fkie_cve-2022-49592
Vulnerability from fkie_nvd
Published
2025-02-26 07:01
Modified
2025-10-22 19:11
Summary
In the Linux kernel, the following vulnerability has been resolved: net: stmmac: fix dma queue left shift overflow issue When queue number is > 4, left shift overflows due to 32 bits integer variable. Mask calculation is wrong for MTL_RXQ_DMA_MAP1. If CONFIG_UBSAN is enabled, kernel dumps below warning: [ 10.363842] ================================================================== [ 10.363882] UBSAN: shift-out-of-bounds in /build/linux-intel-iotg-5.15-8e6Tf4/ linux-intel-iotg-5.15-5.15.0/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c:224:12 [ 10.363929] shift exponent 40 is too large for 32-bit type 'unsigned int' [ 10.363953] CPU: 1 PID: 599 Comm: NetworkManager Not tainted 5.15.0-1003-intel-iotg [ 10.363956] Hardware name: ADLINK Technology Inc. LEC-EL/LEC-EL, BIOS 0.15.11 12/22/2021 [ 10.363958] Call Trace: [ 10.363960] <TASK> [ 10.363963] dump_stack_lvl+0x4a/0x5f [ 10.363971] dump_stack+0x10/0x12 [ 10.363974] ubsan_epilogue+0x9/0x45 [ 10.363976] __ubsan_handle_shift_out_of_bounds.cold+0x61/0x10e [ 10.363979] ? wake_up_klogd+0x4a/0x50 [ 10.363983] ? vprintk_emit+0x8f/0x240 [ 10.363986] dwmac4_map_mtl_dma.cold+0x42/0x91 [stmmac] [ 10.364001] stmmac_mtl_configuration+0x1ce/0x7a0 [stmmac] [ 10.364009] ? dwmac410_dma_init_channel+0x70/0x70 [stmmac] [ 10.364020] stmmac_hw_setup.cold+0xf/0xb14 [stmmac] [ 10.364030] ? page_pool_alloc_pages+0x4d/0x70 [ 10.364034] ? stmmac_clear_tx_descriptors+0x6e/0xe0 [stmmac] [ 10.364042] stmmac_open+0x39e/0x920 [stmmac] [ 10.364050] __dev_open+0xf0/0x1a0 [ 10.364054] __dev_change_flags+0x188/0x1f0 [ 10.364057] dev_change_flags+0x26/0x60 [ 10.364059] do_setlink+0x908/0xc40 [ 10.364062] ? do_setlink+0xb10/0xc40 [ 10.364064] ? __nla_validate_parse+0x4c/0x1a0 [ 10.364068] __rtnl_newlink+0x597/0xa10 [ 10.364072] ? __nla_reserve+0x41/0x50 [ 10.364074] ? __kmalloc_node_track_caller+0x1d0/0x4d0 [ 10.364079] ? pskb_expand_head+0x75/0x310 [ 10.364082] ? nla_reserve_64bit+0x21/0x40 [ 10.364086] ? skb_free_head+0x65/0x80 [ 10.364089] ? security_sock_rcv_skb+0x2c/0x50 [ 10.364094] ? __cond_resched+0x19/0x30 [ 10.364097] ? kmem_cache_alloc_trace+0x15a/0x420 [ 10.364100] rtnl_newlink+0x49/0x70 This change fixes MTL_RXQ_DMA_MAP1 mask issue and channel/queue mapping warning. BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=216195



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "83D031BF-986E-4103-B5D7-AD32141428B7",
              "versionEndExcluding": "4.14.290",
              "versionStartIncluding": "4.12",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "56D38C39-4EB7-48A7-85D3-D4854AC7B3E8",
              "versionEndExcluding": "4.19.254",
              "versionStartIncluding": "4.15",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "58A5EC97-5FF0-4B0A-8074-2A5A57644D59",
              "versionEndExcluding": "5.4.208",
              "versionStartIncluding": "4.20",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "4B697B47-6B36-47E0-95DC-054EC4633DEA",
              "versionEndExcluding": "5.10.134",
              "versionStartIncluding": "5.5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "13CF20C8-4DA9-4A21-AD13-7A5C22E5FB05",
              "versionEndExcluding": "5.15.58",
              "versionStartIncluding": "5.11",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "EAD6B571-194C-43A2-A4AB-F68F869D13BC",
              "versionEndExcluding": "5.18.15",
              "versionStartIncluding": "5.16",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:5.19:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "A8C30C2D-F82D-4D37-AB48-D76ABFBD5377",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:5.19:rc2:*:*:*:*:*:*",
              "matchCriteriaId": "BF8547FC-C849-4F1B-804B-A93AE2F04A92",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:5.19:rc3:*:*:*:*:*:*",
              "matchCriteriaId": "F3068028-F453-4A1C-B80F-3F5609ACEF60",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:5.19:rc4:*:*:*:*:*:*",
              "matchCriteriaId": "2E9C0DB0-D349-489F-A3D6-B77214E93A8A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:5.19:rc5:*:*:*:*:*:*",
              "matchCriteriaId": "1A0DE3B7-0FFB-45AA-9BD6-19870CA7C6FD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:5.19:rc6:*:*:*:*:*:*",
              "matchCriteriaId": "00AE778B-BAEE-49EB-9F84-003B73D7862A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:5.19:rc7:*:*:*:*:*:*",
              "matchCriteriaId": "C178431E-AD82-4B3D-B70F-A273A02ABD5D",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: stmmac: fix dma queue left shift overflow issue\n\nWhen queue number is \u003e 4, left shift overflows due to 32 bits\ninteger variable. Mask calculation is wrong for MTL_RXQ_DMA_MAP1.\n\nIf CONFIG_UBSAN is enabled, kernel dumps below warning:\n[   10.363842] ==================================================================\n[   10.363882] UBSAN: shift-out-of-bounds in /build/linux-intel-iotg-5.15-8e6Tf4/\nlinux-intel-iotg-5.15-5.15.0/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c:224:12\n[   10.363929] shift exponent 40 is too large for 32-bit type \u0027unsigned int\u0027\n[   10.363953] CPU: 1 PID: 599 Comm: NetworkManager Not tainted 5.15.0-1003-intel-iotg\n[   10.363956] Hardware name: ADLINK Technology Inc. LEC-EL/LEC-EL, BIOS 0.15.11 12/22/2021\n[   10.363958] Call Trace:\n[   10.363960]  \u003cTASK\u003e\n[   10.363963]  dump_stack_lvl+0x4a/0x5f\n[   10.363971]  dump_stack+0x10/0x12\n[   10.363974]  ubsan_epilogue+0x9/0x45\n[   10.363976]  __ubsan_handle_shift_out_of_bounds.cold+0x61/0x10e\n[   10.363979]  ? wake_up_klogd+0x4a/0x50\n[   10.363983]  ? vprintk_emit+0x8f/0x240\n[   10.363986]  dwmac4_map_mtl_dma.cold+0x42/0x91 [stmmac]\n[   10.364001]  stmmac_mtl_configuration+0x1ce/0x7a0 [stmmac]\n[   10.364009]  ? dwmac410_dma_init_channel+0x70/0x70 [stmmac]\n[   10.364020]  stmmac_hw_setup.cold+0xf/0xb14 [stmmac]\n[   10.364030]  ? page_pool_alloc_pages+0x4d/0x70\n[   10.364034]  ? stmmac_clear_tx_descriptors+0x6e/0xe0 [stmmac]\n[   10.364042]  stmmac_open+0x39e/0x920 [stmmac]\n[   10.364050]  __dev_open+0xf0/0x1a0\n[   10.364054]  __dev_change_flags+0x188/0x1f0\n[   10.364057]  dev_change_flags+0x26/0x60\n[   10.364059]  do_setlink+0x908/0xc40\n[   10.364062]  ? do_setlink+0xb10/0xc40\n[   10.364064]  ? __nla_validate_parse+0x4c/0x1a0\n[   10.364068]  __rtnl_newlink+0x597/0xa10\n[   10.364072]  ? __nla_reserve+0x41/0x50\n[   10.364074]  ? __kmalloc_node_track_caller+0x1d0/0x4d0\n[   10.364079]  ? pskb_expand_head+0x75/0x310\n[   10.364082]  ? nla_reserve_64bit+0x21/0x40\n[   10.364086]  ? skb_free_head+0x65/0x80\n[   10.364089]  ? security_sock_rcv_skb+0x2c/0x50\n[   10.364094]  ? __cond_resched+0x19/0x30\n[   10.364097]  ? kmem_cache_alloc_trace+0x15a/0x420\n[   10.364100]  rtnl_newlink+0x49/0x70\n\nThis change fixes MTL_RXQ_DMA_MAP1 mask issue and channel/queue\nmapping warning.\n\nBugLink: https://bugzilla.kernel.org/show_bug.cgi?id=216195"
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: stmmac: soluciona el problema de desbordamiento de desplazamiento a la izquierda de la cola DMA. Cuando el n\u00famero de cola es \u0026gt; 4, el desplazamiento a la izquierda se desborda debido a una variable entera de 32 bits. El c\u00e1lculo de la m\u00e1scara es incorrecto para MTL_RXQ_DMA_MAP1. Si CONFIG_UBSAN est\u00e1 habilitado, el kernel muestra la siguiente advertencia: [ 10.363842] ================================================================== [ 10.363882] UBSAN: shift-out-of-bounds in /build/linux-intel-iotg-5.15-8e6Tf4/ linux-intel-iotg-5.15-5.15.0/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c:224:12 [ 10.363929] shift exponent 40 is too large for 32-bit type \u0027unsigned int\u0027 [ 10.363953] CPU: 1 PID: 599 Comm: NetworkManager Not tainted 5.15.0-1003-intel-iotg [ 10.363956] Hardware name: ADLINK Technology Inc. LEC-EL/LEC-EL, BIOS 0.15.11 12/22/2021 [ 10.363958] Call Trace: [ 10.363960]  [ 10.363963] dump_stack_lvl+0x4a/0x5f [ 10.363971] dump_stack+0x10/0x12 [ 10.363974] ubsan_epilogue+0x9/0x45 [ 10.363976] __ubsan_handle_shift_out_of_bounds.cold+0x61/0x10e [ 10.363979] ? wake_up_klogd+0x4a/0x50 [ 10.363983] ? vprintk_emit+0x8f/0x240 [ 10.363986] dwmac4_map_mtl_dma.cold+0x42/0x91 [stmmac] [ 10.364001] stmmac_mtl_configuration+0x1ce/0x7a0 [stmmac] [ 10.364009] ? dwmac410_dma_init_channel+0x70/0x70 [stmmac] [ 10.364020] stmmac_hw_setup.cold+0xf/0xb14 [stmmac] [ 10.364030] ? page_pool_alloc_pages+0x4d/0x70 [ 10.364034] ? stmmac_clear_tx_descriptors+0x6e/0xe0 [stmmac] [ 10.364042] stmmac_open+0x39e/0x920 [stmmac] [ 10.364050] __dev_open+0xf0/0x1a0 [ 10.364054] __dev_change_flags+0x188/0x1f0 [ 10.364057] dev_change_flags+0x26/0x60 [ 10.364059] do_setlink+0x908/0xc40 [ 10.364062] ? do_setlink+0xb10/0xc40 [ 10.364064] ? __nla_validate_parse+0x4c/0x1a0 [ 10.364068] __rtnl_newlink+0x597/0xa10 [ 10.364072] ? __nla_reserve+0x41/0x50 [ 10.364074] ? __kmalloc_node_track_caller+0x1d0/0x4d0 [ 10.364079] ? pskb_expand_head+0x75/0x310 [ 10.364082] ? nla_reserve_64bit+0x21/0x40 [ 10.364086] ? skb_free_head+0x65/0x80 [ 10.364089] ? security_sock_rcv_skb+0x2c/0x50 [ 10.364094] ? __cond_resched+0x19/0x30 [ 10.364097] ? kmem_cache_alloc_trace+0x15a/0x420 [ 10.364100] rtnl_newlink+0x49/0x70 This change fixes MTL_RXQ_DMA_MAP1 mask issue and channel/queue mapping warning. BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=216195 "
    }
  ],
  "id": "CVE-2022-49592",
  "lastModified": "2025-10-22T19:11:16.223",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 7.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2025-02-26T07:01:34.760",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/508d86ead36cbd8dfb60773a33276790d668c473"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/573768dede0e2b7de38ecbc11cb3ee47643902dc"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/613b065ca32e90209024ec4a6bb5ca887ee70980"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/7c687a893f5cae5ca40d189635602e93af9bab73"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/a3ac79f38d354b10925824899cdbd2caadce55ba"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/ad2febdfbd01e1d092a08bfdba92ede79ea05ff3"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/e846bde09677fa3b203057846620b7ed96540f5f"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-787"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.


Loading…

Loading…