CVE-2026-53170

Summary

In the Linux kernel, the following vulnerability has been resolved:

accel/ethosu: reject DMA commands with uninitialized length

cmd_state_init() initializes the command state with memset(0xff), leaving dma->len at U64_MAX to signal missing setup. The only setter is NPU_SET_DMA0_LEN; if userspace omits this command and issues NPU_OP_DMA_START, dma->len remains U64_MAX.

In dma_length(), a positive stride added to U64_MAX wraps to a small value. With size0 == 1, check_mul_overflow() does not trigger and dma_length() returns 0 instead of U64_MAX. The caller's U64_MAX check then passes, region_size[] stays 0, and the bounds check in ethosu_job.c is bypassed, allowing hardware to execute DMA with stale physical addresses.

Fix by checking for U64_MAX at the start of dma_length() before any arithmetic, consistent with the sentinel value used throughout the driver to detect uninitialized fields.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux5a5e9c0228e613f0ef2a58b9782d7c0ea8f1e58b < fb25c76a820ca8a547aa478bfb503da0a11494abaffected
LinuxLinux5a5e9c0228e613f0ef2a58b9782d7c0ea8f1e58b < d9d021218162b6c4fe0bdf42b2b340f1aae23a12affected
LinuxLinux6.19affected
LinuxLinux0 < 6.19unaffected
LinuxLinux7.0.13 <= 7.0.*unaffected
LinuxLinux7.1 <= *unaffected

Weaknesses

References