CVE-2022-49512 in Linux

Summary

by MITRE • 02/26/2025

In the Linux kernel, the following vulnerability has been resolved:

mtd: rawnand: denali: Use managed device resources

All of the resources used by this driver have managed interfaces, so use them. Otherwise we will get the following splat:

[ 4.472703] denali-nand-pci 0000:00:05.0: timeout while waiting for irq 0x1000
[ 4.474071] denali-nand-pci: probe of 0000:00:05.0 failed with error -5
[ 4.473538] nand: No NAND device found
[ 4.474068] BUG: unable to handle page fault for address: ffffc90005000410
[ 4.475169] #PF: supervisor write access in kernel mode
[ 4.475579] #PF: error_code(0x0002) - not-present page
[ 4.478362] RIP: 0010:iowrite32+0x9/0x50
[ 4.486068] Call Trace:
[ 4.486269]
[ 4.486443] denali_isr+0x15b/0x300 [denali]
[ 4.486788] ? denali_direct_write+0x50/0x50 [denali]
[ 4.487189] __handle_irq_event_percpu+0x161/0x3b0
[ 4.487571] handle_irq_event+0x7d/0x1b0
[ 4.487884] handle_fasteoi_irq+0x2b0/0x770
[ 4.488219] __common_interrupt+0xc8/0x1b0
[ 4.488549] common_interrupt+0x9a/0xc0


Analysis

by VulDB Data Team • 10/21/2025

The vulnerability described in CVE-2022-49512 affects the Linux kernel's MTD (Memory Technology Device) subsystem, specifically within the denali NAND flash controller driver. This issue manifests as a resource management problem that leads to system instability and potential denial of service conditions. The denali driver is responsible for managing NAND flash memory devices connected via PCI interfaces, and the vulnerability stems from improper handling of device resources during driver initialization and operation. When the driver fails to properly manage its resources, it creates a cascade of failures that ultimately results in system crashes and device unavailability.

The technical flaw lies in the driver's failure to utilize managed device resources, which is a critical aspect of modern Linux kernel development practices. Managed resources automatically handle allocation and deallocation during driver lifecycle events, preventing memory leaks and resource conflicts. When the denali NAND controller driver does not employ these managed interfaces, it leaves resources in an inconsistent state, particularly during interrupt handling and device initialization phases. The error messages indicate a timeout condition during interrupt waiting, followed by a page fault error when attempting to write to memory address ffffc90005000410, which demonstrates the kernel's inability to properly manage memory access after resource mismanagement.

The operational impact of this vulnerability extends beyond simple device failure to encompass potential system crashes and complete denial of service. The reported page fault error code 0x0002 indicates a supervisor write access to a non-present page, suggesting that the driver attempted to access memory that was either freed or never allocated properly. This condition typically occurs when resource cleanup operations fail or when the driver attempts to access hardware registers after they have been released. The fault inside iowrite32, called from denali_isr in the trace above, indicates that the driver is trying to write to a hardware register that is no longer properly mapped or accessible, which can occur when resource management is not properly implemented. This vulnerability affects systems using denali NAND controllers, particularly those in embedded environments where NAND flash is commonly used for storage and boot operations.

Mitigation strategies for this vulnerability involve ensuring that all device resources are properly managed through the kernel's managed resource interfaces. The fix implemented in the kernel resolves this by making the driver use managed device resources, which automatically handle resource cleanup during driver unloading and error conditions. System administrators should ensure their kernels are updated to versions containing the fix, typically those incorporating the commit that addresses the resource management issue. The solution aligns with common weakness enumeration CWE-691, which addresses insufficient control of a resource through a long-lived control reference, and follows ATT&CK technique T1499.001 for endpoint denial of service through resource exhaustion. Organizations should also implement proper monitoring for interrupt timeout conditions and memory access violations in systems using affected drivers, as these symptoms can indicate resource management failures that may lead to more severe system instability.
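The monitoring suggested above can be done by matching this splat's signature in the kernel log: a page fault whose call trace contains a confirmed frame from the denali module, optionally preceded by a failed denali-nand-pci probe. The following Python is an added example, not code from the kernel, MITRE or VulDB; the function name find_denali_splats and the fields of each finding are assumptions, and the sample input is the log excerpt quoted in the summary.

```python
import re

# Log lines copied from the splat quoted on this page (trace abbreviated there).
# Their timestamps are not monotonic, so matching relies on line order only.
SAMPLE_LOG = """\
[ 4.472703] denali-nand-pci 0000:00:05.0: timeout while waiting for irq 0x1000
[ 4.474071] denali-nand-pci: probe of 0000:00:05.0 failed with error -5
[ 4.473538] nand: No NAND device found
[ 4.474068] BUG: unable to handle page fault for address: ffffc90005000410
[ 4.475169] #PF: supervisor write access in kernel mode
[ 4.475579] #PF: error_code(0x0002) - not-present page
[ 4.478362] RIP: 0010:iowrite32+0x9/0x50
[ 4.486068] Call Trace:
[ 4.486443] denali_isr+0x15b/0x300 [denali]
[ 4.486788] ? denali_direct_write+0x50/0x50 [denali]
"""
LINE = re.compile(r"^\[\s*\d+\.\d+\]\s*(.*)$")
PROBE_FAIL = re.compile(r"denali-nand-pci: probe of (\S+) failed with error (-?\d+)")
FAULT = re.compile(r"BUG: unable to handle page fault for address: ([0-9a-f]+)")
RIP = re.compile(r"^RIP: [0-9a-f]+:(\w+)\+0x")
# A leading "?" marks a frame the unwinder could not confirm, so it is not matched.
FRAME = re.compile(r"^(\w+)\+0x[0-9a-f]+/0x[0-9a-f]+ \[denali\]$")


def find_denali_splats(log_text):
    """Return one finding per page fault whose trace has a confirmed denali frame."""
    findings, failed_probe, fault = [], None, None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        msg = m.group(1)
        if p := PROBE_FAIL.search(msg):
            failed_probe = {"device": p.group(1), "errno": int(p.group(2))}
        elif f := FAULT.search(msg):
            fault = {"address": f.group(1), "rip": None, "access": None}
        elif fault is None:
            continue  # trace details only matter once a fault has been seen
        elif msg.startswith("#PF:") and "access" in msg:
            fault["access"] = msg[len("#PF: "):]
        elif r := RIP.match(msg):
            fault["rip"] = r.group(1)
        elif fr := FRAME.match(msg):
            findings.append({**fault, "frame": fr.group(1), "failed_probe": failed_probe})
            fault = None  # report each fault once
    return findings

if __name__ == "__main__":
    print(find_denali_splats(SAMPLE_LOG))
```

A finding with a non-empty failed_probe is the pattern on this page: the interrupt handler ran after the probe had already failed.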

Responsible: Linux
Reservation: 02/26/2025
Disclosure: 02/26/2025
Moderation: accepted
CPE: ready
EPSS: 0.00240
KEV: no
Activities: very low
