fkie_cve-2022-48795
Vulnerability from fkie_nvd
Published
2024-07-16 12:15
Modified
2024-11-21 07:34
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: parisc: Fix data TLB miss in sba_unmap_sg Rolf Eike Beer reported the following bug: [1274934.746891] Bad Address (null pointer deref?): Code=15 (Data TLB miss fault) at addr 0000004140000018 [1274934.746891] CPU: 3 PID: 5549 Comm: cmake Not tainted 5.15.4-gentoo-parisc64 #4 [1274934.746891] Hardware name: 9000/785/C8000 [1274934.746891] [1274934.746891] YZrvWESTHLNXBCVMcbcbcbcbOGFRQPDI [1274934.746891] PSW: 00001000000001001111111000001110 Not tainted [1274934.746891] r00-03 000000ff0804fe0e 0000000040bc9bc0 00000000406760e4 0000004140000000 [1274934.746891] r04-07 0000000040b693c0 0000004140000000 000000004a2b08b0 0000000000000001 [1274934.746891] r08-11 0000000041f98810 0000000000000000 000000004a0a7000 0000000000000001 [1274934.746891] r12-15 0000000040bddbc0 0000000040c0cbc0 0000000040bddbc0 0000000040bddbc0 [1274934.746891] r16-19 0000000040bde3c0 0000000040bddbc0 0000000040bde3c0 0000000000000007 [1274934.746891] r20-23 0000000000000006 000000004a368950 0000000000000000 0000000000000001 [1274934.746891] r24-27 0000000000001fff 000000000800000e 000000004a1710f0 0000000040b693c0 [1274934.746891] r28-31 0000000000000001 0000000041f988b0 0000000041f98840 000000004a171118 [1274934.746891] sr00-03 00000000066e5800 0000000000000000 0000000000000000 00000000066e5800 [1274934.746891] sr04-07 0000000000000000 0000000000000000 0000000000000000 0000000000000000 [1274934.746891] [1274934.746891] IASQ: 0000000000000000 0000000000000000 IAOQ: 00000000406760e8 00000000406760ec [1274934.746891] IIR: 48780030 ISR: 0000000000000000 IOR: 0000004140000018 [1274934.746891] CPU: 3 CR30: 00000040e3a9c000 CR31: ffffffffffffffff [1274934.746891] ORIG_R28: 0000000040acdd58 [1274934.746891] IAOQ[0]: sba_unmap_sg+0xb0/0x118 [1274934.746891] IAOQ[1]: sba_unmap_sg+0xb4/0x118 [1274934.746891] RP(r2): sba_unmap_sg+0xac/0x118 [1274934.746891] Backtrace: [1274934.746891] [<00000000402740cc>] dma_unmap_sg_attrs+0x6c/0x70 [1274934.746891] [<000000004074d6bc>] scsi_dma_unmap+0x54/0x60 [1274934.746891] [<00000000407a3488>] mptscsih_io_done+0x150/0xd70 [1274934.746891] [<0000000040798600>] mpt_interrupt+0x168/0xa68 [1274934.746891] [<0000000040255a48>] __handle_irq_event_percpu+0xc8/0x278 [1274934.746891] [<0000000040255c34>] handle_irq_event_percpu+0x3c/0xd8 [1274934.746891] [<000000004025ecb4>] handle_percpu_irq+0xb4/0xf0 [1274934.746891] [<00000000402548e0>] generic_handle_irq+0x50/0x70 [1274934.746891] [<000000004019a254>] call_on_stack+0x18/0x24 [1274934.746891] [1274934.746891] Kernel panic - not syncing: Bad Address (null pointer deref?) The bug is caused by overrunning the sglist and incorrectly testing sg_dma_len(sglist) before nents. Normally this doesn't cause a crash, but in this case sglist crossed a page boundary. This occurs in the following code: while (sg_dma_len(sglist) && nents--) { The fix is simply to test nents first and move the decrement of nents into the loop.
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/867e50231c7605547d9334904d70a181f39f2d9e
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/8c8e949ae81e7f5ab58f9f9f8e9b573b93173dd2
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/b7d6f44a0fa716a82969725516dc0b16bc7cd514
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/de75676ee99bf9f25b1124ff301b3f7b8ba597d4
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/e40ae3133ed87d6d526f3c8fc6a5f9a2d72dcdbf
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/efccc9b0c7e28d0eb7918a236e59f60dc23db4c3
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/f23f0444ead4d941165aa82ce2fcbb997dc00e97
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/f8f519d7df66c334b5e08f896ac70ee3b53add3b
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/867e50231c7605547d9334904d70a181f39f2d9e
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/8c8e949ae81e7f5ab58f9f9f8e9b573b93173dd2
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/b7d6f44a0fa716a82969725516dc0b16bc7cd514
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/de75676ee99bf9f25b1124ff301b3f7b8ba597d4
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/e40ae3133ed87d6d526f3c8fc6a5f9a2d72dcdbf
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/efccc9b0c7e28d0eb7918a236e59f60dc23db4c3
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/f23f0444ead4d941165aa82ce2fcbb997dc00e97
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/f8f519d7df66c334b5e08f896ac70ee3b53add3b
Impacted products
Vendor Product Version


To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nparisc: Fix data TLB miss in sba_unmap_sg\n\nRolf Eike Beer reported the following bug:\n\n[1274934.746891] Bad Address (null pointer deref?): Code=15 (Data TLB miss fault) at addr 0000004140000018\n[1274934.746891] CPU: 3 PID: 5549 Comm: cmake Not tainted 5.15.4-gentoo-parisc64 #4\n[1274934.746891] Hardware name: 9000/785/C8000\n[1274934.746891]\n[1274934.746891]      YZrvWESTHLNXBCVMcbcbcbcbOGFRQPDI\n[1274934.746891] PSW: 00001000000001001111111000001110 Not tainted\n[1274934.746891] r00-03  000000ff0804fe0e 0000000040bc9bc0 00000000406760e4 0000004140000000\n[1274934.746891] r04-07  0000000040b693c0 0000004140000000 000000004a2b08b0 0000000000000001\n[1274934.746891] r08-11  0000000041f98810 0000000000000000 000000004a0a7000 0000000000000001\n[1274934.746891] r12-15  0000000040bddbc0 0000000040c0cbc0 0000000040bddbc0 0000000040bddbc0\n[1274934.746891] r16-19  0000000040bde3c0 0000000040bddbc0 0000000040bde3c0 0000000000000007\n[1274934.746891] r20-23  0000000000000006 000000004a368950 0000000000000000 0000000000000001\n[1274934.746891] r24-27  0000000000001fff 000000000800000e 000000004a1710f0 0000000040b693c0\n[1274934.746891] r28-31  0000000000000001 0000000041f988b0 0000000041f98840 000000004a171118\n[1274934.746891] sr00-03  00000000066e5800 0000000000000000 0000000000000000 00000000066e5800\n[1274934.746891] sr04-07  0000000000000000 0000000000000000 0000000000000000 0000000000000000\n[1274934.746891]\n[1274934.746891] IASQ: 0000000000000000 0000000000000000 IAOQ: 00000000406760e8 00000000406760ec\n[1274934.746891]  IIR: 48780030    ISR: 0000000000000000  IOR: 0000004140000018\n[1274934.746891]  CPU:        3   CR30: 00000040e3a9c000 CR31: ffffffffffffffff\n[1274934.746891]  ORIG_R28: 0000000040acdd58\n[1274934.746891]  IAOQ[0]: sba_unmap_sg+0xb0/0x118\n[1274934.746891]  IAOQ[1]: sba_unmap_sg+0xb4/0x118\n[1274934.746891]  RP(r2): sba_unmap_sg+0xac/0x118\n[1274934.746891] Backtrace:\n[1274934.746891]  [\u003c00000000402740cc\u003e] dma_unmap_sg_attrs+0x6c/0x70\n[1274934.746891]  [\u003c000000004074d6bc\u003e] scsi_dma_unmap+0x54/0x60\n[1274934.746891]  [\u003c00000000407a3488\u003e] mptscsih_io_done+0x150/0xd70\n[1274934.746891]  [\u003c0000000040798600\u003e] mpt_interrupt+0x168/0xa68\n[1274934.746891]  [\u003c0000000040255a48\u003e] __handle_irq_event_percpu+0xc8/0x278\n[1274934.746891]  [\u003c0000000040255c34\u003e] handle_irq_event_percpu+0x3c/0xd8\n[1274934.746891]  [\u003c000000004025ecb4\u003e] handle_percpu_irq+0xb4/0xf0\n[1274934.746891]  [\u003c00000000402548e0\u003e] generic_handle_irq+0x50/0x70\n[1274934.746891]  [\u003c000000004019a254\u003e] call_on_stack+0x18/0x24\n[1274934.746891]\n[1274934.746891] Kernel panic - not syncing: Bad Address (null pointer deref?)\n\nThe bug is caused by overrunning the sglist and incorrectly testing\nsg_dma_len(sglist) before nents. Normally this doesn\u0027t cause a crash,\nbut in this case sglist crossed a page boundary. This occurs in the\nfollowing code:\n\n\twhile (sg_dma_len(sglist) \u0026\u0026 nents--) {\n\nThe fix is simply to test nents first and move the decrement of nents\ninto the loop."
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: parisc: corregir la falta de TLB de datos en sba_unmap_sg Rolf Eike Beer inform\u00f3 el siguiente error: [1274934.746891] Direcci\u00f3n incorrecta (\u00bfpuntero nulo deref?): C\u00f3digo = 15 (falla de falta de TLB de datos) en direcci\u00f3n 0000004140000018 [1274934.746891] CPU: 3 PID: 5549 Comunicaciones: cmake No contaminado 5.15.4-gentoo-parisc64 #4 [1274934.746891] Nombre de hardware: 9000/785/C8000 [1274934.746891 ] [1274934.746891] YZrvWESTHLNXBCVMcbcbcbcbOGFRQPDI [1274934.746891] PSW: 000010000000010011111111000001110 No contaminado [1274934.746891] r00-03 000000ff0804fe0e 0000000040bc9bc0 00000000406760e4 0000004140000000 [1274934.746891] r04-07 0b693c0 0000004140000000 000000004a2b08b0 0000000000000001 [1274934.746891] r08-11 0000000041f98810 0000000000000000 00000000 4a0a7000 0000000000000001 [1274934.746891] r12-15 0000000040bddbc0 0000000040c0cbc0 0000000040bddbc0 0000000040bddbc0 [1274934.746891 ] r16-19 0000000040bde3c0 0000000040bddbc0 0000000040bde3c0 0000000000000007 [1274934.746891] r20-23 0000000000000006 000000004a368950 0000000000000000 0000000000000001 [1274934.746891 ] r24-27 0000000000001fff 000000000800000e 000000004a1710f0 0000000040b693c0 [1274934.746891] r28-31 0000000000000001 00000000 41f988b0 0000000041f98840 000000004a171118 [1274934.746891] sr00-03 00000000066e5800 0000000000000000 0000000000000000 000000 00066e5800 [1274934.746891] sr04-07 0000000000000000 0000000000000000 00000000000000000 0000000000000000 [1274934.746891] [1274934.746891] IASQ: 0000000000000000 00000000000000000 IAOQ: 00000000406760e8 00000000406760 ec [1274934.746891] IIR: 48780030 ISR: 0000000000000000 IOR: 0000004140000018 [1274934.746891] CPU: 3 CR30: 00000040e3a9c000 CR31: 1274934.746891] ORIG_R28: 0000000040acdd58 [1274934.746891] IAOQ[ 0]: sba_unmap_sg+0xb0/0x118 [1274934.746891] IAOQ[1]: sba_unmap_sg+0xb4/0x118 [1274934.746891] RP(r2): sba_unmap_sg+0xac/0x118 [1274934.746891] seguimiento: [1274934.746891] [\u0026lt;00000000402740cc\u0026gt;] dma_unmap_sg_attrs+0x6c /0x70 [1274934.746891] [\u0026lt;000000004074d6bc\u0026gt;] scsi_dma_unmap+0x54/0x60 [1274934.746891] [\u0026lt;00000000407a3488\u0026gt;] mptscsih_io_done+0x150/0xd70 4.746891] [\u0026lt;0000000040798600\u0026gt;] mpt_interrupt+0x168/0xa68 [1274934.746891] [\u0026lt;0000000040255a48\u0026gt;] __handle_irq_event_percpu +0xc8/0x278 [1274934.746891] [\u0026lt;0000000040255c34\u0026gt;] handle_irq_event_percpu+0x3c/0xd8 [1274934.746891] [\u0026lt;000000004025ecb4\u0026gt;] handle_percpu_irq+0xb4/0xf0 [1 274934.746891] [\u0026lt;00000000402548e0\u0026gt;] generic_handle_irq+0x50/0x70 [1274934.746891] [\u0026lt;000000004019a254\u0026gt; ] call_on_stack+0x18/0x24 [1274934.746891] [1274934.746891] P\u00e1nico del kernel - no se sincroniza: Direcci\u00f3n incorrecta (\u00bfpuntero nulo deref?) El error se debe a que se sobrepasa sglist y se prueba incorrectamente sg_dma_len(sglist) antes de nents. Normalmente esto no causa un bloqueo, pero en este caso sglist cruz\u00f3 el l\u00edmite de una p\u00e1gina. Esto ocurre en el siguiente c\u00f3digo: while (sg_dma_len(sglist) \u0026amp;\u0026amp; nents--) { La soluci\u00f3n es simplemente probar nents primero y mover la disminuci\u00f3n de nents al bucle."
    }
  ],
  "id": "CVE-2022-48795",
  "lastModified": "2024-11-21T07:34:02.450",
  "metrics": {},
  "published": "2024-07-16T12:15:04.220",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/867e50231c7605547d9334904d70a181f39f2d9e"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/8c8e949ae81e7f5ab58f9f9f8e9b573b93173dd2"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/b7d6f44a0fa716a82969725516dc0b16bc7cd514"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/de75676ee99bf9f25b1124ff301b3f7b8ba597d4"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/e40ae3133ed87d6d526f3c8fc6a5f9a2d72dcdbf"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/efccc9b0c7e28d0eb7918a236e59f60dc23db4c3"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/f23f0444ead4d941165aa82ce2fcbb997dc00e97"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/f8f519d7df66c334b5e08f896ac70ee3b53add3b"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://git.kernel.org/stable/c/867e50231c7605547d9334904d70a181f39f2d9e"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://git.kernel.org/stable/c/8c8e949ae81e7f5ab58f9f9f8e9b573b93173dd2"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://git.kernel.org/stable/c/b7d6f44a0fa716a82969725516dc0b16bc7cd514"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://git.kernel.org/stable/c/de75676ee99bf9f25b1124ff301b3f7b8ba597d4"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://git.kernel.org/stable/c/e40ae3133ed87d6d526f3c8fc6a5f9a2d72dcdbf"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://git.kernel.org/stable/c/efccc9b0c7e28d0eb7918a236e59f60dc23db4c3"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://git.kernel.org/stable/c/f23f0444ead4d941165aa82ce2fcbb997dc00e97"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://git.kernel.org/stable/c/f8f519d7df66c334b5e08f896ac70ee3b53add3b"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.