CVE-2022-49440 in Linux

Summary

by MITRE • 02/26/2025

In the Linux kernel, the following vulnerability has been resolved:

powerpc/rtas: Keep MSR[RI] set when calling RTAS

RTAS runs in real mode (MSR[DR] and MSR[IR] unset) and in 32-bit big
endian mode (MSR[SF,LE] unset).

The change in MSR is done in enter_rtas() in a relatively complex way, since the MSR value could be hardcoded.

Furthermore, a panic has been reported when hitting the watchdog interrupt while running in RTAS; this leads to the following stack trace:

watchdog: CPU 24 Hard LOCKUP
watchdog: CPU 24 TB:997512652051031, last heartbeat TB:997504470175378 (15980ms ago)
...
Supported: No, Unreleased kernel
CPU: 24 PID: 87504 Comm: drmgr Kdump: loaded Tainted: G E X 5.14.21-150400.71.1.bz196362_2-default #1 SLE15-SP4 (unreleased) 0d821077ef4faa8dfaf370efb5fdca1fa35f4e2c
NIP: 000000001fb41050 LR: 000000001fb4104c CTR: 0000000000000000
REGS: c00000000fc33d60 TRAP: 0100 Tainted: G E X (5.14.21-150400.71.1.bz196362_2-default)
MSR: 8000000002981000 CR: 48800002 XER: 20040020
CFAR: 000000000000011c IRQMASK: 1
GPR00: 0000000000000003 ffffffffffffffff 0000000000000001 00000000000050dc
GPR04: 000000001ffb6100 0000000000000020 0000000000000001 000000001fb09010
GPR08: 0000000020000000 0000000000000000 0000000000000000 0000000000000000
GPR12: 80040000072a40a8 c00000000ff8b680 0000000000000007 0000000000000034
GPR16: 000000001fbf6e94 000000001fbf6d84 000000001fbd1db0 000000001fb3f008
GPR20: 000000001fb41018 ffffffffffffffff 000000000000017f fffffffffffff68f
GPR24: 000000001fb18fe8 000000001fb3e000 000000001fb1adc0 000000001fb1cf40
GPR28: 000000001fb26000 000000001fb460f0 000000001fb17f18 000000001fb17000
NIP [000000001fb41050] 0x1fb41050
LR [000000001fb4104c] 0x1fb4104c
Call Trace:
Instruction dump:
XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
Oops: Unrecoverable System Reset, sig: 6 [#1]
LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries
...
Supported: No, Unreleased kernel
CPU: 24 PID: 87504 Comm: drmgr Kdump: loaded Tainted: G E X 5.14.21-150400.71.1.bz196362_2-default #1 SLE15-SP4 (unreleased) 0d821077ef4faa8dfaf370efb5fdca1fa35f4e2c
NIP: 000000001fb41050 LR: 000000001fb4104c CTR: 0000000000000000
REGS: c00000000fc33d60 TRAP: 0100 Tainted: G E X (5.14.21-150400.71.1.bz196362_2-default)
MSR: 8000000002981000 CR: 48800002 XER: 20040020
CFAR: 000000000000011c IRQMASK: 1
GPR00: 0000000000000003 ffffffffffffffff 0000000000000001 00000000000050dc
GPR04: 000000001ffb6100 0000000000000020 0000000000000001 000000001fb09010
GPR08: 0000000020000000 0000000000000000 0000000000000000 0000000000000000
GPR12: 80040000072a40a8 c00000000ff8b680 0000000000000007 0000000000000034
GPR16: 000000001fbf6e94 000000001fbf6d84 000000001fbd1db0 000000001fb3f008
GPR20: 000000001fb41018 ffffffffffffffff 000000000000017f fffffffffffff68f
GPR24: 000000001fb18fe8 000000001fb3e000 000000001fb1adc0 000000001fb1cf40
GPR28: 000000001fb26000 000000001fb460f0 000000001fb17f18 000000001fb17000
NIP [000000001fb41050] 0x1fb41050
LR [000000001fb4104c] 0x1fb4104c
Call Trace:
Instruction dump:
XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
---[ end trace 3ddec07f638c34a2 ]---

This happens because MSR[RI] is unset when entering RTAS but there is no
valid reason to not set it here.

RTAS is expected to be called with MSR[RI] as specified in PAPR+ section
"7.2.1 Machine State":

R1–7.2.1–9. If called with MSR[RI] equal to 1, then RTAS must protect
its own critical regions from recursion by setting the MSR[RI] bit to
0 when in the critical regions.

Fixing this by reviewing the way MSR is computed before calling RTAS. Now a hardcoded value meaning real ---truncated---
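The following C program is an added illustration, not code from the kernel commit or from VulDB. It models the MSR states the summary talks about: the bits PAPR+ expects at RTAS entry (real mode, 32-bit big endian, MSR[RI] set), a "before" routine that derives the entry MSR by masking the caller's MSR and drops RI along the way, and an "after" routine that loads a hardcoded value with RI set. It also decodes the MSR printed in the register dump above to confirm that RI, IR and DR were all clear when the watchdog fired. The bit positions are the architected PowerPC MSR fields as named in the Linux kernel headers; the exact pre-fix mask, the exact post-fix constant and the sample caller MSR are my assumptions, marked as such in the comments.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Architected PowerPC MSR bit positions (named as in the Linux kernel's
 * arch/powerpc/include/asm/reg.h). */
#define MSR_BIT(n) (1ULL << (n))
#define MSR_SF  MSR_BIT(63)  /* 64-bit mode; clear = 32-bit mode */
#define MSR_EE  MSR_BIT(15)  /* external interrupt enable */
#define MSR_PR  MSR_BIT(14)  /* problem state (user mode) */
#define MSR_FP  MSR_BIT(13)  /* floating point available */
#define MSR_ME  MSR_BIT(12)  /* machine check enable */
#define MSR_FE0 MSR_BIT(11)  /* FP exception mode 0 */
#define MSR_SE  MSR_BIT(10)  /* single step */
#define MSR_BE  MSR_BIT(9)   /* branch trace */
#define MSR_FE1 MSR_BIT(8)   /* FP exception mode 1 */
#define MSR_IR  MSR_BIT(5)   /* instruction relocate (translation on) */
#define MSR_DR  MSR_BIT(4)   /* data relocate (translation on) */
#define MSR_RI  MSR_BIT(1)   /* recoverable interrupt */
#define MSR_LE  MSR_BIT(0)   /* little endian */

/* MSR value printed in the hard-lockup register dump quoted on this page. */
#define TRACE_MSR 0x8000000002981000ULL

/* Constructed sample: a typical 64-bit LE kernel MSR at the point of the
 * RTAS call (translation on, interrupts enabled, RI set). Assumption. */
#define KERNEL_MSR (MSR_SF | MSR_ME | MSR_IR | MSR_DR | MSR_RI | MSR_EE | MSR_LE)

struct msr_state {
    bool sf, ir, dr, ri, le, ee, pr;
};

/* Pick out the bits that matter for the RTAS entry state. */
static struct msr_state msr_decode(uint64_t msr)
{
    struct msr_state s = {
        .sf = (msr & MSR_SF) != 0,
        .ir = (msr & MSR_IR) != 0,
        .dr = (msr & MSR_DR) != 0,
        .ri = (msr & MSR_RI) != 0,
        .le = (msr & MSR_LE) != 0,
        .ee = (msr & MSR_EE) != 0,
        .pr = (msr & MSR_PR) != 0,
    };
    return s;
}

/* What PAPR+ 7.2.1 and the commit message expect at RTAS entry: real mode
 * (IR=DR=0), 32-bit big endian (SF=LE=0) and RI=1, so that a system reset
 * (the watchdog NMI) landing inside RTAS is treated as recoverable. */
static bool rtas_entry_msr_ok(uint64_t msr)
{
    struct msr_state s = msr_decode(msr);
    return !s.ir && !s.dr && !s.sf && !s.le && s.ri;
}

/* Pre-fix behaviour, modelled: derive the entry MSR from the caller's MSR by
 * masking. The mask is my reading of the old enter_rtas() and is an
 * assumption; the page only states that RI ended up unset. */
static uint64_t rtas_entry_msr_before(uint64_t caller_msr)
{
    const uint64_t clear = MSR_EE | MSR_SE | MSR_BE | MSR_RI |
                           MSR_SF | MSR_IR | MSR_DR | MSR_FE0 |
                           MSR_FE1 | MSR_FP | MSR_LE;
    return caller_msr & ~clear;
}

/* Post-fix behaviour as the page describes it: a hardcoded value meaning real
 * mode, 32-bit big endian, RI set. Keeping ME set is an assumption about the
 * exact constant. */
static uint64_t rtas_entry_msr_after(void)
{
    return MSR_ME | MSR_RI;
}

int main(void)
{
    struct msr_state t = msr_decode(TRACE_MSR);
    printf("trace MSR %016llx: SF=%d IR=%d DR=%d RI=%d LE=%d\n",
           (unsigned long long)TRACE_MSR, t.sf, t.ir, t.dr, t.ri, t.le);
    uint64_t before = rtas_entry_msr_before(KERNEL_MSR);
    printf("before fix: entry MSR %016llx ok=%d\n",
           (unsigned long long)before, rtas_entry_msr_ok(before));
    uint64_t after = rtas_entry_msr_after();
    printf("after fix:  entry MSR %016llx ok=%d\n",
           (unsigned long long)after, rtas_entry_msr_ok(after));
    return 0;
}
```

Running it shows that the dumped MSR has RI=0 with IR=0 and DR=0, which is exactly the state the commit message describes (real mode, but not recoverable), that the masked "before" value fails the entry check because RI is gone, and that the hardcoded "after" value passes it. The same decode is handy when reading any powerpc oops: if MSR[RI] is clear in the interrupted state, a system reset there cannot be returned from and the kernel panics.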


Analysis

by VulDB Data Team • 10/23/2025

CVE-2022-49440 addresses a critical issue in the Linux kernel's powerpc architecture code, specifically in how the kernel calls RTAS (Run-Time Abstraction Services). The flaw manifests when the kernel transitions into RTAS: the Machine State Register (MSR) value set up for the call does not keep the RI (Recoverable Interrupt) bit set, which can lead to system instability and unexpected behaviour. RTAS runs in real mode (MSR[DR] and MSR[IR] unset) and in 32-bit big-endian mode (MSR[SF,LE] unset), so the MSR has to be set precisely on the transition.

The root cause lies in the MSR manipulation logic in enter_rtas(), which derived the MSR for the RTAS call from the caller's MSR in a relatively complex way instead of loading a hardcoded value, and which left MSR[RI] unset on entry. That contradicts the PAPR+ (Power Architecture Platform Reference) requirement quoted above, which assumes RTAS is called with MSR[RI] equal to 1. When the watchdog interrupt arrived during RTAS execution, the kernel found MSR[RI] clear in the interrupted state; such an interrupt cannot be returned from safely, so the kernel panicked with "Unrecoverable System Reset", as the stack trace shows.

Operationally, the impact goes beyond transient instability: the system can lock up completely and be forced to reboot in the middle of critical operations. It affects powerpc systems where RTAS is actively used for hardware management and system monitoring. The problem surfaces when a watchdog interrupt fires while RTAS is running, since the kernel cannot recover from the interrupt in that state and the failure escalates to a panic. The weakness is classified as CWE-119 (a memory access error that can lead to system crashes), and in ATT&CK terms it maps to T1499.004 - Endpoint Denial of Service, since the result is a system-wide service interruption caused by kernel-level instability.

The fix changes how the MSR is computed before calling RTAS so that MSR[RI] stays set on entry. This matches the PAPR+ requirement that RTAS protects its own critical regions from recursion by clearing MSR[RI] itself, a scheme that only works if the bit is set when RTAS is called. The resolution modifies enter_rtas() to keep MSR[RI] set, so the system no longer enters an unrecoverable state when RTAS is invoked and a watchdog-induced system reset no longer escalates to the panics and lockups observed before. The change corrects the powerpc kernel's MSR management on RTAS transitions and restores compliance with the platform specification during critical hardware operations.

Responsible

Linux

Reservation

02/26/2025

Disclosure

02/26/2025

Moderation

accepted

CPE

ready

EPSS

0.00240

KEV

no

Activities

very low
