CVE-2022-49320 in Linux
Summary
by MITRE • 02/26/2025
In the Linux kernel, the following vulnerability has been resolved:
dmaengine: zynqmp_dma: In struct zynqmp_dma_chan fix desc_size data type
In zynqmp_dma_alloc/free_chan_resources functions there is a potential overflow in the below expressions.
dma_alloc_coherent(chan->dev, (2 * chan->desc_size * ZYNQMP_DMA_NUM_DESCS), &chan->desc_pool_p, GFP_KERNEL);
dma_free_coherent(chan->dev,(2 * ZYNQMP_DMA_DESC_SIZE(chan) * ZYNQMP_DMA_NUM_DESCS), chan->desc_pool_v, chan->desc_pool_p);
The arguments desc_size and ZYNQMP_DMA_NUM_DESCS were 32 bit. Though this overflow condition is not observed, it is a potential problem in the case of 32-bit multiplication. Hence fix it by changing the desc_size data type to size_t.
In addition to the Coverity fix, it also reuses the ZYNQMP_DMA_DESC_SIZE macro in the dma_alloc_coherent API argument.
Addresses-Coverity: Event overflow_before_widen.
Analysis
by VulDB Data Team • 02/16/2026
The vulnerability CVE-2022-49320 affects the Linux kernel's zynqmp_dma driver, specifically the dmaengine subsystem. This issue resides within the struct zynqmp_dma_chan data structure, where the desc_size field was improperly defined as a 32-bit data type. The problem manifests in two critical functions, zynqmp_dma_alloc_chan_resources and zynqmp_dma_free_chan_resources, which handle allocation and deallocation of the DMA descriptor pool. The root cause is a potential integer overflow in the arithmetic involving desc_size and ZYNQMP_DMA_NUM_DESCS, both of which were 32-bit values. When these values are multiplied together to size the descriptor pool, the result could exceed the maximum value representable by a 32-bit signed integer, so the calculation wraps around and produces an incorrect allocation size. This vulnerability aligns with CWE-191 Integer Underflow/Overflow, specifically the overflow_before_widen pattern identified by Coverity static analysis tools. The issue represents a potential security risk because an incorrect allocation size could lead to memory corruption, buffer overflows, or other undefined behavior that might be exploitable by malicious actors.
The technical flaw occurs in the memory management routines of the zynqmp_dma driver, where the multiplication (2 * chan->desc_size * ZYNQMP_DMA_NUM_DESCS) is evaluated entirely in 32-bit arithmetic and only afterwards widened to the size_t parameter of dma_alloc_coherent. When desc_size is a 32-bit integer and the product exceeds 2^31-1, the overflow condition triggers, potentially causing the DMA subsystem to allocate an insufficient or otherwise incorrect amount of memory for the descriptor pool. This can lead to memory corruption when the driver later accesses memory beyond the allocated boundary. The fix changes the desc_size data type from 32-bit to size_t, a platform-dependent unsigned integer type that is typically 64-bit on modern systems, so the whole product is computed at the wider width and the overflow possibility is eliminated. Additionally, the implementation was updated to reuse the existing ZYNQMP_DMA_DESC_SIZE macro within the dma_alloc_coherent API call, improving code consistency and maintainability. The fix addresses the overflow_before_widen event pattern as identified by Coverity, which is categorized under the broader ATT&CK technique T1059.001 Command and Scripting Interpreter - PowerShell, though the actual attack vector would be through memory corruption exploitation rather than direct command execution.
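As an added illustration, not code from the kernel driver or from this page, the following constructed C program mirrors the pre-fix and post-fix size expressions with a stand-in channel struct, and adds a checked variant that uses the GCC/Clang __builtin_mul_overflow builtin in place of the kernel's check_mul_overflow(). The 64 MiB descriptor size is a constructed value chosen so that the 32-bit product wraps to exactly zero; it is not a value the driver uses.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ZYNQMP_DMA_NUM_DESCS 32   /* same descriptor count the driver uses */

/* Constructed stand-ins for struct zynqmp_dma_chan, before and after the fix. */
struct chan_before { uint32_t desc_size; };   /* pre-fix: 32-bit field  */
struct chan_after  { size_t   desc_size; };   /* post-fix: size_t field */

/* Pre-fix expression: every operand is 32-bit, so the product is computed
 * modulo 2^32 and only then widened to size_t (Coverity's overflow_before_widen). */
size_t pool_size_before(const struct chan_before *chan)
{
    return 2 * chan->desc_size * ZYNQMP_DMA_NUM_DESCS;
}

/* Post-fix expression: desc_size is size_t, so the whole product is
 * evaluated at size_t width (64-bit on the platforms this is compiled for). */
size_t pool_size_after(const struct chan_after *chan)
{
    return 2 * chan->desc_size * ZYNQMP_DMA_NUM_DESCS;
}

/* Defensive variant: refuse the allocation size if the multiplication would
 * wrap at size_t width. Returns 0 on success, -1 on overflow. */
int pool_size_checked(size_t desc_size, size_t *out)
{
    size_t doubled;
    if (__builtin_mul_overflow(desc_size, (size_t)2, &doubled))
        return -1;
    if (__builtin_mul_overflow(doubled, (size_t)ZYNQMP_DMA_NUM_DESCS, out))
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed descriptor size: 2 * 64 MiB * 32 == 2^32, which is 0 in 32 bits. */
    struct chan_before before = { 0x4000000u };
    struct chan_after  after  = { (size_t)0x4000000u };
    size_t checked = 0;

    printf("32-bit product : %zu bytes\n", pool_size_before(&before));
    printf("size_t product : %zu bytes\n", pool_size_after(&after));
    if (pool_size_checked(SIZE_MAX, &checked) < 0)
        printf("checked variant: rejected SIZE_MAX descriptor size\n");
    return 0;
}
```

With the constructed value the pre-fix expression returns 0, so a pool of zero bytes would be requested while the driver still believes it holds 2 * 32 descriptors.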
The operational impact of this vulnerability extends beyond simple memory allocation issues to potentially compromise system stability and security. When the DMA subsystem fails due to incorrect memory allocation, it can cause system crashes, data corruption, or denial of service conditions that affect real-time processing capabilities. The zynqmp_dma driver is primarily used in Xilinx Zynq UltraScale+ MPSoC platforms, which are commonly found in embedded systems, automotive applications, and industrial control systems where reliability is critical. The vulnerability affects systems that utilize the DMA engine for high-speed data transfers between memory and peripheral devices, particularly in scenarios involving large descriptor pools or high-bandwidth operations. Attackers could potentially exploit this weakness to cause system instability or, in more sophisticated scenarios, to manipulate memory layouts for privilege escalation or code execution. The fix ensures that memory allocation calculations properly handle large values without overflow, maintaining the integrity of the DMA subsystem and preventing potential exploitation pathways. This vulnerability demonstrates the importance of proper data type selection in kernel space programming and highlights how seemingly minor type definition issues can lead to significant security implications in embedded systems and real-time operating environments.