
CVE-2022-49073: Vulnerability in Linux Linux

High
Published: Wed Feb 26 2025 (02/26/2025, 01:54:37 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

ata: sata_dwc_460ex: Fix crash due to OOB write

The driver uses libata's "tag" values in various arrays. Since the mentioned patch bumped the ATA_TAG_INTERNAL to 32, the value of the SATA_DWC_QCMD_MAX needs to account for that. Otherwise ATA_TAG_INTERNAL usage causes similar crashes like this as reported by Tice Rex on the OpenWrt Forum and reproduced (with symbols) here:

| BUG: Kernel NULL pointer dereference at 0x00000000
| Faulting instruction address: 0xc03ed4b8
| Oops: Kernel access of bad area, sig: 11 [#1]
| BE PAGE_SIZE=4K PowerPC 44x Platform
| CPU: 0 PID: 362 Comm: scsi_eh_1 Not tainted 5.4.163 #0
| NIP: c03ed4b8 LR: c03d27e8 CTR: c03ed36c
| REGS: cfa59950 TRAP: 0300 Not tainted (5.4.163)
| MSR: 00021000 <CE,ME> CR: 42000222 XER: 00000000
| DEAR: 00000000 ESR: 00000000
| GPR00: c03d27e8 cfa59a08 cfa55fe0 00000000 0fa46bc0 [...]
| [..]
| NIP [c03ed4b8] sata_dwc_qc_issue+0x14c/0x254
| LR [c03d27e8] ata_qc_issue+0x1c8/0x2dc
| Call Trace:
| [cfa59a08] [c003f4e0] __cancel_work_timer+0x124/0x194 (unreliable)
| [cfa59a78] [c03d27e8] ata_qc_issue+0x1c8/0x2dc
| [cfa59a98] [c03d2b3c] ata_exec_internal_sg+0x240/0x524
| [cfa59b08] [c03d2e98] ata_exec_internal+0x78/0xe0
| [cfa59b58] [c03d30fc] ata_read_log_page.part.38+0x1dc/0x204
| [cfa59bc8] [c03d324c] ata_identify_page_supported+0x68/0x130
| [...]

This is because sata_dwc_dma_xfer_complete() NULLs the dma_pending's next neighbour "chan" (a *dma_chan struct) in this '32' case right here (line ~735):

> hsdevp->dma_pending[tag] = SATA_DWC_DMA_PENDING_NONE;

Then the next time a dma gets issued, dma_dwc_xfer_setup() passes the NULL'd hsdevp->chan to the dmaengine_slave_config() which then causes the crash.

With this patch, SATA_DWC_QCMD_MAX is now set to ATA_MAX_QUEUE + 1. This avoids the OOB. But please note, there was a worthwhile discussion on what ATA_TAG_INTERNAL and ATA_MAX_QUEUE is, and why there should not be a "fake" 33 command-long queue size. Ideally, the dw driver should account for the ATA_TAG_INTERNAL. In Damien Le Moal's words: "... having looked at the driver, it is a bigger change than just faking a 33rd "tag" that is in fact not a command tag at all."

BugLink: https://github.com/openwrt/openwrt/issues/9505
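The commit message explains the bug as a size mismatch: the per-port arrays are indexed by libata tags, ATA_TAG_INTERNAL became 32, and the arrays were one slot too short, so clearing dma_pending[32] overwrote the neighbouring chan pointer. The following is an added example, not the kernel's or the driver's code, that models this with struct offsets rather than performing a real out-of-bounds write. It assumes the driver's pre-fix SATA_DWC_QCMD_MAX was 32 (equal to ATA_MAX_QUEUE, which the "33 command-long queue" remark implies) and that the port structure lays out cmd_issued, dma_pending and chan back to back as the message describes; the struct and function names here are constructed for the illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Constants as described in the commit message. The pre-fix value of
 * SATA_DWC_QCMD_MAX (32) is an assumption for this example. */
#define ATA_MAX_QUEUE        32
#define ATA_TAG_INTERNAL     ATA_MAX_QUEUE          /* bumped to 32 */
#define QCMD_MAX_OLD         ATA_MAX_QUEUE          /* assumed pre-fix size */
#define QCMD_MAX_FIXED       (ATA_MAX_QUEUE + 1)    /* size set by the fix */
#define DMA_PENDING_NONE     0

struct dma_chan;                                    /* opaque, as in the kernel */

/* Modelled pre-fix per-port layout: tag-indexed arrays directly followed
 * by the DMA channel pointer (constructed model, not the driver's struct). */
struct port_old {
    int cmd_issued[QCMD_MAX_OLD];
    int dma_pending[QCMD_MAX_OLD];
    struct dma_chan *chan;
};

/* Modelled post-fix layout: one extra slot so tag 32 stays in bounds. */
struct port_fixed {
    int cmd_issued[QCMD_MAX_FIXED];
    int dma_pending[QCMD_MAX_FIXED];
    struct dma_chan *chan;
};

/* Return 1 if a store to dma_pending[tag] (located purely by arithmetic on
 * offsets, so no memory is actually touched) would overlap the chan pointer. */
static int write_overlaps_chan(size_t array_off, size_t chan_off, unsigned int tag)
{
    size_t lo = array_off + (size_t)tag * sizeof(int);
    size_t hi = lo + sizeof(int);
    return lo < chan_off + sizeof(struct dma_chan *) && chan_off < hi;
}

int old_layout_tag_corrupts_chan(unsigned int tag)
{
    return write_overlaps_chan(offsetof(struct port_old, dma_pending),
                               offsetof(struct port_old, chan), tag);
}

int fixed_layout_tag_corrupts_chan(unsigned int tag)
{
    return write_overlaps_chan(offsetof(struct port_fixed, dma_pending),
                               offsetof(struct port_fixed, chan), tag);
}

/* Defensive completion path: reject tags the arrays cannot hold instead of
 * writing past them. Returns 0 on success, -1 for an out-of-range tag. */
int clear_dma_pending_checked(struct port_fixed *p, unsigned int tag)
{
    if (tag >= QCMD_MAX_FIXED)
        return -1;
    p->dma_pending[tag] = DMA_PENDING_NONE;
    return 0;
}

/* Convenience wrapper: run the checked clear on a fresh port and report it. */
int checked_clear_result(unsigned int tag)
{
    struct port_fixed p = {0};
    return clear_dma_pending_checked(&p, tag);
}

int main(void)
{
    printf("old layout, tag %u overwrites chan: %d\n", ATA_TAG_INTERNAL,
           old_layout_tag_corrupts_chan(ATA_TAG_INTERNAL));
    printf("fixed layout, tag %u overwrites chan: %d\n", ATA_TAG_INTERNAL,
           fixed_layout_tag_corrupts_chan(ATA_TAG_INTERNAL));
    printf("checked clear of tag %u: %d\n", ATA_TAG_INTERNAL,
           checked_clear_result(ATA_TAG_INTERNAL));
    printf("checked clear of tag %u: %d\n", QCMD_MAX_FIXED,
           checked_clear_result(QCMD_MAX_FIXED));
    return 0;
}
```

With the old layout, the 4-byte store for tag 32 lands at the very offset where chan begins, which is why the log shows a NULL dma_chan on the 32-bit PowerPC target (the store of DMA_PENDING_NONE zeroes the whole pointer). The fixed layout keeps tag 32 inside the array, and the checked variant shows the bounds test a driver would need if a tag could ever exceed the array size again.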

AI-Powered Analysis

Last updated: 07/01/2025, 01:56:32 UTC

Technical Analysis

CVE-2022-49073 is a vulnerability identified in the Linux kernel's SATA driver, specifically in the sata_dwc_460ex driver which handles SATA devices using the DesignWare Cores 460EX SATA controller. The root cause of the vulnerability is an out-of-bounds (OOB) write triggered by improper handling of ATA tag values within the driver. The Linux kernel uses libata's "tag" values to index various arrays related to command queueing for ATA devices. A recent patch increased the value of ATA_TAG_INTERNAL to 32, but the SATA_DWC_QCMD_MAX constant, which defines the maximum queue size for the driver, was not updated accordingly. This mismatch leads to an OOB write when the driver attempts to access or modify array elements beyond their allocated bounds. Specifically, the vulnerability manifests when the sata_dwc_dma_xfer_complete() function nullifies a dma_pending entry corresponding to a tag value, and subsequent DMA operations attempt to use a NULL dma_chan pointer, causing a kernel NULL pointer dereference and crash (kernel oops). The crash logs indicate a faulting instruction in sata_dwc_qc_issue(), which is part of the command issuance path. The vulnerability can cause system instability and denial of service due to kernel crashes. The patch to fix this issue involves increasing SATA_DWC_QCMD_MAX to ATA_MAX_QUEUE + 1, thereby preventing OOB access. However, this is a workaround rather than a full architectural fix, as the driver should ideally be refactored to properly handle ATA_TAG_INTERNAL without relying on a "fake" extended queue size. The vulnerability was reported and reproduced on OpenWrt systems running Linux kernel 5.4.163 on PowerPC 44x platforms, but the underlying issue affects the Linux kernel SATA driver codebase. No known exploits are currently reported in the wild, and no CVSS score has been assigned yet.

Potential Impact

For European organizations, this vulnerability poses a risk primarily to systems running Linux kernels with the affected sata_dwc_460ex driver, which is common in embedded devices, network equipment, and some server environments using DesignWare SATA controllers. The impact is mainly denial of service through kernel crashes, which can disrupt critical services, cause data loss if crashes occur during disk operations, and potentially lead to system instability. Organizations relying on embedded Linux devices such as routers, industrial control systems, or specialized hardware with this SATA controller are particularly at risk. While this vulnerability does not directly enable privilege escalation or remote code execution, the resulting denial of service can have significant operational impacts, especially in environments requiring high availability. Additionally, the crash could be triggered remotely if an attacker can induce SATA commands that exercise the vulnerable code path, increasing the threat surface. European sectors such as telecommunications, manufacturing, and critical infrastructure that deploy embedded Linux devices with this hardware are most vulnerable. The lack of known exploits reduces immediate risk, but the vulnerability should be addressed promptly to prevent potential exploitation and service disruption.

Mitigation Recommendations

1. Apply the official Linux kernel patches that fix the SATA driver by adjusting SATA_DWC_QCMD_MAX to ATA_MAX_QUEUE + 1, or move to later kernel versions where this vulnerability is resolved.
2. For embedded devices or systems where kernel upgrades are challenging, coordinate with device vendors or maintainers to obtain patched firmware or kernel images.
3. Implement monitoring for kernel oops or crashes related to SATA operations to detect potential exploitation attempts or instability.
4. Restrict access to systems with affected hardware to trusted users and networks to reduce the risk of triggering the vulnerability.
5. Conduct thorough testing of updated kernels in staging environments before deployment to ensure stability and compatibility.
6. For critical systems, consider fallback or redundancy mechanisms to maintain availability in case of unexpected crashes.
7. Engage with hardware and software vendors to confirm whether their products are affected and track updates.
8. Review and harden system configurations to minimize exposure of SATA device interfaces to untrusted inputs or remote attackers.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2025-02-26T01:49:39.245Z
Cisa Enriched: false
Cvss Version: null
State: PUBLISHED

Threat ID: 682d982fc4522896dcbe6a87

Added to database: 5/21/2025, 9:09:03 AM

Last enriched: 7/1/2025, 1:56:32 AM

Last updated: 7/29/2025, 2:12:20 AM
