CVE-2022-49569 in Linux
Summary
by MITRE • 02/26/2025
In the Linux kernel, the following vulnerability has been resolved:
spi: bcm2835: bcm2835_spi_handle_err(): fix NULL pointer deref for non DMA transfers
In case an IRQ-based transfer times out the bcm2835_spi_handle_err() function is called. Since commit 1513ceee70f2 ("spi: bcm2835: Drop dma_pending flag") the TX and RX DMA transfers are unconditionally canceled, leading to NULL pointer derefs if ctlr->dma_tx or ctlr->dma_rx are not set.
Fix the NULL pointer deref by checking that ctlr->dma_tx and ctlr->dma_rx are valid pointers before accessing them.
Analysis
by VulDB Data Team • 02/26/2025
The vulnerability CVE-2022-49569 represents a critical null pointer dereference flaw in the Linux kernel's bcm2835 SPI driver implementation. This issue specifically affects the bcm2835_spi_handle_err() function which is responsible for handling error conditions during SPI transfer operations on Broadcom BCM2835 SoC devices commonly found in Raspberry Pi systems. The flaw arises from improper handling of interrupt-driven SPI transfers that exceed their timeout thresholds, creating a scenario where the driver attempts to access DMA controller pointers that may not have been properly initialized or allocated.
The technical root cause stems from changes introduced in commit 1513ceee70f2 which eliminated the dma_pending flag and implemented unconditional cancellation of both transmit and receive DMA transfers. This modification created a race condition where the bcm2835_spi_handle_err() function attempts to dereference ctlr->dma_tx and ctlr->dma_rx pointers without proper validation. When SPI transfers time out and trigger error handling, the function assumes these DMA pointers are valid, but in non-DMA transfer scenarios or when DMA initialization fails, these pointers remain NULL, leading to immediate system crashes or kernel oops conditions. This vulnerability directly maps to CWE-476 which identifies null pointer dereference as a common software weakness that can result in denial of service or system instability.
The operational impact of this vulnerability extends beyond simple system crashes to potentially compromise the stability of embedded systems and single-board computers running Linux. Devices utilizing BCM2835 SPI controllers for critical peripheral communications such as SD card readers, display interfaces, or sensor data acquisition may experience unexpected system failures when interrupt-driven SPI transfers time out. This issue is particularly concerning in embedded environments where system reliability is paramount, as it can lead to complete system hangs or forced reboots during normal SPI operation. The vulnerability affects systems using the bcm2835 SPI driver specifically on Raspberry Pi and similar ARM-based platforms, making it relevant to a wide range of IoT and embedded applications.
Mitigation strategies for CVE-2022-49569 involve applying the kernel patch that introduces proper validation checks before accessing DMA controller pointers. The fix implements conditional validation of ctlr->dma_tx and ctlr->dma_rx pointers prior to dereferencing them, ensuring that the driver only attempts to cancel DMA transfers when these pointers are actually valid. System administrators should prioritize updating their kernel versions to include this patch, particularly in production environments where SPI-based peripherals are critical to system operation. Additionally, monitoring systems should be implemented to detect potential kernel oops or system crash events that may indicate exploitation attempts. Organizations deploying Raspberry Pi or BCM2835-based systems should conduct thorough testing of updated kernel versions to ensure compatibility with existing SPI peripheral configurations. This vulnerability demonstrates the importance of proper pointer validation in kernel drivers and aligns with ATT&CK technique T1068 which describes privilege escalation through kernel vulnerabilities, though this specific flaw primarily results in denial of service rather than privilege escalation.
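The following is an added, user-space model of the defect described in the Summary and of the pointer check the Mitigation paragraph describes; it is not the kernel's spi-bcm2835.c code. The struct and function names (struct dma_chan, struct spi_controller, dma_terminate_sync(), handle_err_unguarded(), handle_err_guarded(), make_controller()) are simplified stand-ins assumed for illustration. Because a real NULL dereference would simply crash the process, the stand-in for the DMA terminate call reports a NULL channel instead of touching it, so the pre-fix path can be compared with the post-fix path on both an interrupt-driven (no DMA channels) and a DMA-capable controller.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-in for the kernel's struct dma_chan (assumed, simplified). */
struct dma_chan {
    bool active;
};

/* Stand-in for struct spi_controller. On a controller that uses IRQ-driven
 * transfers, dma_tx and dma_rx are never set and stay NULL: this is the
 * configuration in which the unguarded error path dereferences NULL. */
struct spi_controller {
    struct dma_chan *dma_tx;
    struct dma_chan *dma_rx;
    bool tx_dma_active;
    bool rx_dma_active;
};

/* Stand-in for the DMA terminate call. The real kernel call dereferences the
 * channel immediately, so chan == NULL is the oops the CVE describes; here we
 * return -1 instead of crashing so the unguarded path can be exercised. */
static int dma_terminate_sync(struct dma_chan *chan)
{
    if (chan == NULL)
        return -1;
    chan->active = false;
    return 0;
}

/* Pre-fix behaviour: both channels are cancelled unconditionally.
 * Returns how many NULL channels were touched, i.e. how many times the real
 * driver would have crashed (0 on a DMA-capable controller). */
static int handle_err_unguarded(struct spi_controller *ctlr)
{
    int null_derefs = 0;

    if (dma_terminate_sync(ctlr->dma_tx) < 0)
        null_derefs++;
    ctlr->tx_dma_active = false;
    if (dma_terminate_sync(ctlr->dma_rx) < 0)
        null_derefs++;
    ctlr->rx_dma_active = false;
    return null_derefs;
}

/* Post-fix behaviour: a channel is only terminated if it actually exists.
 * On an IRQ-driven controller nothing is dereferenced and the count is 0. */
static int handle_err_guarded(struct spi_controller *ctlr)
{
    int null_derefs = 0;

    if (ctlr->dma_tx) {
        if (dma_terminate_sync(ctlr->dma_tx) < 0)
            null_derefs++;
        ctlr->tx_dma_active = false;
    }
    if (ctlr->dma_rx) {
        if (dma_terminate_sync(ctlr->dma_rx) < 0)
            null_derefs++;
        ctlr->rx_dma_active = false;
    }
    return null_derefs;
}

/* Build a controller in one of the two configurations the page contrasts:
 * use_dma == false leaves both channel pointers NULL (IRQ-driven transfers),
 * use_dma == true attaches two in-flight channels. */
static struct spi_controller make_controller(bool use_dma,
                                             struct dma_chan *tx,
                                             struct dma_chan *rx)
{
    struct spi_controller ctlr = { 0 };

    if (use_dma) {
        tx->active = true;
        rx->active = true;
        ctlr.dma_tx = tx;
        ctlr.dma_rx = rx;
        ctlr.tx_dma_active = true;
        ctlr.rx_dma_active = true;
    }
    return ctlr;
}

int main(void)
{
    struct dma_chan tx = { false }, rx = { false };
    struct spi_controller irq_ctlr = make_controller(false, &tx, &rx);
    struct spi_controller dma_ctlr = make_controller(true, &tx, &rx);
    int n;

    printf("IRQ-driven controller, unguarded: %d NULL deref(s)\n",
           handle_err_unguarded(&irq_ctlr));
    printf("IRQ-driven controller, guarded:   %d NULL deref(s)\n",
           handle_err_guarded(&irq_ctlr));
    n = handle_err_guarded(&dma_ctlr);
    printf("DMA controller, guarded:          %d NULL deref(s), "
           "tx active=%d rx active=%d\n", n, tx.active, rx.active);
    return 0;
}
```

Running the model on the IRQ-driven controller shows the unguarded path touching two NULL channels (the TX and RX cancellations the Summary mentions) while the guarded path touches none; on the DMA-capable controller the guarded path still cancels both channels and clears the active flags, which is the behaviour the patch preserves.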