CVE-2022-50647 (GCVE-0-2022-50647)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:00 – Updated: 2025-12-09 00:00
Title
RISC-V: Make port I/O string accessors actually work
Summary
In the Linux kernel, the following vulnerability has been resolved:
RISC-V: Make port I/O string accessors actually work
Fix port I/O string accessors such as `insb', `outsb', etc. which use
the physical PCI port I/O address rather than the corresponding memory
mapping to get at the requested location, which in turn breaks at least
accesses made by our parport driver to a PCIe parallel port such as:
```
PCI parallel port detected: 1415:c118, I/O at 0x1000(0x1008), IRQ 20
parport0: PC-style at 0x1000 (0x1008), irq 20, using FIFO [PCSPP,TRISTATE,COMPAT,EPP,ECP]
```
causing a memory access fault:
```
Unable to handle kernel access to user memory without uaccess routines at virtual address 0000000000001008
Oops [#1]
Modules linked in:
CPU: 1 PID: 350 Comm: cat Not tainted 6.0.0-rc2-00283-g10d4879f9ef0-dirty #23
Hardware name: SiFive HiFive Unmatched A00 (DT)
epc : parport_pc_fifo_write_block_pio+0x266/0x416
ra : parport_pc_fifo_write_block_pio+0xb4/0x416
epc : ffffffff80542c3e ra : ffffffff80542a8c sp : ffffffd88899fc60
gp : ffffffff80fa2700 tp : ffffffd882b1e900 t0 : ffffffd883d0b000
t1 : ffffffffff000002 t2 : 4646393043330a38 s0 : ffffffd88899fcf0
s1 : 0000000000001000 a0 : 0000000000000010 a1 : 0000000000000000
a2 : ffffffd883d0a010 a3 : 0000000000000023 a4 : 00000000ffff8fbb
a5 : ffffffd883d0a001 a6 : 0000000100000000 a7 : ffffffc800000000
s2 : ffffffffff000002 s3 : ffffffff80d28880 s4 : ffffffff80fa1f50
s5 : 0000000000001008 s6 : 0000000000000008 s7 : ffffffd883d0a000
s8 : 0004000000000000 s9 : ffffffff80dc1d80 s10: ffffffd8807e4000
s11: 0000000000000000 t3 : 00000000000000ff t4 : 393044410a303930
t5 : 0000000000001000 t6 : 0000000000040000
status: 0000000200000120 badaddr: 0000000000001008 cause: 000000000000000f
[<ffffffff80543212>] parport_pc_compat_write_block_pio+0xfe/0x200
[<ffffffff8053bbc0>] parport_write+0x46/0xf8
[<ffffffff8050530e>] lp_write+0x158/0x2d2
[<ffffffff80185716>] vfs_write+0x8e/0x2c2
[<ffffffff80185a74>] ksys_write+0x52/0xc2
[<ffffffff80185af2>] sys_write+0xe/0x16
[<ffffffff80003770>] ret_from_syscall+0x0/0x2
---[ end trace 0000000000000000 ]---
```
For simplicity address the problem by adding PCI_IOBASE to the physical
address requested in the respective wrapper macros only, observing that
the raw accessors such as `__insb', `__outsb', etc. are not supposed to
be used other than by said macros. Remove the cast to `long' that is no
longer needed on `addr' now that it is used as an offset from PCI_IOBASE
and add parentheses around `addr' needed for predictable evaluation in
macro expansion. No need to make said adjustments in separate changes
given that current code is gravely broken and does not ever work.
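A user-space C model of the bug and the fix described in the commit message above, added here as an illustration; it is not the kernel's code. `MODEL_PCI_IOBASE`, `io_window`, `model_raw_outsb`, `write_fifo` and the `outsb_broken`/`outsb_fixed` wrappers are hypothetical stand-ins, and the out-of-window check takes the place of the real access fault.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model: a 64 KiB buffer stands in for the memory-mapped PCI
 * port I/O window; MODEL_PCI_IOBASE is a hypothetical stand-in for PCI_IOBASE. */
#define IO_WINDOW_SIZE 0x10000u
static uint8_t io_window[IO_WINDOW_SIZE];
#define MODEL_PCI_IOBASE ((volatile uint8_t *)io_window)

/* Raw string accessor: stores count bytes to one port (a FIFO register).
 * Returns -1 where the kernel would take the access fault instead. */
static int model_raw_outsb(volatile uint8_t *port, const void *buf, size_t count)
{
    uintptr_t a = (uintptr_t)port, lo = (uintptr_t)io_window;
    const uint8_t *src = buf;

    if (a < lo || a - lo >= IO_WINDOW_SIZE)
        return -1;
    while (count--)
        *port = *src++;
    return 0;
}

/* Pre-fix wrapper shape: the port number itself is cast to a pointer. */
#define outsb_broken(addr, buf, count) \
    model_raw_outsb((volatile uint8_t *)(long)addr, buf, count)

/* Post-fix wrapper shape: the port number is an offset from the I/O base,
 * parenthesised so that expression arguments expand predictably. */
#define outsb_fixed(addr, buf, count) \
    model_raw_outsb(MODEL_PCI_IOBASE + (addr), buf, count)

/* Ports 0x1000 and 0x1008 are the values from the parport log above. */
static int write_fifo(int fixed, int high_base, const void *buf, size_t n)
{
    if (fixed)
        return outsb_fixed(high_base ? 0x1008 : 0x1000, buf, n);
    return outsb_broken(0x1008, buf, n);
}

int main(void)
{
    int broken = write_fifo(0, 1, "AB", 2), fixed = write_fifo(1, 1, "AB", 2);

    printf("broken=%d fixed=%d port[0x1008]=%c\n", broken, fixed, io_window[0x1008]);
    return 0;
}
```

The pre-fix wrapper hands the raw accessor the bare port number `0x1008` as a pointer, which matches the `badaddr` in the oops; the fixed wrapper lands inside the mapped window.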
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: fab957c11efe2f405e08b9f0d080524bc2631428 , < 2c60db6869fe5213471fcf4fe5704dc29da8b5ee (git) |
| Linux | Linux | Affected: fab957c11efe2f405e08b9f0d080524bc2631428 , < 2ce9fab94b8db61f014e43ddf80dd1524ae6dff4 (git) |
| Linux | Linux | Affected: fab957c11efe2f405e08b9f0d080524bc2631428 , < dc235db7b79a352d07d62e8757ad856dbf1564c1 (git) |
| Linux | Linux | Affected: fab957c11efe2f405e08b9f0d080524bc2631428 , < 140b2b92dbefffa7f4f7211a1fd399a6e79e71c4 (git) |
| Linux | Linux | Affected: fab957c11efe2f405e08b9f0d080524bc2631428 , < 1acee4616930fc07265cb8e539753a8062daa8e0 (git) |
| Linux | Linux | Affected: fab957c11efe2f405e08b9f0d080524bc2631428 , < 9cc205e3c17d5716da7ebb7fa0c985555e95d009 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/riscv/include/asm/io.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2c60db6869fe5213471fcf4fe5704dc29da8b5ee",
"status": "affected",
"version": "fab957c11efe2f405e08b9f0d080524bc2631428",
"versionType": "git"
},
{
"lessThan": "2ce9fab94b8db61f014e43ddf80dd1524ae6dff4",
"status": "affected",
"version": "fab957c11efe2f405e08b9f0d080524bc2631428",
"versionType": "git"
},
{
"lessThan": "dc235db7b79a352d07d62e8757ad856dbf1564c1",
"status": "affected",
"version": "fab957c11efe2f405e08b9f0d080524bc2631428",
"versionType": "git"
},
{
"lessThan": "140b2b92dbefffa7f4f7211a1fd399a6e79e71c4",
"status": "affected",
"version": "fab957c11efe2f405e08b9f0d080524bc2631428",
"versionType": "git"
},
{
"lessThan": "1acee4616930fc07265cb8e539753a8062daa8e0",
"status": "affected",
"version": "fab957c11efe2f405e08b9f0d080524bc2631428",
"versionType": "git"
},
{
"lessThan": "9cc205e3c17d5716da7ebb7fa0c985555e95d009",
"status": "affected",
"version": "fab957c11efe2f405e08b9f0d080524bc2631428",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/riscv/include/asm/io.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.15"
},
{
"lessThan": "4.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.220",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.220",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.150",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.75",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "4.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRISC-V: Make port I/O string accessors actually work\n\nFix port I/O string accessors such as `insb\u0027, `outsb\u0027, etc. which use\nthe physical PCI port I/O address rather than the corresponding memory\nmapping to get at the requested location, which in turn breaks at least\naccesses made by our parport driver to a PCIe parallel port such as:\n\nPCI parallel port detected: 1415:c118, I/O at 0x1000(0x1008), IRQ 20\nparport0: PC-style at 0x1000 (0x1008), irq 20, using FIFO [PCSPP,TRISTATE,COMPAT,EPP,ECP]\n\ncausing a memory access fault:\n\nUnable to handle kernel access to user memory without uaccess routines at virtual address 0000000000001008\nOops [#1]\nModules linked in:\nCPU: 1 PID: 350 Comm: cat Not tainted 6.0.0-rc2-00283-g10d4879f9ef0-dirty #23\nHardware name: SiFive HiFive Unmatched A00 (DT)\nepc : parport_pc_fifo_write_block_pio+0x266/0x416\n ra : parport_pc_fifo_write_block_pio+0xb4/0x416\nepc : ffffffff80542c3e ra : ffffffff80542a8c sp : ffffffd88899fc60\n gp : ffffffff80fa2700 tp : ffffffd882b1e900 t0 : ffffffd883d0b000\n t1 : ffffffffff000002 t2 : 4646393043330a38 s0 : ffffffd88899fcf0\n s1 : 0000000000001000 a0 : 0000000000000010 a1 : 0000000000000000\n a2 : ffffffd883d0a010 a3 : 0000000000000023 a4 : 00000000ffff8fbb\n a5 : ffffffd883d0a001 a6 : 0000000100000000 a7 : ffffffc800000000\n s2 : ffffffffff000002 s3 : ffffffff80d28880 s4 : ffffffff80fa1f50\n s5 : 0000000000001008 s6 : 0000000000000008 s7 : ffffffd883d0a000\n s8 : 0004000000000000 s9 : ffffffff80dc1d80 s10: ffffffd8807e4000\n s11: 0000000000000000 t3 : 00000000000000ff t4 : 393044410a303930\n t5 : 0000000000001000 t6 : 0000000000040000\nstatus: 0000000200000120 badaddr: 0000000000001008 cause: 000000000000000f\n[\u003cffffffff80543212\u003e] parport_pc_compat_write_block_pio+0xfe/0x200\n[\u003cffffffff8053bbc0\u003e] parport_write+0x46/0xf8\n[\u003cffffffff8050530e\u003e] 
lp_write+0x158/0x2d2\n[\u003cffffffff80185716\u003e] vfs_write+0x8e/0x2c2\n[\u003cffffffff80185a74\u003e] ksys_write+0x52/0xc2\n[\u003cffffffff80185af2\u003e] sys_write+0xe/0x16\n[\u003cffffffff80003770\u003e] ret_from_syscall+0x0/0x2\n---[ end trace 0000000000000000 ]---\n\nFor simplicity address the problem by adding PCI_IOBASE to the physical\naddress requested in the respective wrapper macros only, observing that\nthe raw accessors such as `__insb\u0027, `__outsb\u0027, etc. are not supposed to\nbe used other than by said macros. Remove the cast to `long\u0027 that is no\nlonger needed on `addr\u0027 now that it is used as an offset from PCI_IOBASE\nand add parentheses around `addr\u0027 needed for predictable evaluation in\nmacro expansion. No need to make said adjustments in separate changes\ngiven that current code is gravely broken and does not ever work."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T00:00:21.501Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2c60db6869fe5213471fcf4fe5704dc29da8b5ee"
},
{
"url": "https://git.kernel.org/stable/c/2ce9fab94b8db61f014e43ddf80dd1524ae6dff4"
},
{
"url": "https://git.kernel.org/stable/c/dc235db7b79a352d07d62e8757ad856dbf1564c1"
},
{
"url": "https://git.kernel.org/stable/c/140b2b92dbefffa7f4f7211a1fd399a6e79e71c4"
},
{
"url": "https://git.kernel.org/stable/c/1acee4616930fc07265cb8e539753a8062daa8e0"
},
{
"url": "https://git.kernel.org/stable/c/9cc205e3c17d5716da7ebb7fa0c985555e95d009"
}
],
"title": "RISC-V: Make port I/O string accessors actually work",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50647",
"datePublished": "2025-12-09T00:00:21.501Z",
"dateReserved": "2025-12-08T23:57:43.371Z",
"dateUpdated": "2025-12-09T00:00:21.501Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}