GHSA-CC84-PQV3-62XJ

Vulnerability from github – Published: 2025-10-22 21:31 – Updated: 2025-10-22 21:31
VLAI?
Details

In the Linux kernel, the following vulnerability has been resolved:

net: stmmac: fix dma queue left shift overflow issue

When queue number is > 4, left shift overflows due to 32 bits integer variable. Mask calculation is wrong for MTL_RXQ_DMA_MAP1.

If CONFIG_UBSAN is enabled, kernel dumps below warning: [ 10.363842] ================================================================== [ 10.363882] UBSAN: shift-out-of-bounds in /build/linux-intel-iotg-5.15-8e6Tf4/ linux-intel-iotg-5.15-5.15.0/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c:224:12 [ 10.363929] shift exponent 40 is too large for 32-bit type 'unsigned int' [ 10.363953] CPU: 1 PID: 599 Comm: NetworkManager Not tainted 5.15.0-1003-intel-iotg [ 10.363956] Hardware name: ADLINK Technology Inc. LEC-EL/LEC-EL, BIOS 0.15.11 12/22/2021 [ 10.363958] Call Trace: [ 10.363960] [ 10.363963] dump_stack_lvl+0x4a/0x5f [ 10.363971] dump_stack+0x10/0x12 [ 10.363974] ubsan_epilogue+0x9/0x45 [ 10.363976] __ubsan_handle_shift_out_of_bounds.cold+0x61/0x10e [ 10.363979] ? wake_up_klogd+0x4a/0x50 [ 10.363983] ? vprintk_emit+0x8f/0x240 [ 10.363986] dwmac4_map_mtl_dma.cold+0x42/0x91 [stmmac] [ 10.364001] stmmac_mtl_configuration+0x1ce/0x7a0 [stmmac] [ 10.364009] ? dwmac410_dma_init_channel+0x70/0x70 [stmmac] [ 10.364020] stmmac_hw_setup.cold+0xf/0xb14 [stmmac] [ 10.364030] ? page_pool_alloc_pages+0x4d/0x70 [ 10.364034] ? stmmac_clear_tx_descriptors+0x6e/0xe0 [stmmac] [ 10.364042] stmmac_open+0x39e/0x920 [stmmac] [ 10.364050] __dev_open+0xf0/0x1a0 [ 10.364054] __dev_change_flags+0x188/0x1f0 [ 10.364057] dev_change_flags+0x26/0x60 [ 10.364059] do_setlink+0x908/0xc40 [ 10.364062] ? do_setlink+0xb10/0xc40 [ 10.364064] ? __nla_validate_parse+0x4c/0x1a0 [ 10.364068] __rtnl_newlink+0x597/0xa10 [ 10.364072] ? __nla_reserve+0x41/0x50 [ 10.364074] ? __kmalloc_node_track_caller+0x1d0/0x4d0 [ 10.364079] ? pskb_expand_head+0x75/0x310 [ 10.364082] ? nla_reserve_64bit+0x21/0x40 [ 10.364086] ? skb_free_head+0x65/0x80 [ 10.364089] ? security_sock_rcv_skb+0x2c/0x50 [ 10.364094] ? __cond_resched+0x19/0x30 [ 10.364097] ? kmem_cache_alloc_trace+0x15a/0x420 [ 10.364100] rtnl_newlink+0x49/0x70

This change fixes MTL_RXQ_DMA_MAP1 mask issue and channel/queue mapping warning.

BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=216195

Severity ?
7.8 (High)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Show details on source website
To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2022-49592"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-787"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-26T07:01:34Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: stmmac: fix dma queue left shift overflow issue\n\nWhen queue number is \u003e 4, left shift overflows due to 32 bits\ninteger variable. Mask calculation is wrong for MTL_RXQ_DMA_MAP1.\n\nIf CONFIG_UBSAN is enabled, kernel dumps below warning:\n[   10.363842] ==================================================================\n[   10.363882] UBSAN: shift-out-of-bounds in /build/linux-intel-iotg-5.15-8e6Tf4/\nlinux-intel-iotg-5.15-5.15.0/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c:224:12\n[   10.363929] shift exponent 40 is too large for 32-bit type \u0027unsigned int\u0027\n[   10.363953] CPU: 1 PID: 599 Comm: NetworkManager Not tainted 5.15.0-1003-intel-iotg\n[   10.363956] Hardware name: ADLINK Technology Inc. LEC-EL/LEC-EL, BIOS 0.15.11 12/22/2021\n[   10.363958] Call Trace:\n[   10.363960]  \u003cTASK\u003e\n[   10.363963]  dump_stack_lvl+0x4a/0x5f\n[   10.363971]  dump_stack+0x10/0x12\n[   10.363974]  ubsan_epilogue+0x9/0x45\n[   10.363976]  __ubsan_handle_shift_out_of_bounds.cold+0x61/0x10e\n[   10.363979]  ? wake_up_klogd+0x4a/0x50\n[   10.363983]  ? vprintk_emit+0x8f/0x240\n[   10.363986]  dwmac4_map_mtl_dma.cold+0x42/0x91 [stmmac]\n[   10.364001]  stmmac_mtl_configuration+0x1ce/0x7a0 [stmmac]\n[   10.364009]  ? dwmac410_dma_init_channel+0x70/0x70 [stmmac]\n[   10.364020]  stmmac_hw_setup.cold+0xf/0xb14 [stmmac]\n[   10.364030]  ? page_pool_alloc_pages+0x4d/0x70\n[   10.364034]  ? stmmac_clear_tx_descriptors+0x6e/0xe0 [stmmac]\n[   10.364042]  stmmac_open+0x39e/0x920 [stmmac]\n[   10.364050]  __dev_open+0xf0/0x1a0\n[   10.364054]  __dev_change_flags+0x188/0x1f0\n[   10.364057]  dev_change_flags+0x26/0x60\n[   10.364059]  do_setlink+0x908/0xc40\n[   10.364062]  ? do_setlink+0xb10/0xc40\n[   10.364064]  ? __nla_validate_parse+0x4c/0x1a0\n[   10.364068]  __rtnl_newlink+0x597/0xa10\n[   10.364072]  ? __nla_reserve+0x41/0x50\n[   10.364074]  ? __kmalloc_node_track_caller+0x1d0/0x4d0\n[   10.364079]  ? pskb_expand_head+0x75/0x310\n[   10.364082]  ? nla_reserve_64bit+0x21/0x40\n[   10.364086]  ? skb_free_head+0x65/0x80\n[   10.364089]  ? security_sock_rcv_skb+0x2c/0x50\n[   10.364094]  ? __cond_resched+0x19/0x30\n[   10.364097]  ? kmem_cache_alloc_trace+0x15a/0x420\n[   10.364100]  rtnl_newlink+0x49/0x70\n\nThis change fixes MTL_RXQ_DMA_MAP1 mask issue and channel/queue\nmapping warning.\n\nBugLink: https://bugzilla.kernel.org/show_bug.cgi?id=216195",
  "id": "GHSA-cc84-pqv3-62xj",
  "modified": "2025-10-22T21:31:17Z",
  "published": "2025-10-22T21:31:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49592"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/508d86ead36cbd8dfb60773a33276790d668c473"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/573768dede0e2b7de38ecbc11cb3ee47643902dc"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/613b065ca32e90209024ec4a6bb5ca887ee70980"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7c687a893f5cae5ca40d189635602e93af9bab73"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a3ac79f38d354b10925824899cdbd2caadce55ba"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ad2febdfbd01e1d092a08bfdba92ede79ea05ff3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e846bde09677fa3b203057846620b7ed96540f5f"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.