CVE-2022-49851 in Linux
Summary
by MITRE • 05/01/2025
In the Linux kernel, the following vulnerability has been resolved:
riscv: fix reserved memory setup
Currently, RISC-V sets up reserved memory using the "early" copy of the device tree. As a result, when trying to get a reserved memory region using of_reserved_mem_lookup(), the pointer to reserved memory regions is using the early, pre-virtual-memory address which causes a kernel panic when trying to use the buffer's name:
Unable to handle kernel paging request at virtual address 00000000401c31ac Oops [#1]
Modules linked in: CPU: 0 PID: 0 Comm: swapper Not tainted 6.0.0-rc1-00001-g0d9d6953d834 #1 Hardware name: Microchip PolarFire-SoC Icicle Kit (DT) epc : string+0x4a/0xea ra : vsnprintf+0x1e4/0x336 epc : ffffffff80335ea0 ra : ffffffff80338936 sp : ffffffff81203be0 gp : ffffffff812e0a98 tp : ffffffff8120de40 t0 : 0000000000000000 t1 : ffffffff81203e28 t2 : 7265736572203a46 s0 : ffffffff81203c20 s1 : ffffffff81203e28 a0 : ffffffff81203d22 a1 : 0000000000000000 a2 : ffffffff81203d08 a3 : 0000000081203d21 a4 : ffffffffffffffff a5 : 00000000401c31ac a6 : ffff0a00ffffff04 a7 : ffffffffffffffff s2 : ffffffff81203d08 s3 : ffffffff81203d00 s4 : 0000000000000008 s5 : ffffffff000000ff s6 : 0000000000ffffff s7 : 00000000ffffff00 s8 : ffffffff80d9821a s9 : ffffffff81203d22 s10: 0000000000000002 s11: ffffffff80d9821c t3 : ffffffff812f3617 t4 : ffffffff812f3617 t5 : ffffffff812f3618 t6 : ffffffff81203d08 status: 0000000200000100 badaddr: 00000000401c31ac cause: 000000000000000d [<ffffffff80338936>] vsnprintf+0x1e4/0x336
[<ffffffff80055ae2>] vprintk_store+0xf6/0x344
[<ffffffff80055d86>] vprintk_emit+0x56/0x192
[<ffffffff80055ed8>] vprintk_default+0x16/0x1e
[<ffffffff800563d2>] vprintk+0x72/0x80
[<ffffffff806813b2>] _printk+0x36/0x50
[<ffffffff8068af48>] print_reserved_mem+0x1c/0x24
[<ffffffff808057ec>] paging_init+0x528/0x5bc
[<ffffffff808031ae>] setup_arch+0xd0/0x592
[<ffffffff8080070e>] start_kernel+0x82/0x73c
early_init_fdt_scan_reserved_mem() takes no arguments as it operates on initial_boot_params, which is populated by early_init_dt_verify(). On RISC-V, early_init_dt_verify() is called twice. Once, directly, in setup_arch() if CONFIG_BUILTIN_DTB is not enabled and once indirectly, very early in the boot process, by parse_dtb() when it calls early_init_dt_scan_nodes().
This first call uses dtb_early_va to set initial_boot_params, which is not usable later in the boot process when early_init_fdt_scan_reserved_mem() is called. On arm64 for example, the corresponding call to early_init_dt_scan_nodes() uses fixmap addresses and doesn't suffer the same fate.
Move early_init_fdt_scan_reserved_mem() further along the boot sequence, after the direct call to early_init_dt_verify() in setup_arch() so that the names use the correct virtual memory addresses. The above supposed that CONFIG_BUILTIN_DTB was not set, but should work equally in the case where it is - unflatted_and_copy_device_tree() also updates initial_boot_params.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 11/11/2025
The vulnerability described in CVE-2022-49851 affects the Linux kernel's implementation of reserved memory setup on RISC-V architectures. This issue stems from a fundamental mismatch in memory addressing between early boot phases and later kernel initialization stages. The problem manifests when the kernel attempts to access reserved memory region names through the of_reserved_mem_lookup() function, which relies on pointers that were established during the early boot process using pre-virtual-memory addresses. This discrepancy leads to kernel panics when the system tries to dereference virtual addresses that do not correspond to valid memory mappings, as evidenced by the page fault at virtual address 0x401c31ac during kernel boot operations.
The technical root cause lies in the RISC-V kernel's handling of device tree parsing during early boot initialization. Specifically, the early_init_fdt_scan_reserved_mem() function operates on initial_boot_params that are populated by early_init_dt_verify(), but this function is called twice in the RISC-V boot sequence. The first invocation occurs directly in setup_arch() when CONFIG_BUILTIN_DTB is not enabled, using dtb_early_va to set initial_boot_params. However, this early memory mapping becomes invalid later in the boot process when the same function is called again, causing reserved memory region pointers to reference incorrect virtual addresses. This behavior contrasts with arm64 implementations where early_init_dt_scan_nodes() uses fixmap addresses that remain valid throughout the boot process, making the RISC-V implementation fundamentally flawed in its memory management approach.
The operational impact of this vulnerability is severe as it can cause complete system crashes during kernel boot, preventing proper system initialization and rendering affected devices non-functional. The kernel panic occurs when the print_reserved_mem function attempts to access reserved memory region names using virtual addresses that were valid only during early boot but are now invalid. This vulnerability affects systems using RISC-V architecture with Linux kernels that implement the problematic device tree handling, particularly those utilizing device tree blobs that require proper reserved memory setup. The issue is particularly critical for embedded systems and hardware platforms that rely heavily on reserved memory regions for device drivers and system resources, as the kernel cannot properly initialize these resources during boot.
Mitigation strategies for CVE-2022-49851 involve updating to kernel versions that contain the specific fix implemented by moving early_init_fdt_scan_reserved_mem() further along the boot sequence, ensuring it executes after the direct call to early_init_dt_verify() in setup_arch(). This adjustment ensures that reserved memory region names reference correct virtual memory addresses throughout the boot process. System administrators should prioritize applying kernel updates that address this specific memory management issue, particularly on RISC-V platforms where device tree parsing and reserved memory setup are critical for proper system operation. Additionally, organizations should conduct thorough testing of updated kernels to ensure that no regressions occur in device tree handling or memory management functionality, as this fix modifies fundamental boot-time memory allocation behavior that affects multiple kernel subsystems. The vulnerability aligns with CWE-125: Out-of-bounds Read and ATT&CK technique T1486: Data Encrypted for Impact, as it can prevent system boot and potentially affect system availability through kernel crashes.