Linux Kernel up to 5.18.3 papr_scm drc_pmem_query_stats null pointer dereference

Summaryinfo

A vulnerability classified as critical was found in Linux Kernel up to 5.18.3. Impacted is the function drc_pmem_query_stats of the component papr_scm. Executing a manipulation can lead to null pointer dereference. The identification of this vulnerability is CVE-2022-49353. There is no exploit available. Upgrading the affected component is advised.

Detailsinfo

A vulnerability classified as critical was found in Linux Kernel up to 5.18.3. This vulnerability affects the function drc_pmem_query_stats of the component papr_scm. The manipulation with an unknown input leads to a null pointer dereference vulnerability. The CWE definition for the vulnerability is CWE-476. A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit. As an impact it is known to affect availability. CVE summarizes:

In the Linux kernel, the following vulnerability has been resolved: powerpc/papr_scm: don't requests stats with '0' sized stats buffer Sachin reported [1] that on a POWER-10 lpar he is seeing a kernel panic being reported with vPMEM when papr_scm probe is being called. The panic is of the form below and is observed only with following option disabled(profile) for the said LPAR 'Enable Performance Information Collection' in the HMC: Kernel attempted to write user page (1c) - exploit attempt? (uid: 0) BUG: Kernel NULL pointer dereference on write at 0x0000001c Faulting instruction address: 0xc008000001b90844 Oops: Kernel access of bad area, sig: 11 [#1] NIP [c008000001b90844] drc_pmem_query_stats+0x5c/0x270 [papr_scm] LR [c008000001b92794] papr_scm_probe+0x2ac/0x6ec [papr_scm] Call Trace: 0xc00000000941bca0 (unreliable) papr_scm_probe+0x2ac/0x6ec [papr_scm] platform_probe+0x98/0x150 really_probe+0xfc/0x510 __driver_probe_device+0x17c/0x230 ---[ end trace 0000000000000000 ]--- Kernel panic - not syncing: Fatal exception On investigation looks like this panic was caused due to a 'stat_buffer' of size==0 being provided to drc_pmem_query_stats() to fetch all performance stats-ids of an NVDIMM. However drc_pmem_query_stats() shouldn't have been called since the vPMEM NVDIMM doesn't support and performance stat-id's. This was caused due to missing check for 'p->stat_buffer_len' at the beginning of papr_scm_pmu_check_events() which indicates that the NVDIMM doesn't support performance-stats. Fix this by introducing the check for 'p->stat_buffer_len' at the beginning of papr_scm_pmu_check_events(). [1] https://lore.kernel.org/all/[email protected]

The advisory is shared for download at git.kernel.org. This vulnerability was named CVE-2022-49353 since 02/26/2025. The exploitation appears to be difficult. There are known technical details, but no exploit is available.

The vulnerability scanner Nessus provides a plugin with the ID 274839 (RHEL 9 : kernel (RHSA-2025:20518)), which helps to determine the existence of the flaw in a target environment.

Upgrading to version 5.18.4 eliminates this vulnerability. Applying the patch e1295aab2ebcda1c1a9ed342baedc080e5c393e5/07bf9431b1590d1cd7a8d62075d0b50b073f0495 is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version.

The vulnerability is also documented in the vulnerability database at Tenable (274839). Once again VulDB remains the best source for vulnerability data.

Productinfo

Type

• Operating System

Vendor

• Linux

Name

• Kernel

Version

• 5.18.0
• 5.18.1
• 5.18.2
• 5.18.3

License

• open-source

Website

• Vendor: https://www.kernel.org/

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Once again VulDB remains the best source for vulnerability data.

Discussion