CVE-2022-49440 (GCVE-0-2022-49440)
Vulnerability from cvelistv5
Published
2025-02-26 02:12
Modified
2025-05-04 08:37
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
powerpc/rtas: Keep MSR[RI] set when calling RTAS
RTAS runs in real mode (MSR[DR] and MSR[IR] unset) and in 32-bit big
endian mode (MSR[SF,LE] unset).
The change in MSR is done in enter_rtas() in a relatively complex way,
since the MSR value could be hardcoded.
Furthermore, a panic has been reported when hitting the watchdog interrupt
while running in RTAS, this leads to the following stack trace:
watchdog: CPU 24 Hard LOCKUP
watchdog: CPU 24 TB:997512652051031, last heartbeat TB:997504470175378 (15980ms ago)
...
Supported: No, Unreleased kernel
CPU: 24 PID: 87504 Comm: drmgr Kdump: loaded Tainted: G E X 5.14.21-150400.71.1.bz196362_2-default #1 SLE15-SP4 (unreleased) 0d821077ef4faa8dfaf370efb5fdca1fa35f4e2c
NIP: 000000001fb41050 LR: 000000001fb4104c CTR: 0000000000000000
REGS: c00000000fc33d60 TRAP: 0100 Tainted: G E X (5.14.21-150400.71.1.bz196362_2-default)
MSR: 8000000002981000 <SF,VEC,VSX,ME> CR: 48800002 XER: 20040020
CFAR: 000000000000011c IRQMASK: 1
GPR00: 0000000000000003 ffffffffffffffff 0000000000000001 00000000000050dc
GPR04: 000000001ffb6100 0000000000000020 0000000000000001 000000001fb09010
GPR08: 0000000020000000 0000000000000000 0000000000000000 0000000000000000
GPR12: 80040000072a40a8 c00000000ff8b680 0000000000000007 0000000000000034
GPR16: 000000001fbf6e94 000000001fbf6d84 000000001fbd1db0 000000001fb3f008
GPR20: 000000001fb41018 ffffffffffffffff 000000000000017f fffffffffffff68f
GPR24: 000000001fb18fe8 000000001fb3e000 000000001fb1adc0 000000001fb1cf40
GPR28: 000000001fb26000 000000001fb460f0 000000001fb17f18 000000001fb17000
NIP [000000001fb41050] 0x1fb41050
LR [000000001fb4104c] 0x1fb4104c
Call Trace:
Instruction dump:
XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
Oops: Unrecoverable System Reset, sig: 6 [#1]
LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries
...
Supported: No, Unreleased kernel
CPU: 24 PID: 87504 Comm: drmgr Kdump: loaded Tainted: G E X 5.14.21-150400.71.1.bz196362_2-default #1 SLE15-SP4 (unreleased) 0d821077ef4faa8dfaf370efb5fdca1fa35f4e2c
NIP: 000000001fb41050 LR: 000000001fb4104c CTR: 0000000000000000
REGS: c00000000fc33d60 TRAP: 0100 Tainted: G E X (5.14.21-150400.71.1.bz196362_2-default)
MSR: 8000000002981000 <SF,VEC,VSX,ME> CR: 48800002 XER: 20040020
CFAR: 000000000000011c IRQMASK: 1
GPR00: 0000000000000003 ffffffffffffffff 0000000000000001 00000000000050dc
GPR04: 000000001ffb6100 0000000000000020 0000000000000001 000000001fb09010
GPR08: 0000000020000000 0000000000000000 0000000000000000 0000000000000000
GPR12: 80040000072a40a8 c00000000ff8b680 0000000000000007 0000000000000034
GPR16: 000000001fbf6e94 000000001fbf6d84 000000001fbd1db0 000000001fb3f008
GPR20: 000000001fb41018 ffffffffffffffff 000000000000017f fffffffffffff68f
GPR24: 000000001fb18fe8 000000001fb3e000 000000001fb1adc0 000000001fb1cf40
GPR28: 000000001fb26000 000000001fb460f0 000000001fb17f18 000000001fb17000
NIP [000000001fb41050] 0x1fb41050
LR [000000001fb4104c] 0x1fb4104c
Call Trace:
Instruction dump:
XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
---[ end trace 3ddec07f638c34a2 ]---
This happens because MSR[RI] is unset when entering RTAS but there is no
valid reason to not set it here.
RTAS is expected to be called with MSR[RI] as specified in PAPR+ section
"7.2.1 Machine State":
R1–7.2.1–9. If called with MSR[RI] equal to 1, then RTAS must protect
its own critical regions from recursion by setting the MSR[RI] bit to
0 when in the critical regions.
Fixing this by reviewing the way MSR is compute before calling RTAS. Now a
hardcoded value meaning real
---truncated---
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/powerpc/kernel/entry_64.S",
"arch/powerpc/kernel/rtas.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5ca40fcf0da0ce2b5bc44e7d8b036535955f2e3d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5f4367448f6817c8a0e94dc9736ed84fa8eee4a3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c9c41f0273826a13ac93124e66a4ff45df281ba0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b6b1c3ce06ca438eb24e0f45bf0e63ecad0369f5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/powerpc/kernel/entry_64.S",
"arch/powerpc/kernel/rtas.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/rtas: Keep MSR[RI] set when calling RTAS\n\nRTAS runs in real mode (MSR[DR] and MSR[IR] unset) and in 32-bit big\nendian mode (MSR[SF,LE] unset).\n\nThe change in MSR is done in enter_rtas() in a relatively complex way,\nsince the MSR value could be hardcoded.\n\nFurthermore, a panic has been reported when hitting the watchdog interrupt\nwhile running in RTAS, this leads to the following stack trace:\n\n watchdog: CPU 24 Hard LOCKUP\n watchdog: CPU 24 TB:997512652051031, last heartbeat TB:997504470175378 (15980ms ago)\n ...\n Supported: No, Unreleased kernel\n CPU: 24 PID: 87504 Comm: drmgr Kdump: loaded Tainted: G E X 5.14.21-150400.71.1.bz196362_2-default #1 SLE15-SP4 (unreleased) 0d821077ef4faa8dfaf370efb5fdca1fa35f4e2c\n NIP: 000000001fb41050 LR: 000000001fb4104c CTR: 0000000000000000\n REGS: c00000000fc33d60 TRAP: 0100 Tainted: G E X (5.14.21-150400.71.1.bz196362_2-default)\n MSR: 8000000002981000 \u003cSF,VEC,VSX,ME\u003e CR: 48800002 XER: 20040020\n CFAR: 000000000000011c IRQMASK: 1\n GPR00: 0000000000000003 ffffffffffffffff 0000000000000001 00000000000050dc\n GPR04: 000000001ffb6100 0000000000000020 0000000000000001 000000001fb09010\n GPR08: 0000000020000000 0000000000000000 0000000000000000 0000000000000000\n GPR12: 80040000072a40a8 c00000000ff8b680 0000000000000007 0000000000000034\n GPR16: 000000001fbf6e94 000000001fbf6d84 000000001fbd1db0 000000001fb3f008\n GPR20: 000000001fb41018 ffffffffffffffff 000000000000017f fffffffffffff68f\n GPR24: 000000001fb18fe8 000000001fb3e000 000000001fb1adc0 000000001fb1cf40\n GPR28: 000000001fb26000 000000001fb460f0 000000001fb17f18 000000001fb17000\n NIP [000000001fb41050] 0x1fb41050\n LR [000000001fb4104c] 0x1fb4104c\n Call Trace:\n Instruction dump:\n XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX\n XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX\n Oops: Unrecoverable System Reset, sig: 6 [#1]\n LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries\n ...\n Supported: No, Unreleased kernel\n CPU: 24 PID: 87504 Comm: drmgr Kdump: loaded Tainted: G E X 5.14.21-150400.71.1.bz196362_2-default #1 SLE15-SP4 (unreleased) 0d821077ef4faa8dfaf370efb5fdca1fa35f4e2c\n NIP: 000000001fb41050 LR: 000000001fb4104c CTR: 0000000000000000\n REGS: c00000000fc33d60 TRAP: 0100 Tainted: G E X (5.14.21-150400.71.1.bz196362_2-default)\n MSR: 8000000002981000 \u003cSF,VEC,VSX,ME\u003e CR: 48800002 XER: 20040020\n CFAR: 000000000000011c IRQMASK: 1\n GPR00: 0000000000000003 ffffffffffffffff 0000000000000001 00000000000050dc\n GPR04: 000000001ffb6100 0000000000000020 0000000000000001 000000001fb09010\n GPR08: 0000000020000000 0000000000000000 0000000000000000 0000000000000000\n GPR12: 80040000072a40a8 c00000000ff8b680 0000000000000007 0000000000000034\n GPR16: 000000001fbf6e94 000000001fbf6d84 000000001fbd1db0 000000001fb3f008\n GPR20: 000000001fb41018 ffffffffffffffff 000000000000017f fffffffffffff68f\n GPR24: 000000001fb18fe8 000000001fb3e000 000000001fb1adc0 000000001fb1cf40\n GPR28: 000000001fb26000 000000001fb460f0 000000001fb17f18 000000001fb17000\n NIP [000000001fb41050] 0x1fb41050\n LR [000000001fb4104c] 0x1fb4104c\n Call Trace:\n Instruction dump:\n XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX\n XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX\n ---[ end trace 3ddec07f638c34a2 ]---\n\nThis happens because MSR[RI] is unset when entering RTAS but there is no\nvalid reason to not set it here.\n\nRTAS is expected to be called with MSR[RI] as specified in PAPR+ section\n\"7.2.1 Machine State\":\n\n R1\u20137.2.1\u20139. If called with MSR[RI] equal to 1, then RTAS must protect\n its own critical regions from recursion by setting the MSR[RI] bit to\n 0 when in the critical regions.\n\nFixing this by reviewing the way MSR is compute before calling RTAS. Now a\nhardcoded value meaning real \n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:37:42.677Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5ca40fcf0da0ce2b5bc44e7d8b036535955f2e3d"
},
{
"url": "https://git.kernel.org/stable/c/5f4367448f6817c8a0e94dc9736ed84fa8eee4a3"
},
{
"url": "https://git.kernel.org/stable/c/c9c41f0273826a13ac93124e66a4ff45df281ba0"
},
{
"url": "https://git.kernel.org/stable/c/b6b1c3ce06ca438eb24e0f45bf0e63ecad0369f5"
}
],
"title": "powerpc/rtas: Keep MSR[RI] set when calling RTAS",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49440",
"datePublished": "2025-02-26T02:12:53.988Z",
"dateReserved": "2025-02-26T02:08:31.570Z",
"dateUpdated": "2025-05-04T08:37:42.677Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}