CVE-2022-50625 - Vulnerability Details

Vendors	Products
Linux Subscribe	Linux Kernel Subscribe

Link	Providers
https://git.kernel.org/stable/c/1c5f0d3f480abd8c26761b6b1f486822e77faea3
https://git.kernel.org/stable/c/38a10fdd54d17590d45cb1c43b9889da383b6b1a
https://git.kernel.org/stable/c/64bc5dbc3260230e2f022288c71e5c680059384a
https://git.kernel.org/stable/c/78d837ce20517e0c1ff3ebe08ad64636e02c2e48
https://git.kernel.org/stable/c/94cdb9f33698478b0e7062586633c42c6158a786
https://git.kernel.org/stable/c/965f07ea5fd1b9591bcccc825a93ad883e56222c
https://git.kernel.org/stable/c/a4ea20ab82aa2b197dc7b08f51e1d615578276a0
https://git.kernel.org/stable/c/d5b16eb076f46c88d02d41ece5bec4e0d89158bb
https://git.kernel.org/stable/c/d71a611fca1984c0765f9317ff471ac8cd0e3e2f

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: serial: amba-pl011: avoid SBSA UART accessing DMACR register Chapter "B Generic UART" in "ARM Server Base System Architecture" [1] documentation describes a generic UART interface. Such generic UART does not support DMA. In current code, sbsa_uart_pops and amba_pl011_pops share the same stop_rx operation, which will invoke pl011_dma_rx_stop, leading to an access of the DMACR register. This commit adds a using_rx_dma check in pl011_dma_rx_stop to avoid the access to DMACR register for SBSA UARTs which does not support DMA. When the kernel enables DMA engine with "CONFIG_DMA_ENGINE=y", Linux SBSA PL011 driver will access PL011 DMACR register in some functions. For most real SBSA Pl011 hardware implementations, the DMACR write behaviour will be ignored. So these DMACR operations will not cause obvious problems. But for some virtual SBSA PL011 hardware, like Xen virtual SBSA PL011 (vpl011) device, the behaviour might be different. Xen vpl011 emulation will inject a data abort to guest, when guest is accessing an unimplemented UART register. As Xen VPL011 is SBSA compatible, it will not implement DMACR register. So when Linux SBSA PL011 driver access DMACR register, it will get an unhandled data abort fault and the application will get a segmentation fault: Unhandled fault at 0xffffffc00944d048 Mem abort info: ESR = 0x96000000 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x00: ttbr address size fault Data abort info: ISV = 0, ISS = 0x00000000 CM = 0, WnR = 0 swapper pgtable: 4k pages, 39-bit VAs, pgdp=0000000020e2e000 [ffffffc00944d048] pgd=100000003ffff803, p4d=100000003ffff803, pud=100000003ffff803, pmd=100000003fffa803, pte=006800009c090f13 Internal error: ttbr address size fault: 96000000 [#1] PREEMPT SMP ... Call trace: pl011_stop_rx+0x70/0x80 tty_port_shutdown+0x7c/0xb4 tty_port_close+0x60/0xcc uart_close+0x34/0x8c tty_release+0x144/0x4c0 __fput+0x78/0x220 ____fput+0x1c/0x30 task_work_run+0x88/0xc0 do_notify_resume+0x8d0/0x123c el0_svc+0xa8/0xc0 el0t_64_sync_handler+0xa4/0x130 el0t_64_sync+0x1a0/0x1a4 Code: b9000083 b901f001 794038a0 8b000042 (b9000041) ---[ end trace 83dd93df15c3216f ]--- note: bootlogd[132] exited with preempt_count 1 /etc/rcS.d/S07bootlogd: line 47: 132 Segmentation fault start-stop-daemon This has been discussed in the Xen community, and we think it should fix this in Linux. See [2] for more information. [1] https://developer.arm.com/documentation/den0094/c/?lang=en [2] https://lists.xenproject.org/archives/html/xen-devel/2022-11/msg00543.html
Title		serial: amba-pl011: avoid SBSA UART accessing DMACR register
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/1c5f0d3f480abd8c26761b6b1f486822e77faea3 https://git.kernel.org/stable/c/38a10fdd54d17590d45cb1c43b9889da383b6b1a https://git.kernel.org/stable/c/64bc5dbc3260230e2f022288c71e5c680059384a https://git.kernel.org/stable/c/78d837ce20517e0c1ff3ebe08ad64636e02c2e48 https://git.kernel.org/stable/c/94cdb9f33698478b0e7062586633c42c6158a786 https://git.kernel.org/stable/c/965f07ea5fd1b9591bcccc825a93ad883e56222c https://git.kernel.org/stable/c/a4ea20ab82aa2b197dc7b08f51e1d615578276a0 https://git.kernel.org/stable/c/d5b16eb076f46c88d02d41ece5bec4e0d89158bb https://git.kernel.org/stable/c/d71a611fca1984c0765f9317ff471ac8cd0e3e2f

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2022-50625", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-12-08T01:14:55.190Z", "datePublished": "2025-12-08T01:16:39.642Z", "dateUpdated": "2025-12-08T01:16:39.642Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-12-08T01:16:39.642Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: amba-pl011: avoid SBSA UART accessing DMACR register\n\nChapter \"B Generic UART\" in \"ARM Server Base System Architecture\" [1]\ndocumentation describes a generic UART interface. Such generic UART\ndoes not support DMA. In current code, sbsa_uart_pops and\namba_pl011_pops share the same stop_rx operation, which will invoke\npl011_dma_rx_stop, leading to an access of the DMACR register. This\ncommit adds a using_rx_dma check in pl011_dma_rx_stop to avoid the\naccess to DMACR register for SBSA UARTs which does not support DMA.\n\nWhen the kernel enables DMA engine with \"CONFIG_DMA_ENGINE=y\", Linux\nSBSA PL011 driver will access PL011 DMACR register in some functions.\nFor most real SBSA Pl011 hardware implementations, the DMACR write\nbehaviour will be ignored. So these DMACR operations will not cause\nobvious problems. But for some virtual SBSA PL011 hardware, like Xen\nvirtual SBSA PL011 (vpl011) device, the behaviour might be different.\nXen vpl011 emulation will inject a data abort to guest, when guest is\naccessing an unimplemented UART register. As Xen VPL011 is SBSA\ncompatible, it will not implement DMACR register. So when Linux SBSA\nPL011 driver access DMACR register, it will get an unhandled data abort\nfault and the application will get a segmentation fault:\nUnhandled fault at 0xffffffc00944d048\nMem abort info:\n ESR = 0x96000000\n EC = 0x25: DABT (current EL), IL = 32 bits\n SET = 0, FnV = 0\n EA = 0, S1PTW = 0\n FSC = 0x00: ttbr address size fault\nData abort info:\n ISV = 0, ISS = 0x00000000\n CM = 0, WnR = 0\nswapper pgtable: 4k pages, 39-bit VAs, pgdp=0000000020e2e000\n[ffffffc00944d048] pgd=100000003ffff803, p4d=100000003ffff803, pud=100000003ffff803, pmd=100000003fffa803, pte=006800009c090f13\nInternal error: ttbr address size fault: 96000000 [#1] PREEMPT SMP\n...\nCall trace:\n pl011_stop_rx+0x70/0x80\n tty_port_shutdown+0x7c/0xb4\n tty_port_close+0x60/0xcc\n uart_close+0x34/0x8c\n tty_release+0x144/0x4c0\n __fput+0x78/0x220\n ____fput+0x1c/0x30\n task_work_run+0x88/0xc0\n do_notify_resume+0x8d0/0x123c\n el0_svc+0xa8/0xc0\n el0t_64_sync_handler+0xa4/0x130\n el0t_64_sync+0x1a0/0x1a4\nCode: b9000083 b901f001 794038a0 8b000042 (b9000041)\n---[ end trace 83dd93df15c3216f ]---\nnote: bootlogd[132] exited with preempt_count 1\n/etc/rcS.d/S07bootlogd: line 47: 132 Segmentation fault start-stop-daemon\n\nThis has been discussed in the Xen community, and we think it should fix\nthis in Linux. See [2] for more information.\n\n[1] https://developer.arm.com/documentation/den0094/c/?lang=en\n[2] https://lists.xenproject.org/archives/html/xen-devel/2022-11/msg00543.html"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/tty/serial/amba-pl011.c"], "versions": [{"version": "0dd1e247fd39aed20fd2baacc62ca44d82534798", "lessThan": "1c5f0d3f480abd8c26761b6b1f486822e77faea3", "status": "affected", "versionType": "git"}, {"version": "0dd1e247fd39aed20fd2baacc62ca44d82534798", "lessThan": "a4ea20ab82aa2b197dc7b08f51e1d615578276a0", "status": "affected", "versionType": "git"}, {"version": "0dd1e247fd39aed20fd2baacc62ca44d82534798", "lessThan": "78d837ce20517e0c1ff3ebe08ad64636e02c2e48", "status": "affected", "versionType": "git"}, {"version": "0dd1e247fd39aed20fd2baacc62ca44d82534798", "lessThan": "965f07ea5fd1b9591bcccc825a93ad883e56222c", "status": "affected", "versionType": "git"}, {"version": "0dd1e247fd39aed20fd2baacc62ca44d82534798", "lessThan": "d5b16eb076f46c88d02d41ece5bec4e0d89158bb", "status": "affected", "versionType": "git"}, {"version": "0dd1e247fd39aed20fd2baacc62ca44d82534798", "lessThan": "d71a611fca1984c0765f9317ff471ac8cd0e3e2f", "status": "affected", "versionType": "git"}, {"version": "0dd1e247fd39aed20fd2baacc62ca44d82534798", "lessThan": "38a10fdd54d17590d45cb1c43b9889da383b6b1a", "status": "affected", "versionType": "git"}, {"version": "0dd1e247fd39aed20fd2baacc62ca44d82534798", "lessThan": "64bc5dbc3260230e2f022288c71e5c680059384a", "status": "affected", "versionType": "git"}, {"version": "0dd1e247fd39aed20fd2baacc62ca44d82534798", "lessThan": "94cdb9f33698478b0e7062586633c42c6158a786", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/tty/serial/amba-pl011.c"], "versions": [{"version": "4.2", "status": "affected"}, {"version": "0", "lessThan": "4.2", "status": "unaffected", "versionType": "semver"}, {"version": "4.9.337", "lessThanOrEqual": "4.9.*", "status": "unaffected", "versionType": "semver"}, {"version": "4.14.303", "lessThanOrEqual": "4.14.*", "status": "unaffected", "versionType": "semver"}, {"version": "4.19.270", "lessThanOrEqual": "4.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.4.229", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.163", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.86", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.0.16", "lessThanOrEqual": "6.0.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.2", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.2", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.2", "versionEndExcluding": "4.9.337"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.2", "versionEndExcluding": "4.14.303"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.2", "versionEndExcluding": "4.19.270"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.2", "versionEndExcluding": "5.4.229"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.2", "versionEndExcluding": "5.10.163"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.2", "versionEndExcluding": "5.15.86"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.2", "versionEndExcluding": "6.0.16"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.2", "versionEndExcluding": "6.1.2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.2", "versionEndExcluding": "6.2"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/1c5f0d3f480abd8c26761b6b1f486822e77faea3"}, {"url": "https://git.kernel.org/stable/c/a4ea20ab82aa2b197dc7b08f51e1d615578276a0"}, {"url": "https://git.kernel.org/stable/c/78d837ce20517e0c1ff3ebe08ad64636e02c2e48"}, {"url": "https://git.kernel.org/stable/c/965f07ea5fd1b9591bcccc825a93ad883e56222c"}, {"url": "https://git.kernel.org/stable/c/d5b16eb076f46c88d02d41ece5bec4e0d89158bb"}, {"url": "https://git.kernel.org/stable/c/d71a611fca1984c0765f9317ff471ac8cd0e3e2f"}, {"url": "https://git.kernel.org/stable/c/38a10fdd54d17590d45cb1c43b9889da383b6b1a"}, {"url": "https://git.kernel.org/stable/c/64bc5dbc3260230e2f022288c71e5c680059384a"}, {"url": "https://git.kernel.org/stable/c/94cdb9f33698478b0e7062586633c42c6158a786"}], "title": "serial: amba-pl011: avoid SBSA UART accessing DMACR register", "x_generator": {"engine": "bippy-1.2.0"}}}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: amba-pl011: avoid SBSA UART accessing DMACR register\n\nChapter \"B Generic UART\" in \"ARM Server Base System Architecture\" [1]\ndocumentation describes a generic UART interface. Such generic UART\ndoes not support DMA. In current code, sbsa_uart_pops and\namba_pl011_pops share the same stop_rx operation, which will invoke\npl011_dma_rx_stop, leading to an access of the DMACR register. This\ncommit adds a using_rx_dma check in pl011_dma_rx_stop to avoid the\naccess to DMACR register for SBSA UARTs which does not support DMA.\n\nWhen the kernel enables DMA engine with \"CONFIG_DMA_ENGINE=y\", Linux\nSBSA PL011 driver will access PL011 DMACR register in some functions.\nFor most real SBSA Pl011 hardware implementations, the DMACR write\nbehaviour will be ignored. So these DMACR operations will not cause\nobvious problems. But for some virtual SBSA PL011 hardware, like Xen\nvirtual SBSA PL011 (vpl011) device, the behaviour might be different.\nXen vpl011 emulation will inject a data abort to guest, when guest is\naccessing an unimplemented UART register. As Xen VPL011 is SBSA\ncompatible, it will not implement DMACR register. So when Linux SBSA\nPL011 driver access DMACR register, it will get an unhandled data abort\nfault and the application will get a segmentation fault:\nUnhandled fault at 0xffffffc00944d048\nMem abort info:\n ESR = 0x96000000\n EC = 0x25: DABT (current EL), IL = 32 bits\n SET = 0, FnV = 0\n EA = 0, S1PTW = 0\n FSC = 0x00: ttbr address size fault\nData abort info:\n ISV = 0, ISS = 0x00000000\n CM = 0, WnR = 0\nswapper pgtable: 4k pages, 39-bit VAs, pgdp=0000000020e2e000\n[ffffffc00944d048] pgd=100000003ffff803, p4d=100000003ffff803, pud=100000003ffff803, pmd=100000003fffa803, pte=006800009c090f13\nInternal error: ttbr address size fault: 96000000 [#1] PREEMPT SMP\n...\nCall trace:\n pl011_stop_rx+0x70/0x80\n tty_port_shutdown+0x7c/0xb4\n tty_port_close+0x60/0xcc\n uart_close+0x34/0x8c\n tty_release+0x144/0x4c0\n __fput+0x78/0x220\n ____fput+0x1c/0x30\n task_work_run+0x88/0xc0\n do_notify_resume+0x8d0/0x123c\n el0_svc+0xa8/0xc0\n el0t_64_sync_handler+0xa4/0x130\n el0t_64_sync+0x1a0/0x1a4\nCode: b9000083 b901f001 794038a0 8b000042 (b9000041)\n---[ end trace 83dd93df15c3216f ]---\nnote: bootlogd[132] exited with preempt_count 1\n/etc/rcS.d/S07bootlogd: line 47: 132 Segmentation fault start-stop-daemon\n\nThis has been discussed in the Xen community, and we think it should fix\nthis in Linux. See [2] for more information.\n\n[1] https://developer.arm.com/documentation/den0094/c/?lang=en\n[2] https://lists.xenproject.org/archives/html/xen-devel/2022-11/msg00543.html"}], "id": "CVE-2022-50625", "lastModified": "2025-12-08T02:15:48.510", "metrics": {}, "published": "2025-12-08T02:15:48.510", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/1c5f0d3f480abd8c26761b6b1f486822e77faea3"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/38a10fdd54d17590d45cb1c43b9889da383b6b1a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/64bc5dbc3260230e2f022288c71e5c680059384a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/78d837ce20517e0c1ff3ebe08ad64636e02c2e48"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/94cdb9f33698478b0e7062586633c42c6158a786"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/965f07ea5fd1b9591bcccc825a93ad883e56222c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/a4ea20ab82aa2b197dc7b08f51e1d615578276a0"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/d5b16eb076f46c88d02d41ece5bec4e0d89158bb"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/d71a611fca1984c0765f9317ff471ac8cd0e3e2f"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

Metrics

Affected Vendors & Products

Projects

Metrics

Affected Vendors & Products

Projects

JSON object

JSON object

JSON object

JSON object

JSON object