CVE-2022-49073

Severity CVSS v4.0:
Pending analysis
Type:
CWE-787 Out-of-bounds Write
Publication date:
26/02/2025
Last modified:
23/09/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

ata: sata_dwc_460ex: Fix crash due to OOB write

The driver uses libata's "tag" values in various arrays.
Since the mentioned patch bumped the ATA_TAG_INTERNAL to 32,
the value of the SATA_DWC_QCMD_MAX needs to account for that.

Otherwise ATA_TAG_INTERNAL usage causes similar crashes like
this as reported by Tice Rex on the OpenWrt Forum and
reproduced (with symbols) here:

| BUG: Kernel NULL pointer dereference at 0x00000000
| Faulting instruction address: 0xc03ed4b8
| Oops: Kernel access of bad area, sig: 11 [#1]
| BE PAGE_SIZE=4K PowerPC 44x Platform
| CPU: 0 PID: 362 Comm: scsi_eh_1 Not tainted 5.4.163 #0
| NIP: c03ed4b8 LR: c03d27e8 CTR: c03ed36c
| REGS: cfa59950 TRAP: 0300 Not tainted (5.4.163)
| MSR: 00021000 CR: 42000222 XER: 00000000
| DEAR: 00000000 ESR: 00000000
| GPR00: c03d27e8 cfa59a08 cfa55fe0 00000000 0fa46bc0 [...]
| [..]
| NIP [c03ed4b8] sata_dwc_qc_issue+0x14c/0x254
| LR [c03d27e8] ata_qc_issue+0x1c8/0x2dc
| Call Trace:
| [cfa59a08] [c003f4e0] __cancel_work_timer+0x124/0x194 (unreliable)
| [cfa59a78] [c03d27e8] ata_qc_issue+0x1c8/0x2dc
| [cfa59a98] [c03d2b3c] ata_exec_internal_sg+0x240/0x524
| [cfa59b08] [c03d2e98] ata_exec_internal+0x78/0xe0
| [cfa59b58] [c03d30fc] ata_read_log_page.part.38+0x1dc/0x204
| [cfa59bc8] [c03d324c] ata_identify_page_supported+0x68/0x130
| [...]

This is because sata_dwc_dma_xfer_complete() NULLs the
dma_pending's next neighbour "chan" (a *dma_chan struct) in
this '32' case right here (line ~735):
> hsdevp->dma_pending[tag] = SATA_DWC_DMA_PENDING_NONE;

Then the next time, a dma gets issued; dma_dwc_xfer_setup() passes
the NULL'd hsdevp->chan to the dmaengine_slave_config() which then
causes the crash.

With this patch, SATA_DWC_QCMD_MAX is now set to ATA_MAX_QUEUE + 1.
This avoids the OOB. But please note, there was a worthwhile discussion
on what ATA_TAG_INTERNAL and ATA_MAX_QUEUE is. And why there should not
be a "fake" 33 command-long queue size.

Ideally, the dw driver should account for the ATA_TAG_INTERNAL.
In Damien Le Moal's words: "... having looked at the driver, it
is a bigger change than just faking a 33rd "tag" that is in fact
not a command tag at all."

BugLink: https://github.com/openwrt/openwrt/issues/9505
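The following C program is an added illustration of the sizing mismatch the description names; it is not code from the sata_dwc_460ex driver or from the fixing commit. It models a per-tag array followed in memory by a channel pointer (as the commit message describes for dma_pending and chan), with ATA_MAX_QUEUE = 32 and ATA_TAG_INTERNAL = 32 as the description implies. The pre-fix array size being equal to ATA_MAX_QUEUE, the struct layout, and the names QCMD_MAX_BEFORE, QCMD_MAX_AFTER, complete_xfer and oob_write_lands_on_chan are assumptions made for the example, not identifiers from the kernel. It checks, without performing the out-of-bounds write itself, that the internal tag falls outside the pre-fix array exactly where the pointer lives, and that a bounds-checked completion path with the ATA_MAX_QUEUE + 1 sizing leaves the pointer intact.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* libata constants as described in the commit text: the internal tag was
 * bumped to 32, i.e. one past the last regular command tag (0..31). */
#define ATA_MAX_QUEUE     32
#define ATA_TAG_INTERNAL  ATA_MAX_QUEUE

/* Assumption for this example (not the driver's source): before the fix the
 * per-tag arrays held ATA_MAX_QUEUE entries; the fix sizes them ATA_MAX_QUEUE + 1. */
#define QCMD_MAX_BEFORE   ATA_MAX_QUEUE
#define QCMD_MAX_AFTER    (ATA_MAX_QUEUE + 1)

#define DMA_PENDING_NONE  0
#define DMA_PENDING_TX    1

/* Toy stand-in for the per-port private data: a per-tag array immediately
 * followed by the DMA channel pointer, mirroring the neighbour relationship
 * the commit message describes. */
struct port_before {
    int   dma_pending[QCMD_MAX_BEFORE];
    void *chan;
};

struct port_after {
    int   dma_pending[QCMD_MAX_AFTER];
    void *chan;
};

/* True when `tag` indexes inside an array of `qcmd_max` entries. */
bool tag_in_bounds(unsigned int tag, size_t qcmd_max)
{
    return tag < qcmd_max;
}

/* In the pre-fix layout the byte that dma_pending[ATA_TAG_INTERNAL] would
 * write to is exactly where `chan` starts, so that write clobbers `chan`. */
bool oob_write_lands_on_chan(void)
{
    return offsetof(struct port_before, chan) ==
           (size_t)ATA_TAG_INTERNAL * sizeof(int);
}

/* Hardened completion path: refuse tags the array cannot hold instead of
 * writing past its end. Returns 0 on success, -1 on a rejected tag. */
int complete_xfer(struct port_after *p, unsigned int tag)
{
    if (!tag_in_bounds(tag, QCMD_MAX_AFTER))
        return -1;
    p->dma_pending[tag] = DMA_PENDING_NONE;
    return 0;
}

/* Drive the internal tag through the hardened path and report whether
 * `chan` survived intact and the tag's own slot was cleared. */
bool chan_survives_internal_tag(void)
{
    int sentinel = 0;
    struct port_after p = { .chan = &sentinel };
    for (unsigned int t = 0; t < QCMD_MAX_AFTER; t++)
        p.dma_pending[t] = DMA_PENDING_TX;
    if (complete_xfer(&p, ATA_TAG_INTERNAL) != 0)
        return false;
    return p.chan == &sentinel &&
           p.dma_pending[ATA_TAG_INTERNAL] == DMA_PENDING_NONE;
}

int main(void)
{
    printf("internal tag %u in bounds before fix: %s\n", (unsigned)ATA_TAG_INTERNAL,
           tag_in_bounds(ATA_TAG_INTERNAL, QCMD_MAX_BEFORE) ? "yes" : "no");
    printf("internal tag %u in bounds after fix:  %s\n", (unsigned)ATA_TAG_INTERNAL,
           tag_in_bounds(ATA_TAG_INTERNAL, QCMD_MAX_AFTER) ? "yes" : "no");
    printf("pre-fix OOB write overlaps chan: %s\n",
           oob_write_lands_on_chan() ? "yes" : "no");
    printf("chan intact after hardened completion: %s\n",
           chan_survives_internal_tag() ? "yes" : "no");
    return 0;
}
```

The first two checks are the whole bug in miniature: a tag value that libata legitimately hands the driver is one past the end of an array sized by the old constant, and the slot it would overwrite is the pointer that the next DMA setup dereferences. Resizing the array is what the commit does; the explicit bounds check in complete_xfer is an extra defensive measure this example adds, so that a future change to the tag range fails a request rather than corrupting the neighbouring field.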

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.18 (including) 4.19.238 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.20 (including) 5.4.189 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.5 (including) 5.10.111 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (including) 5.15.34 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 5.16.20 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.17 (including) 5.17.3 (excluding)
cpe:2.3:o:linux:linux_kernel:5.18:rc1:*:*:*:*:*:*