CVE-2022-49073 Information

Description

In the Linux kernel the following vulnerability has been resolved:

ata: sata_dwc_460ex: Fix crash due to OOB write

the driver uses libata’s ag\ values from in various arrays. Since the mentioned patch bumped the ATA_TAG_INTERNAL to 32 the value of the SATA_DWC_QCMD_MAX needs to account for that.

Otherwise ATA_TAG_INTERNAL usage cause similar crashes like this as reported by Tice Rex on the OpenWrt Forum and reproduced (with symbols) here:

| BUG: Kernel NULL pointer dereference at 0x00000000 | Faulting instruction address: 0xc03ed4b8 | Oops: Kernel access of bad area sig: 11 [1] | BE PAGE_SIZE=4K PowerPC 44x Platform | CPU: 0 PID: 362 Comm: scsi_eh_1 Not tainted 5.4.163 0 | NIP: c03ed4b8 LR: c03d27e8 CTR: c03ed36c | REGS: cfa59950 TRAP: 0300 Not tainted (5.4.163) | MSR: 00021000 CR: 42000222 XER: 00000000 | DEAR: 00000000 ESR: 00000000 | GPR00: c03d27e8 cfa59a08 cfa55fe0 00000000 0fa46bc0 […] | [..] | NIP [c03ed4b8] sata_dwc_qc_issue+0x14c/0x254 | LR [c03d27e8] ata_qc_issue+0x1c8/0x2dc | Call Trace: | [cfa59a08] [c003f4e0] __cancel_work_timer+0x124/0x194 (unreliable) | [cfa59a78] [c03d27e8] ata_qc_issue+0x1c8/0x2dc | [cfa59a98] [c03d2b3c] ata_exec_internal_sg+0x240/0x524 | [cfa59b08] [c03d2e98] ata_exec_internal+0x78/0xe0 | [cfa59b58] [c03d30fc] ata_read_log_page.part.38+0x1dc/0x204 | [cfa59bc8] [c03d324c] ata_identify_page_supported+0x68/0x130 | […]

This is because sata_dwc_dma_xfer_complete() NULLs the dma_pending’s next neighbour ## Reference https://git.kernel.org/stable/c/234c0132f76f0676d175757f61b0025191a3d935 https://git.kernel.org/stable/c/3a8751c0d4e24129e72dcec0139e99833b13904a https://git.kernel.org/stable/c/55e1465ba79562a191708a40eeae3f8082a209e3 https://git.kernel.org/stable/c/596c7efd69aae94f4b0e91172b075eb197958b99 https://git.kernel.org/stable/c/7aa8104a554713b685db729e66511b93d989dd6a https://git.kernel.org/stable/c/8a05a6952ecd59aaa62cbdcdaf523ae2c8f436e8 https://git.kernel.org/stable/c/fc629224aa62f23849cae83717932985ac51232d