CVE-2022-50320 (GCVE-0-2022-50320)

Vulnerability from cvelistv5 – Published: 2025-09-15 14:48 – Updated: 2025-12-23 13:28
VLAI?
Title
ACPI: tables: FPDT: Don't call acpi_os_map_memory() on invalid phys address
Summary
In the Linux kernel, the following vulnerability has been resolved: ACPI: tables: FPDT: Don't call acpi_os_map_memory() on invalid phys address On a Packard Bell Dot SC (Intel Atom N2600 model) there is a FPDT table which contains invalid physical addresses, with high bits set which fall outside the range of the CPU-s supported physical address range. Calling acpi_os_map_memory() on such an invalid phys address leads to the below WARN_ON in ioremap triggering resulting in an oops/stacktrace. Add code to verify the physical address before calling acpi_os_map_memory() to fix / avoid the oops. [ 1.226900] ioremap: invalid physical address 3001000000000000 [ 1.226949] ------------[ cut here ]------------ [ 1.226962] WARNING: CPU: 1 PID: 1 at arch/x86/mm/ioremap.c:200 __ioremap_caller.cold+0x43/0x5f [ 1.226996] Modules linked in: [ 1.227016] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 6.0.0-rc3+ #490 [ 1.227029] Hardware name: Packard Bell dot s/SJE01_CT, BIOS V1.10 07/23/2013 [ 1.227038] RIP: 0010:__ioremap_caller.cold+0x43/0x5f [ 1.227054] Code: 96 00 00 e9 f8 af 24 ff 89 c6 48 c7 c7 d8 0c 84 99 e8 6a 96 00 00 e9 76 af 24 ff 48 89 fe 48 c7 c7 a8 0c 84 99 e8 56 96 00 00 <0f> 0b e9 60 af 24 ff 48 8b 34 24 48 c7 c7 40 0d 84 99 e8 3f 96 00 [ 1.227067] RSP: 0000:ffffb18c40033d60 EFLAGS: 00010286 [ 1.227084] RAX: 0000000000000032 RBX: 3001000000000000 RCX: 0000000000000000 [ 1.227095] RDX: 0000000000000001 RSI: 00000000ffffdfff RDI: 00000000ffffffff [ 1.227105] RBP: 3001000000000000 R08: 0000000000000000 R09: ffffb18c40033c18 [ 1.227115] R10: 0000000000000003 R11: ffffffff99d62fe8 R12: 0000000000000008 [ 1.227124] R13: 0003001000000000 R14: 0000000000001000 R15: 3001000000000000 [ 1.227135] FS: 0000000000000000(0000) GS:ffff913a3c080000(0000) knlGS:0000000000000000 [ 1.227146] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 1.227156] CR2: 0000000000000000 CR3: 0000000018c26000 CR4: 00000000000006e0 [ 1.227167] Call Trace: [ 1.227176] <TASK> [ 1.227185] ? acpi_os_map_iomem+0x1c9/0x1e0 [ 1.227215] ? kmem_cache_alloc_trace+0x187/0x370 [ 1.227254] acpi_os_map_iomem+0x1c9/0x1e0 [ 1.227288] acpi_init_fpdt+0xa8/0x253 [ 1.227308] ? acpi_debugfs_init+0x1f/0x1f [ 1.227339] do_one_initcall+0x5a/0x300 [ 1.227406] ? rcu_read_lock_sched_held+0x3f/0x80 [ 1.227442] kernel_init_freeable+0x28b/0x2cc [ 1.227512] ? rest_init+0x170/0x170 [ 1.227538] kernel_init+0x16/0x140 [ 1.227552] ret_from_fork+0x1f/0x30 [ 1.227639] </TASK> [ 1.227647] irq event stamp: 186819 [ 1.227656] hardirqs last enabled at (186825): [<ffffffff98184a6e>] __up_console_sem+0x5e/0x70 [ 1.227672] hardirqs last disabled at (186830): [<ffffffff98184a53>] __up_console_sem+0x43/0x70 [ 1.227686] softirqs last enabled at (186576): [<ffffffff980fbc9d>] __irq_exit_rcu+0xed/0x160 [ 1.227701] softirqs last disabled at (186569): [<ffffffff980fbc9d>] __irq_exit_rcu+0xed/0x160 [ 1.227715] ---[ end trace 0000000000000000 ]---
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: d1eb86e59be09c12447fcb959783cbc70a9bec01 , < 30eca146c89d216dda95868ce00a2d35cf73d5a4 (git)
Affected: d1eb86e59be09c12447fcb959783cbc70a9bec01 , < 90bfc9ae875dfbed2e6089516520204cd431dba3 (git)
Affected: d1eb86e59be09c12447fcb959783cbc70a9bec01 , < 16046a716c8e1f447909bec9b478d58e6e25e513 (git)
Affected: d1eb86e59be09c12447fcb959783cbc70a9bec01 , < 211391bf04b3c74e250c566eeff9cf808156c693 (git)
Create a notification for this product.
    Linux Linux Affected: 5.12
Unaffected: 0 , < 5.12 (semver)
Unaffected: 5.15.75 , ≤ 5.15.* (semver)
Unaffected: 5.19.17 , ≤ 5.19.* (semver)
Unaffected: 6.0.3 , ≤ 6.0.* (semver)
Unaffected: 6.1 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/acpi/acpi_fpdt.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "30eca146c89d216dda95868ce00a2d35cf73d5a4",
              "status": "affected",
              "version": "d1eb86e59be09c12447fcb959783cbc70a9bec01",
              "versionType": "git"
            },
            {
              "lessThan": "90bfc9ae875dfbed2e6089516520204cd431dba3",
              "status": "affected",
              "version": "d1eb86e59be09c12447fcb959783cbc70a9bec01",
              "versionType": "git"
            },
            {
              "lessThan": "16046a716c8e1f447909bec9b478d58e6e25e513",
              "status": "affected",
              "version": "d1eb86e59be09c12447fcb959783cbc70a9bec01",
              "versionType": "git"
            },
            {
              "lessThan": "211391bf04b3c74e250c566eeff9cf808156c693",
              "status": "affected",
              "version": "d1eb86e59be09c12447fcb959783cbc70a9bec01",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/acpi/acpi_fpdt.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.12"
            },
            {
              "lessThan": "5.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.75",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.19.*",
              "status": "unaffected",
              "version": "5.19.17",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.0.*",
              "status": "unaffected",
              "version": "6.0.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.75",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.19.17",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0.3",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPI: tables: FPDT: Don\u0027t call acpi_os_map_memory() on invalid phys address\n\nOn a Packard Bell Dot SC (Intel Atom N2600 model) there is a FPDT table\nwhich contains invalid physical addresses, with high bits set which fall\noutside the range of the CPU-s supported physical address range.\n\nCalling acpi_os_map_memory() on such an invalid phys address leads to\nthe below WARN_ON in ioremap triggering resulting in an oops/stacktrace.\n\nAdd code to verify the physical address before calling acpi_os_map_memory()\nto fix / avoid the oops.\n\n[    1.226900] ioremap: invalid physical address 3001000000000000\n[    1.226949] ------------[ cut here ]------------\n[    1.226962] WARNING: CPU: 1 PID: 1 at arch/x86/mm/ioremap.c:200 __ioremap_caller.cold+0x43/0x5f\n[    1.226996] Modules linked in:\n[    1.227016] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 6.0.0-rc3+ #490\n[    1.227029] Hardware name: Packard Bell dot s/SJE01_CT, BIOS V1.10 07/23/2013\n[    1.227038] RIP: 0010:__ioremap_caller.cold+0x43/0x5f\n[    1.227054] Code: 96 00 00 e9 f8 af 24 ff 89 c6 48 c7 c7 d8 0c 84 99 e8 6a 96 00 00 e9 76 af 24 ff 48 89 fe 48 c7 c7 a8 0c 84 99 e8 56 96 00 00 \u003c0f\u003e 0b e9 60 af 24 ff 48 8b 34 24 48 c7 c7 40 0d 84 99 e8 3f 96 00\n[    1.227067] RSP: 0000:ffffb18c40033d60 EFLAGS: 00010286\n[    1.227084] RAX: 0000000000000032 RBX: 3001000000000000 RCX: 0000000000000000\n[    1.227095] RDX: 0000000000000001 RSI: 00000000ffffdfff RDI: 00000000ffffffff\n[    1.227105] RBP: 3001000000000000 R08: 0000000000000000 R09: ffffb18c40033c18\n[    1.227115] R10: 0000000000000003 R11: ffffffff99d62fe8 R12: 0000000000000008\n[    1.227124] R13: 0003001000000000 R14: 0000000000001000 R15: 3001000000000000\n[    1.227135] FS:  0000000000000000(0000) GS:ffff913a3c080000(0000) knlGS:0000000000000000\n[    1.227146] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[    1.227156] CR2: 0000000000000000 CR3: 0000000018c26000 CR4: 00000000000006e0\n[    1.227167] Call Trace:\n[    1.227176]  \u003cTASK\u003e\n[    1.227185]  ? acpi_os_map_iomem+0x1c9/0x1e0\n[    1.227215]  ? kmem_cache_alloc_trace+0x187/0x370\n[    1.227254]  acpi_os_map_iomem+0x1c9/0x1e0\n[    1.227288]  acpi_init_fpdt+0xa8/0x253\n[    1.227308]  ? acpi_debugfs_init+0x1f/0x1f\n[    1.227339]  do_one_initcall+0x5a/0x300\n[    1.227406]  ? rcu_read_lock_sched_held+0x3f/0x80\n[    1.227442]  kernel_init_freeable+0x28b/0x2cc\n[    1.227512]  ? rest_init+0x170/0x170\n[    1.227538]  kernel_init+0x16/0x140\n[    1.227552]  ret_from_fork+0x1f/0x30\n[    1.227639]  \u003c/TASK\u003e\n[    1.227647] irq event stamp: 186819\n[    1.227656] hardirqs last  enabled at (186825): [\u003cffffffff98184a6e\u003e] __up_console_sem+0x5e/0x70\n[    1.227672] hardirqs last disabled at (186830): [\u003cffffffff98184a53\u003e] __up_console_sem+0x43/0x70\n[    1.227686] softirqs last  enabled at (186576): [\u003cffffffff980fbc9d\u003e] __irq_exit_rcu+0xed/0x160\n[    1.227701] softirqs last disabled at (186569): [\u003cffffffff980fbc9d\u003e] __irq_exit_rcu+0xed/0x160\n[    1.227715] ---[ end trace 0000000000000000 ]---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-23T13:28:19.926Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/30eca146c89d216dda95868ce00a2d35cf73d5a4"
        },
        {
          "url": "https://git.kernel.org/stable/c/90bfc9ae875dfbed2e6089516520204cd431dba3"
        },
        {
          "url": "https://git.kernel.org/stable/c/16046a716c8e1f447909bec9b478d58e6e25e513"
        },
        {
          "url": "https://git.kernel.org/stable/c/211391bf04b3c74e250c566eeff9cf808156c693"
        }
      ],
      "title": "ACPI: tables: FPDT: Don\u0027t call acpi_os_map_memory() on invalid phys address",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-50320",
    "datePublished": "2025-09-15T14:48:53.475Z",
    "dateReserved": "2025-09-15T14:18:36.814Z",
    "dateUpdated": "2025-12-23T13:28:19.926Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.