Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2022-49452

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
26/02/2025
Last modified:
22/10/2025

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> dpaa2-eth: retrieve the virtual address before dma_unmap<br /> <br /> The TSO header was DMA unmapped before the virtual address was retrieved<br /> and then used to free the buffer. This meant that we were actually<br /> removing the DMA map and then trying to search for it to help in<br /> retrieving the virtual address. This lead to a invalid virtual address<br /> being used in the kfree call.<br /> <br /> Fix this by calling dpaa2_iova_to_virt() prior to the dma_unmap call.<br /> <br /> [ 487.231819] Unable to handle kernel paging request at virtual address fffffd9807000008<br /> <br /> (...)<br /> <br /> [ 487.354061] Hardware name: SolidRun LX2160A Honeycomb (DT)<br /> [ 487.359535] pstate: a0400005 (NzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)<br /> [ 487.366485] pc : kfree+0xac/0x304<br /> [ 487.369799] lr : kfree+0x204/0x304<br /> [ 487.373191] sp : ffff80000c4eb120<br /> [ 487.376493] x29: ffff80000c4eb120 x28: ffff662240c46400 x27: 0000000000000001<br /> [ 487.383621] x26: 0000000000000001 x25: ffff662246da0cc0 x24: ffff66224af78000<br /> [ 487.390748] x23: ffffad184f4ce008 x22: ffffad1850185000 x21: ffffad1838d13cec<br /> [ 487.397874] x20: ffff6601c0000000 x19: fffffd9807000000 x18: 0000000000000000<br /> [ 487.405000] x17: ffffb910cdc49000 x16: ffffad184d7d9080 x15: 0000000000004000<br /> [ 487.412126] x14: 0000000000000008 x13: 000000000000ffff x12: 0000000000000000<br /> [ 487.419252] x11: 0000000000000004 x10: 0000000000000001 x9 : ffffad184d7d927c<br /> [ 487.426379] x8 : 0000000000000000 x7 : 0000000ffffffd1d x6 : ffff662240a94900<br /> [ 487.433505] x5 : 0000000000000003 x4 : 0000000000000009 x3 : ffffad184f4ce008<br /> [ 487.440632] x2 : ffff662243eec000 x1 : 0000000100000100 x0 : fffffc0000000000<br /> [ 487.447758] Call trace:<br /> [ 487.450194] kfree+0xac/0x304<br /> [ 487.453151] dpaa2_eth_free_tx_fd.isra.0+0x33c/0x3e0 [fsl_dpaa2_eth]<br /> [ 487.459507] dpaa2_eth_tx_conf+0x100/0x2e0 [fsl_dpaa2_eth]<br /> [ 487.464989] dpaa2_eth_poll+0xdc/0x380 [fsl_dpaa2_eth]

Impact

Vector 3.x
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS v3.1 Severity and Metrics:

Base Score: 5.50 MEDIUM
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): None
Availability (A): High

Base Score 3.x
5.50
Severity 3.x
MEDIUM

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.18 (including) 5.18.3 (excluding)

To consult the complete list of CPE names with products and versions, see this page


References to Advisories, Solutions, and Tools