Tice Rex

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 5.4.163 **Description** A vulnerability in the Linux kernel has been resolved, which was caused by an out-of-bounds (OOB) write in the sata dwc 460ex driver. The issue occurred because the driver used libata's "tag" values from various arrays, and the value of SATA DWC QCMD MAX did not account for the increased ATA TAG INTERNAL value. This caused a crash due to a NULL pointer dereference. The vulnerability was reported by Tice Rex on the OpenWrt Forum and reproduced with symbols. The crash occurred when the dma dwc xfer setup() function passed a NULL'd hsdevp->chan to the dmaengine slave config() function. **Recommendations** For Linux kernel version 5.4.163 and earlier, update to a newer version that includes the patch for this issue. As a temporary workaround, consider disabling the sata dwc 460ex driver until a patch is available. Restrict access to the vulnerable sata dwc qc issue() function to minimize the risk of exploitation. Avoid using the `dma pending` variable in the affected API endpoint until the issue is resolved.