CVE-2022-50870 in Linux

Summary

by MITRE • 12/30/2025

In the Linux kernel, the following vulnerability has been resolved:

powerpc/rtas: avoid device tree lookups in rtas_os_term()

rtas_os_term() is called during panic. Its behavior depends on a couple of conditions in the /rtas node of the device tree, the traversal of which entails locking and local IRQ state changes. If the kernel panics while devtree_lock is held, rtas_os_term() as currently written could hang.

Instead of discovering the relevant characteristics at panic time, cache them in file-static variables at boot. Note the lookup for "ibm,extended-os-term" is converted to of_property_read_bool() since it is a boolean property, not an RTAS function token.

[mpe: Incorporate suggested change from Nick]


Analysis

by VulDB Data Team • 04/26/2026

CVE-2022-50870 lies in the Linux kernel's powerpc architecture code, specifically in rtas_os_term(), the function that issues the RTAS (Run-Time Abstraction Services) os-term call when the system panics. The flaw is in panic handling: rtas_os_term() checks a couple of conditions in the /rtas node of the device tree, and that traversal takes devtree_lock and changes local IRQ state. If the kernel panics while devtree_lock is already held, the panic path tries to acquire a lock it cannot get, so rtas_os_term() can hang and the system locks up instead of terminating cleanly. The root cause is the decision to perform device tree lookups at panic time, when the locks and interrupt state those lookups need may already be in use by the code that panicked.

Concretely, rtas_os_term() traverses the device tree at run time, inside the panic path, which makes it depend on a resource that may already be locked or otherwise unusable. Determining the RTAS characteristics through device tree node lookups introduces race and deadlock potential whenever the panic occurs while devtree_lock is held. One of the two checks, for the "ibm,extended-os-term" property, was also miscategorised: it was looked up as if it were an RTAS function token, whereas it is a boolean property and belongs in a plain of_property_read_bool() read, which the fix adopts for improved reliability. The overall pattern is a circular dependency in which the panic handler attempts to acquire a lock that is already taken, which can leave the system in a complete lockup or an unrecoverable state.

Operationally, the impact goes beyond ordinary instability: an affected system can become completely unresponsive at exactly the moment it is failing. When a kernel panic occurs on a powerpc system, the normal termination path may never complete, so system state is not captured and debugging information is not collected. This matters most for enterprise and embedded systems running Linux on powerpc that rely on RTAS for hardware abstraction and system management. Administrators cannot depend on the standard panic path to gather diagnostics or perform an orderly shutdown, which can mean data loss or extended downtime during recovery.

The mitigation for CVE-2022-50870 moves the work out of the panic path: the relevant RTAS characteristics are discovered once during boot and cached in file-static variables, so rtas_os_term() no longer traverses the device tree during a panic. This follows the principle of avoiding resource acquisition and contention in critical system states and matches established practice for kernel panic handling; it reduces the attack surface and removes the deadlock that a lookup against a locked device tree could cause. The fix also reads the boolean "ibm,extended-os-term" property with of_property_read_bool(), which is the correct and more reliable accessor for a boolean property than a function-token lookup. The vulnerability illustrates why complex resource acquisition must be avoided during system failure states; it aligns with ATT&CK technique T1490 for system destruction and ATT&CK technique T1531 for implantation of persistence mechanisms, since it affects system stability and recovery capabilities. The mitigation also addresses CWE-362 (race conditions) and CWE-367 (time-of-check to time-of-use) by making resource access during system operation consistent and predictable.
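To illustrate both the commit message and the mitigation described above, here is an added, constructed model (not the kernel's code): a toy /rtas node and a flag standing in for devtree_lock show why a device tree lookup in the panic path hangs when the lock is already held, and how caching the characteristics at boot avoids it. The node contents, the token value and all helper names are assumptions made for the example.

```c
#include <stdbool.h>
#include <string.h>

/* Constructed model of the pattern fixed here, not kernel code: a tiny /rtas node and a flag standing in for devtree_lock. */
static const struct { const char *name; int token; } rtas_node[] = {
    { "ibm,extended-os-term", 0 },   /* boolean property: presence means true */
    { "ibm,os-term", 0x24 },         /* constructed token value, not the real one */
};
static bool devtree_locked;          /* true while devtree_lock is held */

/* Traverse the node under the lock; returns false instead of spinning forever when the lock is already held. */
static bool dt_lookup(const char *name, int *token)
{
    if (devtree_locked) return false;   /* a real spin_lock_irqsave() would hang here */
    devtree_locked = true;
    for (size_t i = 0; i < sizeof rtas_node / sizeof rtas_node[0]; i++)
        if (strcmp(rtas_node[i].name, name) == 0) { *token = rtas_node[i].token; devtree_locked = false; return true; }
    devtree_locked = false;
    return false;
}

/* Before the fix: lookups at panic time. 0 = os-term issued, 1 = feature absent, -1 = hung on devtree_lock. */
static int os_term_before(void)
{
    int tok;
    if (!dt_lookup("ibm,extended-os-term", &tok) || !dt_lookup("ibm,os-term", &tok))
        return devtree_locked ? -1 : 1;
    return 0;
}

/* After the fix: cache the characteristics in file-static variables at boot, when locking is safe. */
static bool ibm_extended_os_term;
static int ibm_os_term_token = -1;
static void rtas_boot_init(void)
{
    int tok;
    ibm_extended_os_term = dt_lookup("ibm,extended-os-term", &tok); /* of_property_read_bool() analogue */
    ibm_os_term_token = dt_lookup("ibm,os-term", &tok) ? tok : -1;
}
static int os_term_after(void)       /* panic path: no device tree access, no lock */
{
    return (ibm_extended_os_term && ibm_os_term_token >= 0) ? 0 : 1;
}

/* Simulate a panic that happens while devtree_lock is held and run the given handler. */
static int panic_with_lock_held(int (*term)(void))
{
    devtree_locked = true; int r = term(); devtree_locked = false; return r;
}
```

Running os_term_before() through panic_with_lock_held() reports the hang (-1), while os_term_after(), after rtas_boot_init() has run, completes (0) regardless of the lock.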

Responsible

Linux

Reservation

12/30/2025

Disclosure

12/30/2025

Moderation

accepted

CPE

ready

EPSS

0.00177

KEV

no

Activities

very low
