CVE-2022-49320

MEDIUM

Linux Kernel 4.8-5.18.4 - Integer Overflow in ZynqMP DMA Channel Descriptor Allocation

Title source: llm
STIX 2.1

Description

In the Linux kernel, the following vulnerability has been resolved: dmaengine: zynqmp_dma: In struct zynqmp_dma_chan fix desc_size data type In zynqmp_dma_alloc/free_chan_resources functions there is a potential overflow in the below expressions. dma_alloc_coherent(chan->dev, (2 * chan->desc_size * ZYNQMP_DMA_NUM_DESCS), &chan->desc_pool_p, GFP_KERNEL); dma_free_coherent(chan->dev,(2 * ZYNQMP_DMA_DESC_SIZE(chan) * ZYNQMP_DMA_NUM_DESCS), chan->desc_pool_v, chan->desc_pool_p); The arguments desc_size and ZYNQMP_DMA_NUM_DESCS were 32 bit. Though this overflow condition is not observed but it is a potential problem in the case of 32-bit multiplication. Hence fix it by changing the desc_size data type to size_t. In addition to coverity fix it also reuse ZYNQMP_DMA_DESC_SIZE macro in dma_alloc_coherent API argument. Addresses-Coverity: Event overflow_before_widen.

References (6)

Core 6

Scores

CVSS v3 5.5
EPSS 0.0025
EPSS Percentile 15.7%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Details

CWE
CWE-190
Status published
Products (20)
linux/Kernel 4.8.0 - 5.4.198linux
linux/Kernel 5.11.0 - 5.15.47linux
linux/Kernel 5.16.0 - 5.17.15linux
linux/Kernel 5.18.0 - 5.18.4linux
linux/Kernel 5.5.0 - 5.10.122linux
Linux/Linux < 4.8
Linux/Linux 4.8
Linux/Linux 5.10.122 - 5.10.*
Linux/Linux 5.15.47 - 5.15.*
Linux/Linux 5.17.15 - 5.17.*
... and 10 more
Published Feb 26, 2025
Tracked Since Feb 18, 2026