{
  "threat_severity" : "Moderate",
  "public_date" : "2025-10-07T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: dmaengine: qcom-adm: fix wrong sizeof config in slave_config",
    "id" : "2402204",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2402204"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-1025",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\ndmaengine: qcom-adm: fix wrong sizeof config in slave_config\nFix broken slave_config function that uncorrectly compare the\nperipheral_size with the size of the config pointer instead of the size\nof the config struct. This cause the crci value to be ignored and cause\na kernel panic on any slave that use adm driver.\nTo fix this, compare to the size of the struct and NOT the size of the\npointer.", "A logic error was found in the Linux kernel Qualcomm ADM DMA engine driver's slave configuration handling. A local user with privileges to configure DMA operations can trigger DMA slave setup on Qualcomm ADM hardware, causing the driver to use an incorrect size comparison (pointer size instead of struct size) that results in ignoring critical DMA configuration values, which leads to kernel panic and denial of service." ],
  "statement" : "The issue arises because of an incorrect sizeof operator usage in the slave configuration validation code. The function compares peripheral_size against sizeof(config) where config is a pointer, rather than sizeof(*config) to get the actual structure size. On 64-bit systems, this evaluates to 8 bytes (pointer size) instead of the actual configuration structure size. The comparison always fails, causing the code path that sets the crci (connection request control information) value to be skipped. The crci value is essential for proper DMA channel operation on Qualcomm ADM hardware. When DMA operations proceed with an uninitialized or invalid crci value, the hardware configuration is incorrect and triggers a kernel panic. This occurs reliably on any system using the ADM DMA driver when slave devices attempt to configure their DMA channels—a normal operation during device initialization or data transfer setup. The impact is strictly availability; the kernel crashes before any data transfer occurs, preventing any information disclosure or integrity compromise.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-11-07T00:00:00Z",
    "advisory" : "RHSA-2023:6583",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-362.8.1.el9_3"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-11-07T00:00:00Z",
    "advisory" : "RHSA-2023:6583",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-362.8.1.el9_3"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-50540\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-50540\nhttps://lore.kernel.org/linux-cve-announce/2025100755-CVE-2022-50540-46a8@gregkh/T" ],
  "name" : "CVE-2022-50540",
  "mitigation" : {
    "value" : "To mitigate this issue, prevent the qcom_adm module from loading. See https://access.redhat.com/solutions/41278 for instructions on blacklisting kernel modules.",
    "lang" : "en:us"
  },
  "csaw" : false
}