CVE-2022-48980: Vulnerability in the Linux kernel
In the Linux kernel, the following vulnerability has been resolved:

net: dsa: sja1105: avoid out of bounds access in sja1105_init_l2_policing()

The SJA1105 family has 45 L2 policing table entries (SJA1105_MAX_L2_POLICING_COUNT) and SJA1110 has 110 (SJA1110_MAX_L2_POLICING_COUNT). Keeping the table structure but accounting for the difference in port count (5 in SJA1105 vs 10 in SJA1110) does not fully explain the difference. Rather, the SJA1110 also has L2 ingress policers for multicast traffic. If a packet is classified as multicast, it will be processed by the policer index 99 + SRCPORT.

The sja1105_init_l2_policing() function initializes all L2 policers such that they don't interfere with normal packet reception by default. To have a common code between SJA1105 and SJA1110, the index of the multicast policer for the port is calculated because it's an index that is out of bounds for SJA1105 but in bounds for SJA1110, and a bounds check is performed.

The code fails to do the proper thing when determining what to do with the multicast policer of port 0 on SJA1105 (ds->num_ports = 5). The "mcast" index will be equal to 45, which is also equal to table->ops->max_entry_count (SJA1105_MAX_L2_POLICING_COUNT). So it passes through the check. But at the same time, SJA1105 doesn't have multicast policers. So the code programs the SHARINDX field of an out-of-bounds element in the L2 Policing table of the static config.

The comparison between index 45 and 45 entries should have determined the code to not access this policer index on SJA1105, since its memory wasn't even allocated.

With enough bad luck, the out-of-bounds write could even overwrite other valid kernel data, but in this case, the issue was detected using KASAN.

Kernel log:

sja1105 spi5.0: Probed switch chip: SJA1105Q
==================================================================
BUG: KASAN: slab-out-of-bounds in sja1105_setup+0x1cbc/0x2340
Write of size 8 at addr ffffff880bd57708 by task kworker/u8:0/8
...
Workqueue: events_unbound deferred_probe_work_func
Call trace:
...
sja1105_setup+0x1cbc/0x2340
dsa_register_switch+0x1284/0x18d0
sja1105_probe+0x748/0x840
...
Allocated by task 8:
...
sja1105_setup+0x1bcc/0x2340
dsa_register_switch+0x1284/0x18d0
sja1105_probe+0x748/0x840
...
AI Analysis
Technical Summary
CVE-2022-48980 is an out-of-bounds write in the Linux kernel's Distributed Switch Architecture (DSA) driver for the NXP SJA1105 family of automotive Ethernet switches. The flaw is in sja1105_init_l2_policing(), which initializes the Layer 2 (L2) policing table used for ingress rate limiting. SJA1105 has 45 L2 policing entries (SJA1105_MAX_L2_POLICING_COUNT); the newer SJA1110 has 110 (SJA1110_MAX_L2_POLICING_COUNT), the extra entries being per-port multicast ingress policers at index 99 + SRCPORT. To share one code path, the driver computes the multicast policer index for every port on both chips and relies on a bounds check to skip it where the chip has no such policer. That check is off by one: for port 0 on SJA1105 the computed index is 45, which equals table->ops->max_entry_count, and an index equal to the entry count is accepted instead of rejected. The driver then programs the SHARINDX field (an 8-byte write, matching the "Write of size 8" in the KASAN report) of entry 45 in a heap allocation that only holds entries 0 through 44, corrupting whatever slab object follows it. The root cause is the boundary comparison, not the hardware difference itself.

Two properties limit the severity. First, the write happens during driver probe (the KASAN trace runs deferred_probe_work_func -> sja1105_probe -> dsa_register_switch -> sja1105_setup), so it is triggered by the presence of the hardware and the driver, not by packets or unprivileged user input, and on SJA1105 it happens once per probe, for port 0 only. Second, both the target offset and the value written are fixed by the driver, so nobody outside the kernel controls what is overwritten. The realistic outcome is silent corruption of a neighbouring slab object that may surface as an unexplained crash or misbehaviour, as the commit message notes ("with enough bad luck"); the bug was found with KASAN in testing rather than from a field failure. No exploits are known, and the record carries no CVSS score (CVSS version null) and no patch links. The vulnerable code ships in every kernel that includes the SJA1105 driver before the upstream fix, so affected versions should be read from the fix commit and from distribution advisories rather than from this record.
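The following user-space model is an added example, not the kernel driver's own code. It reproduces the arithmetic in the commit message (index 45 for port 0 on a 5-port SJA1105, 99 + port on SJA1110) and shows why a check that accepts an index equal to the entry count lets that write through while the strict form rejects it. The index formula, the 11-port model of the SJA1110, the struct layout and the function names are assumptions chosen to match the numbers quoted above; the out-of-bounds write is counted rather than performed so the program does not corrupt its own heap.

```c
/* Added example (not the kernel's own code): a user-space model of the
 * bounds check in sja1105_init_l2_policing(). The index formula and the
 * 11-port SJA1110 model are assumptions that reproduce the figures in the
 * commit message: 45 for SJA1105 port 0 and 99 + port for SJA1110. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define SJA1105_NUM_TC                   8   /* traffic classes per port */
#define SJA1105_MAX_L2_POLICING_COUNT    45  /* from the commit message */
#define SJA1110_MAX_L2_POLICING_COUNT    110

/* One L2 policing entry; only SHARINDX matters here. Modelled as a u64 to
 * match the "Write of size 8" in the KASAN report. */
struct l2_policing_entry {
	uint64_t sharindx;
};

struct policing_table {
	struct l2_policing_entry *entries;  /* heap block, max_entry_count long */
	size_t max_entry_count;
};

/* Per-port multicast policer index (assumed formula): the multicast policers
 * sit after the per-TC policers and the per-port broadcast policers. */
static int mcast_policer_index(int num_ports, int port)
{
	return num_ports * (SJA1105_NUM_TC + 1) + port;
}

/* Runs the multicast part of the policer initialization loop and returns how
 * many writes would land outside the allocated table. strict == 0 models the
 * buggy "index <= count" check; strict == 1 models the fixed "index < count".
 * An out-of-bounds write is counted, not performed, so the heap stays intact. */
static int init_mcast_policers(struct policing_table *t, int num_ports, int strict)
{
	int oob = 0;

	for (int port = 0; port < num_ports; port++) {
		size_t mcast = (size_t)mcast_policer_index(num_ports, port);
		int passes_check = strict ? (mcast < t->max_entry_count)
					  : (mcast <= t->max_entry_count);

		if (!passes_check)
			continue;	/* chip has no multicast policer for this port */

		if (mcast >= t->max_entry_count) {
			oob++;		/* the kernel would write past the slab object here */
			continue;
		}
		t->entries[mcast].sharindx = (uint64_t)port;
	}
	return oob;
}

/* Allocates a table of the given size, runs the loop, frees the table and
 * returns the number of out-of-bounds writes that the chosen check allowed. */
int count_oob_writes(size_t max_entry_count, int num_ports, int strict)
{
	struct policing_table t;
	int oob;

	t.max_entry_count = max_entry_count;
	t.entries = calloc(max_entry_count, sizeof(*t.entries));
	if (!t.entries)
		return -1;
	oob = init_mcast_policers(&t, num_ports, strict);
	free(t.entries);
	return oob;
}

int main(void)
{
	printf("SJA1105 port 0 multicast index: %d (table holds %d entries)\n",
	       mcast_policer_index(5, 0), SJA1105_MAX_L2_POLICING_COUNT);
	printf("SJA1105, buggy '<=' check: %d out-of-bounds write(s)\n",
	       count_oob_writes(SJA1105_MAX_L2_POLICING_COUNT, 5, 0));
	printf("SJA1105, fixed '<' check:  %d out-of-bounds write(s)\n",
	       count_oob_writes(SJA1105_MAX_L2_POLICING_COUNT, 5, 1));
	printf("SJA1110 (11 ports), fixed '<' check: %d out-of-bounds write(s)\n",
	       count_oob_writes(SJA1110_MAX_L2_POLICING_COUNT, 11, 1));
	return 0;
}
```

The point to take from the model is that the boundary value itself is the only failing input: on SJA1105 every port other than 0 produces an index well beyond 45 and is rejected by either comparison, and on the 11-port SJA1110 all indices 99 through 109 are legitimately in bounds under both, which is why the defect only surfaces on the smaller chip and only for one port. A unit test that drives the check with index == max_entry_count would have caught it without KASAN.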
Potential Impact
For European organizations, exposure is limited to Linux systems that contain an NXP SJA1105 family switch driven by the in-kernel DSA driver, which in practice means automotive ECUs and gateways, industrial controllers and other embedded networking products rather than servers or workstations. Because the faulty write occurs once at driver probe, with an offset and a value fixed by the driver, the realistic consequence is corruption of an adjacent kernel heap object at boot that can lead to a crash, a hang or subtle misbehaviour that is hard to attribute (denial of service); it is not reachable from the network and offers no practical path to privilege escalation. Organizations running embedded Linux in critical infrastructure, vehicle fleets or industrial control systems could therefore see unexplained instability on affected units, and the defect is a latent reliability risk in products with long support lifetimes. The absence of known exploits reflects the nature of the bug rather than a lack of attention. European entities whose supply chains or products incorporate these switches should track the fix through their kernel vendor or silicon partner. The case also illustrates why driver code shared between hardware generations needs bounds checks that are tested at the exact boundary value, ideally under KASAN.
Mitigation Recommendations
To remediate this issue, organizations should:

1) Identify and inventory Linux systems that use NXP SJA1105 family switches: check for CONFIG_NET_DSA_SJA1105 in the kernel configuration, for a loaded sja1105 module or an SPI device bound to the sja1105 driver in sysfs, and for a "Probed switch chip: SJA1105..." line in the boot log. Then compare the running kernel with the version in which the distribution or board vendor backported the fix to sja1105_init_l2_policing().

2) Update to a kernel that contains the upstream fix. If the vendor kernel is not yet patched, backport the fix into the board support package; it is a one-line change to the bounds comparison in the L2 policing initialization. Disabling the driver is rarely an option in practice, since the switch provides the board's Ethernet ports and the driver is often built in rather than modular.

3) Build test and CI kernels for affected boards with KASAN enabled. This bug was found that way, and a probe-time write like this one is caught deterministically on the first boot.

4) Do not expect access controls or input filtering to reduce exposure: the vulnerable code runs during driver probe, before any packet or user input is handled, so patching is the only effective control.

5) On production kernels, which do not run KASAN, watch for unexplained oopses, hangs or slab corruption reports shortly after the switch probes; these are the observable symptoms of the out-of-bounds write, not signs of an attack.

6) Engage with the board or silicon vendor to confirm that their BSP kernel carries the fix, since automotive and industrial kernels are often pinned to old long-term branches.

7) Track the CVE in vulnerability management workflows so the fix is verified as part of the next firmware release rather than left to the upstream merge.
Affected Countries
Germany, France, Italy, United Kingdom, Netherlands, Sweden, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-08-22T01:27:53.632Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d982fc4522896dcbe67ff
Added to database: 5/21/2025, 9:09:03 AM
Last enriched: 7/1/2025, 12:42:57 AM
Last updated: 8/17/2025, 9:40:42 PM