.1:rc3:*:*:*:*:*:*\", \"matchCriteriaId\": \"E2422816-0C14-4B5E-A1E6-A9D776E5C49B\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:linux:linux_kernel:6.1:rc4:*:*:*:*:*:*\", \"matchCriteriaId\": \"1C6E00FE-5FB9-4D20-A1A1-5A32128F9B76\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:linux:linux_kernel:6.1:rc5:*:*:*:*:*:*\", \"matchCriteriaId\": \"35B26BE4-43A6-4A36-A7F6-5B3F572D9186\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:linux:linux_kernel:6.1:rc6:*:*:*:*:*:*\", \"matchCriteriaId\": \"3FFFB0B3-930D-408A-91E2-BAE0C2715D80\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:linux:linux_kernel:6.1:rc7:*:*:*:*:*:*\", \"matchCriteriaId\": \"8535320E-A0DB-4277-800E-D0CE5BBA59E8\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:linux:linux_kernel:6.1:rc8:*:*:*:*:*:*\", \"matchCriteriaId\": \"21718AA4-4056-40F2-968E-BDAA465A7872\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: dsa: sja1105: avoid out of bounds access in sja1105_init_l2_policing()\\n\\nThe SJA1105 family has 45 L2 policing table entries\\n(SJA1105_MAX_L2_POLICING_COUNT) and SJA1110 has 110\\n(SJA1110_MAX_L2_POLICING_COUNT). Keeping the table structure but\\naccounting for the difference in port count (5 in SJA1105 vs 10 in\\nSJA1110) does not fully explain the difference. Rather, the SJA1110 also\\nhas L2 ingress policers for multicast traffic. If a packet is classified\\nas multicast, it will be processed by the policer index 99 + SRCPORT.\\n\\nThe sja1105_init_l2_policing() function initializes all L2 policers such\\nthat they don\u0027t interfere with normal packet reception by default. To have\\na common code between SJA1105 and SJA1110, the index of the multicast\\npolicer for the port is calculated because it\u0027s an index that is out of\\nbounds for SJA1105 but in bounds for SJA1110, and a bounds check is\\nperformed.\\n\\nThe code fails to do the proper thing when determining what to do with the\\nmulticast policer of port 0 on SJA1105 (ds-\u003enum_ports = 5). The \\\"mcast\\\"\\nindex will be equal to 45, which is also equal to\\ntable-\u003eops-\u003emax_entry_count (SJA1105_MAX_L2_POLICING_COUNT). So it passes\\nthrough the check. But at the same time, SJA1105 doesn\u0027t have multicast\\npolicers. So the code programs the SHARINDX field of an out-of-bounds\\nelement in the L2 Policing table of the static config.\\n\\nThe comparison between index 45 and 45 entries should have determined the\\ncode to not access this policer index on SJA1105, since its memory wasn\u0027t\\neven allocated.\\n\\nWith enough bad luck, the out-of-bounds write could even overwrite other\\nvalid kernel data, but in this case, the issue was detected using KASAN.\\n\\nKernel log:\\n\\nsja1105 spi5.0: Probed switch chip: SJA1105Q\\n==================================================================\\nBUG: KASAN: slab-out-of-bounds in sja1105_setup+0x1cbc/0x2340\\nWrite of size 8 at addr ffffff880bd57708 by task kworker/u8:0/8\\n...\\nWorkqueue: events_unbound deferred_probe_work_func\\nCall trace:\\n...\\nsja1105_setup+0x1cbc/0x2340\\ndsa_register_switch+0x1284/0x18d0\\nsja1105_probe+0x748/0x840\\n...\\nAllocated by task 8:\\n...\\nsja1105_setup+0x1bcc/0x2340\\ndsa_register_switch+0x1284/0x18d0\\nsja1105_probe+0x748/0x840\\n...\"}, {\"lang\": \"es\", \"value\": \"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: dsa: sja1105: evitar acceso fuera de los l\\u00edmites en sja1105_init_l2_policing() La familia SJA1105 tiene 45 entradas de tabla de control de L2 (SJA1105_MAX_L2_POLICING_COUNT) y SJA1110 tiene 110 (SJA1110_MAX_L2_POLICING_COUNT). Mantener la estructura de la tabla pero tener en cuenta la diferencia en el recuento de puertos (5 en SJA1105 frente a 10 en SJA1110) no explica completamente la diferencia. En cambio, SJA1110 tambi\\u00e9n tiene controladores de ingreso de L2 para tr\\u00e1fico de multidifusi\\u00f3n. Si un paquete se clasifica como de multidifusi\\u00f3n, ser\\u00e1 procesado por el \\u00edndice de controlador 99 + SRCPORT. La funci\\u00f3n sja1105_init_l2_policing() inicializa todos los controladores de L2 de modo que no interfieran con la recepci\\u00f3n normal de paquetes de forma predeterminada. Para tener un c\\u00f3digo com\\u00fan entre SJA1105 y SJA1110, se calcula el \\u00edndice del controlador de multidifusi\\u00f3n para el puerto porque es un \\u00edndice que est\\u00e1 fuera de los l\\u00edmites para SJA1105 pero dentro de los l\\u00edmites para SJA1110, y se realiza una comprobaci\\u00f3n de los l\\u00edmites. El c\\u00f3digo no hace lo correcto al determinar qu\\u00e9 hacer con el controlador de multidifusi\\u00f3n del puerto 0 en SJA1105 (ds-\u0026gt;num_ports = 5). El \\u00edndice \\\"mcast\\\" ser\\u00e1 igual a 45, que tambi\\u00e9n es igual a table-\u0026gt;ops-\u0026gt;max_entry_count (SJA1105_MAX_L2_POLICING_COUNT). Por lo tanto, pasa por la comprobaci\\u00f3n. Pero al mismo tiempo, SJA1105 no tiene controladores de multidifusi\\u00f3n. Por lo tanto, el c\\u00f3digo programa el campo SHARINDX de un elemento fuera de los l\\u00edmites en la tabla de control L2 de la configuraci\\u00f3n est\\u00e1tica. La comparaci\\u00f3n entre las entradas del \\u00edndice 45 y 45 deber\\u00eda haber determinado que el c\\u00f3digo no accediera a este \\u00edndice de control en SJA1105, ya que su memoria ni siquiera estaba asignada. Con suficiente mala suerte, la escritura fuera de los l\\u00edmites podr\\u00eda incluso sobrescribir otros datos v\\u00e1lidos del kernel, pero en este caso, el problema se detect\\u00f3 mediante KASAN. Registro del n\\u00facleo: sja1105 spi5.0: Chip conmutador sondeado: SJA1105Q ===================================================================== ERROR: KASAN: slab fuera de los l\\u00edmites en sja1105_setup+0x1cbc/0x2340 Escritura de tama\\u00f1o 8 en la direcci\\u00f3n ffffff880bd57708 por la tarea kworker/u8:0/8 ... Cola de trabajo: events_unbound deferred_probe_work_func Rastreo de llamadas: ... sja1105_setup+0x1cbc/0x2340 dsa_register_switch+0x1284/0x18d0 sja1105_probe+0x748/0x840 ... Asignado por la tarea 8: ... sja1105_setup+0x1bcc/0x2340 dsa_register_switch+0x1284/0x18d0 sja1105_probe+0x748/0x840 ...\"}]",
      "id": "CVE-2022-48980",
      "lastModified": "2024-10-25T18:36:00.703",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 7.8, \"baseSeverity\": \"HIGH\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 1.8, \"impactScore\": 5.9}]}",
      "published": "2024-10-21T20:15:10.037",
      "references": "[{\"url\": \"https://git.kernel.org/stable/c/147f3e3d84054117ae6b9bf317ec4fda9f991192\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"tags\": [\"Patch\"]}, {\"url\": \"https://git.kernel.org/stable/c/5e88c6f4aaa70c542e59e5a9d2244bcc99cd245d\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"tags\": [\"Patch\"]}, {\"url\": \"https://git.kernel.org/stable/c/f8bac7f9fdb0017b32157957ffffd490f95faa07\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"tags\": [\"Patch\"]}]",
      "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "vulnStatus": "Analyzed",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-787\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-48980\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-10-21T20:15:10.037\",\"lastModified\":\"2024-10-25T18:36:00.703\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: dsa: sja1105: avoid out of bounds access in sja1105_init_l2_policing()\\n\\nThe SJA1105 family has 45 L2 policing table entries\\n(SJA1105_MAX_L2_POLICING_COUNT) and SJA1110 has 110\\n(SJA1110_MAX_L2_POLICING_COUNT). Keeping the table structure but\\naccounting for the difference in port count (5 in SJA1105 vs 10 in\\nSJA1110) does not fully explain the difference. Rather, the SJA1110 also\\nhas L2 ingress policers for multicast traffic. If a packet is classified\\nas multicast, it will be processed by the policer index 99 + SRCPORT.\\n\\nThe sja1105_init_l2_policing() function initializes all L2 policers such\\nthat they don\u0027t interfere with normal packet reception by default. To have\\na common code between SJA1105 and SJA1110, the index of the multicast\\npolicer for the port is calculated because it\u0027s an index that is out of\\nbounds for SJA1105 but in bounds for SJA1110, and a bounds check is\\nperformed.\\n\\nThe code fails to do the proper thing when determining what to do with the\\nmulticast policer of port 0 on SJA1105 (ds-\u003enum_ports = 5). The \\\"mcast\\\"\\nindex will be equal to 45, which is also equal to\\ntable-\u003eops-\u003emax_entry_count (SJA1105_MAX_L2_POLICING_COUNT). So it passes\\nthrough the check. But at the same time, SJA1105 doesn\u0027t have multicast\\npolicers. So the code programs the SHARINDX field of an out-of-bounds\\nelement in the L2 Policing table of the static config.\\n\\nThe comparison between index 45 and 45 entries should have determined the\\ncode to not access this policer index on SJA1105, since its memory wasn\u0027t\\neven allocated.\\n\\nWith enough bad luck, the out-of-bounds write could even overwrite other\\nvalid kernel data, but in this case, the issue was detected using KASAN.\\n\\nKernel log:\\n\\nsja1105 spi5.0: Probed switch chip: SJA1105Q\\n==================================================================\\nBUG: KASAN: slab-out-of-bounds in sja1105_setup+0x1cbc/0x2340\\nWrite of size 8 at addr ffffff880bd57708 by task kworker/u8:0/8\\n...\\nWorkqueue: events_unbound deferred_probe_work_func\\nCall trace:\\n...\\nsja1105_setup+0x1cbc/0x2340\\ndsa_register_switch+0x1284/0x18d0\\nsja1105_probe+0x748/0x840\\n...\\nAllocated by task 8:\\n...\\nsja1105_setup+0x1bcc/0x2340\\ndsa_register_switch+0x1284/0x18d0\\nsja1105_probe+0x748/0x840\\n...\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: dsa: sja1105: evitar acceso fuera de los l\u00edmites en sja1105_init_l2_policing() La familia SJA1105 tiene 45 entradas de tabla de control de L2 (SJA1105_MAX_L2_POLICING_COUNT) y SJA1110 tiene 110 (SJA1110_MAX_L2_POLICING_COUNT). Mantener la estructura de la tabla pero tener en cuenta la diferencia en el recuento de puertos (5 en SJA1105 frente a 10 en SJA1110) no explica completamente la diferencia. En cambio, SJA1110 tambi\u00e9n tiene controladores de ingreso de L2 para tr\u00e1fico de multidifusi\u00f3n. Si un paquete se clasifica como de multidifusi\u00f3n, ser\u00e1 procesado por el \u00edndice de controlador 99 + SRCPORT. La funci\u00f3n sja1105_init_l2_policing() inicializa todos los controladores de L2 de modo que no interfieran con la recepci\u00f3n normal de paquetes de forma predeterminada. Para tener un c\u00f3digo com\u00fan entre SJA1105 y SJA1110, se calcula el \u00edndice del controlador de multidifusi\u00f3n para el puerto porque es un \u00edndice que est\u00e1 fuera de los l\u00edmites para SJA1105 pero dentro de los l\u00edmites para SJA1110, y se realiza una comprobaci\u00f3n de los l\u00edmites. El c\u00f3digo no hace lo correcto al determinar qu\u00e9 hacer con el controlador de multidifusi\u00f3n del puerto 0 en SJA1105 (ds-\u0026gt;num_ports = 5). El \u00edndice \\\"mcast\\\" ser\u00e1 igual a 45, que tambi\u00e9n es igual a table-\u0026gt;ops-\u0026gt;max_entry_count (SJA1105_MAX_L2_POLICING_COUNT). Por lo tanto, pasa por la comprobaci\u00f3n. Pero al mismo tiempo, SJA1105 no tiene controladores de multidifusi\u00f3n. Por lo tanto, el c\u00f3digo programa el campo SHARINDX de un elemento fuera de los l\u00edmites en la tabla de control L2 de la configuraci\u00f3n est\u00e1tica. La comparaci\u00f3n entre las entradas del \u00edndice 45 y 45 deber\u00eda haber determinado que el c\u00f3digo no accediera a este \u00edndice de control en SJA1105, ya que su memoria ni siquiera estaba asignada. Con suficiente mala suerte, la escritura fuera de los l\u00edmites podr\u00eda incluso sobrescribir otros datos v\u00e1lidos del kernel, pero en este caso, el problema se detect\u00f3 mediante KASAN. Registro del n\u00facleo: sja1105 spi5.0: Chip conmutador sondeado: SJA1105Q ===================================================================== ERROR: KASAN: slab fuera de los l\u00edmites en sja1105_setup+0x1cbc/0x2340 Escritura de tama\u00f1o 8 en la direcci\u00f3n ffffff880bd57708 por la tarea kworker/u8:0/8 ... Cola de trabajo: events_unbound deferred_probe_work_func Rastreo de llamadas: ... sja1105_setup+0x1cbc/0x2340 dsa_register_switch+0x1284/0x18d0 sja1105_probe+0x748/0x840 ... Asignado por la tarea 8: ... sja1105_setup+0x1bcc/0x2340 dsa_register_switch+0x1284/0x18d0 sja1105_probe+0x748/0x840 ...\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-787\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.14\",\"versionEndExcluding\":\"5.15.83\",\"matchCriteriaId\":\"0CB0CF0B-86CE-444B-829F-234C83EB7764\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.16\",\"versionEndExcluding\":\"6.0.13\",\"matchCriteriaId\":\"389392A7-81C4-4C26-884B-8C7CF0F53DA4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.1:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"E7E331DA-1FB0-4DEC-91AC-7DA69D461C11\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.1:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"17F0B248-42CF-4AE6-A469-BB1BAE7F4705\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.1:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"E2422816-0C14-4B5E-A1E6-A9D776E5C49B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.1:rc4:*:*:*:*:*:*\",\"matchCriteriaId\":\"1C6E00FE-5FB9-4D20-A1A1-5A32128F9B76\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.1:rc5:*:*:*:*:*:*\",\"matchCriteriaId\":\"35B26BE4-43A6-4A36-A7F6-5B3F572D9186\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.1:rc6:*:*:*:*:*:*\",\"matchCriteriaId\":\"3FFFB0B3-930D-408A-91E2-BAE0C2715D80\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.1:rc7:*:*:*:*:*:*\",\"matchCriteriaId\":\"8535320E-A0DB-4277-800E-D0CE5BBA59E8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.1:rc8:*:*:*:*:*:*\",\"matchCriteriaId\":\"21718AA4-4056-40F2-968E-BDAA465A7872\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/147f3e3d84054117ae6b9bf317ec4fda9f991192\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/5e88c6f4aaa70c542e59e5a9d2244bcc99cd245d\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/f8bac7f9fdb0017b32157957ffffd490f95faa07\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-48980\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-10-22T13:17:58.670522Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-10-22T13:18:01.946Z\"}}], \"cna\": {\"title\": \"net: dsa: sja1105: avoid out of bounds access in sja1105_init_l2_policing()\", \"affected\": [{\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"38fbe91f2287c696f290d9115901aa435f7166a8\", \"lessThan\": \"5e88c6f4aaa70c542e59e5a9d2244bcc99cd245d\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"38fbe91f2287c696f290d9115901aa435f7166a8\", \"lessThan\": \"147f3e3d84054117ae6b9bf317ec4fda9f991192\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"38fbe91f2287c696f290d9115901aa435f7166a8\", \"lessThan\": \"f8bac7f9fdb0017b32157957ffffd490f95faa07\", \"versionType\": \"git\"}], \"programFiles\": [\"drivers/net/dsa/sja1105/sja1105_main.c\"], \"defaultStatus\": \"unaffected\"}, {\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"5.14\"}, {\"status\": \"unaffected\", \"version\": \"0\", \"lessThan\": \"5.14\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"5.15.83\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.15.*\"}, {\"status\": \"unaffected\", \"version\": \"6.0.13\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.0.*\"}, {\"status\": \"unaffected\", \"version\": \"6.1\", \"versionType\": \"original_commit_for_fix\", \"lessThanOrEqual\": \"*\"}], \"programFiles\": [\"drivers/net/dsa/sja1105/sja1105_main.c\"], \"defaultStatus\": \"affected\"}], \"references\": [{\"url\": \"https://git.kernel.org/stable/c/5e88c6f4aaa70c542e59e5a9d2244bcc99cd245d\"}, {\"url\": \"https://git.kernel.org/stable/c/147f3e3d84054117ae6b9bf317ec4fda9f991192\"}, {\"url\": \"https://git.kernel.org/stable/c/f8bac7f9fdb0017b32157957ffffd490f95faa07\"}], \"x_generator\": {\"engine\": \"bippy-1.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: dsa: sja1105: avoid out of bounds access in sja1105_init_l2_policing()\\n\\nThe SJA1105 family has 45 L2 policing table entries\\n(SJA1105_MAX_L2_POLICING_COUNT) and SJA1110 has 110\\n(SJA1110_MAX_L2_POLICING_COUNT). Keeping the table structure but\\naccounting for the difference in port count (5 in SJA1105 vs 10 in\\nSJA1110) does not fully explain the difference. Rather, the SJA1110 also\\nhas L2 ingress policers for multicast traffic. If a packet is classified\\nas multicast, it will be processed by the policer index 99 + SRCPORT.\\n\\nThe sja1105_init_l2_policing() function initializes all L2 policers such\\nthat they don\u0027t interfere with normal packet reception by default. To have\\na common code between SJA1105 and SJA1110, the index of the multicast\\npolicer for the port is calculated because it\u0027s an index that is out of\\nbounds for SJA1105 but in bounds for SJA1110, and a bounds check is\\nperformed.\\n\\nThe code fails to do the proper thing when determining what to do with the\\nmulticast policer of port 0 on SJA1105 (ds-\u003enum_ports = 5). The \\\"mcast\\\"\\nindex will be equal to 45, which is also equal to\\ntable-\u003eops-\u003emax_entry_count (SJA1105_MAX_L2_POLICING_COUNT). So it passes\\nthrough the check. But at the same time, SJA1105 doesn\u0027t have multicast\\npolicers. So the code programs the SHARINDX field of an out-of-bounds\\nelement in the L2 Policing table of the static config.\\n\\nThe comparison between index 45 and 45 entries should have determined the\\ncode to not access this policer index on SJA1105, since its memory wasn\u0027t\\neven allocated.\\n\\nWith enough bad luck, the out-of-bounds write could even overwrite other\\nvalid kernel data, but in this case, the issue was detected using KASAN.\\n\\nKernel log:\\n\\nsja1105 spi5.0: Probed switch chip: SJA1105Q\\n==================================================================\\nBUG: KASAN: slab-out-of-bounds in sja1105_setup+0x1cbc/0x2340\\nWrite of size 8 at addr ffffff880bd57708 by task kworker/u8:0/8\\n...\\nWorkqueue: events_unbound deferred_probe_work_func\\nCall trace:\\n...\\nsja1105_setup+0x1cbc/0x2340\\ndsa_register_switch+0x1284/0x18d0\\nsja1105_probe+0x748/0x840\\n...\\nAllocated by task 8:\\n...\\nsja1105_setup+0x1bcc/0x2340\\ndsa_register_switch+0x1284/0x18d0\\nsja1105_probe+0x748/0x840\\n...\"}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.15.83\", \"versionStartIncluding\": \"5.14\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.0.13\", \"versionStartIncluding\": \"5.14\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.1\", \"versionStartIncluding\": \"5.14\"}], \"operator\": \"OR\"}]}], \"providerMetadata\": {\"orgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"shortName\": \"Linux\", \"dateUpdated\": \"2026-05-11T18:50:52.593Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2022-48980\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-05-11T18:50:52.593Z\", \"dateReserved\": \"2024-08-22T01:27:53.632Z\", \"assignerOrgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"datePublished\": \"2024-10-21T20:05:58.373Z\", \"assignerShortName\": \"Linux\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.