CVE-2022-49440

EUVD-2022-54789
In the Linux kernel, the following vulnerability has been resolved:

powerpc/rtas: Keep MSR[RI] set when calling RTAS

RTAS runs in real mode (MSR[DR] and MSR[IR] unset) and in 32-bit big
endian mode (MSR[SF,LE] unset).

The change in MSR is done in enter_rtas() in a relatively complex way,
since the MSR value could be hardcoded.

Furthermore, a panic has been reported when hitting the watchdog interrupt
while running in RTAS, this leads to the following stack trace:

  watchdog: CPU 24 Hard LOCKUP
  watchdog: CPU 24 TB:997512652051031, last heartbeat TB:997504470175378 (15980ms ago)
  ...
  Supported: No, Unreleased kernel
  CPU: 24 PID: 87504 Comm: drmgr Kdump: loaded Tainted: G            E  X    5.14.21-150400.71.1.bz196362_2-default #1 SLE15-SP4 (unreleased) 0d821077ef4faa8dfaf370efb5fdca1fa35f4e2c
  NIP:  000000001fb41050 LR: 000000001fb4104c CTR: 0000000000000000
  REGS: c00000000fc33d60 TRAP: 0100   Tainted: G            E  X     (5.14.21-150400.71.1.bz196362_2-default)
  MSR:  8000000002981000 <SF,VEC,VSX,ME>  CR: 48800002  XER: 20040020
  CFAR: 000000000000011c IRQMASK: 1
  GPR00: 0000000000000003 ffffffffffffffff 0000000000000001 00000000000050dc
  GPR04: 000000001ffb6100 0000000000000020 0000000000000001 000000001fb09010
  GPR08: 0000000020000000 0000000000000000 0000000000000000 0000000000000000
  GPR12: 80040000072a40a8 c00000000ff8b680 0000000000000007 0000000000000034
  GPR16: 000000001fbf6e94 000000001fbf6d84 000000001fbd1db0 000000001fb3f008
  GPR20: 000000001fb41018 ffffffffffffffff 000000000000017f fffffffffffff68f
  GPR24: 000000001fb18fe8 000000001fb3e000 000000001fb1adc0 000000001fb1cf40
  GPR28: 000000001fb26000 000000001fb460f0 000000001fb17f18 000000001fb17000
  NIP [000000001fb41050] 0x1fb41050
  LR [000000001fb4104c] 0x1fb4104c
  Call Trace:
  Instruction dump:
  XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
  XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
  Oops: Unrecoverable System Reset, sig: 6 [#1]
  LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries
  ...
  Supported: No, Unreleased kernel
  CPU: 24 PID: 87504 Comm: drmgr Kdump: loaded Tainted: G            E  X    5.14.21-150400.71.1.bz196362_2-default #1 SLE15-SP4 (unreleased) 0d821077ef4faa8dfaf370efb5fdca1fa35f4e2c
  NIP:  000000001fb41050 LR: 000000001fb4104c CTR: 0000000000000000
  REGS: c00000000fc33d60 TRAP: 0100   Tainted: G            E  X     (5.14.21-150400.71.1.bz196362_2-default)
  MSR:  8000000002981000 <SF,VEC,VSX,ME>  CR: 48800002  XER: 20040020
  CFAR: 000000000000011c IRQMASK: 1
  GPR00: 0000000000000003 ffffffffffffffff 0000000000000001 00000000000050dc
  GPR04: 000000001ffb6100 0000000000000020 0000000000000001 000000001fb09010
  GPR08: 0000000020000000 0000000000000000 0000000000000000 0000000000000000
  GPR12: 80040000072a40a8 c00000000ff8b680 0000000000000007 0000000000000034
  GPR16: 000000001fbf6e94 000000001fbf6d84 000000001fbd1db0 000000001fb3f008
  GPR20: 000000001fb41018 ffffffffffffffff 000000000000017f fffffffffffff68f
  GPR24: 000000001fb18fe8 000000001fb3e000 000000001fb1adc0 000000001fb1cf40
  GPR28: 000000001fb26000 000000001fb460f0 000000001fb17f18 000000001fb17000
  NIP [000000001fb41050] 0x1fb41050
  LR [000000001fb4104c] 0x1fb4104c
  Call Trace:
  Instruction dump:
  XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
  XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
  ---[ end trace 3ddec07f638c34a2 ]---

This happens because MSR[RI] is unset when entering RTAS but there is no
valid reason to not set it here.

RTAS is expected to be called with MSR[RI] as specified in PAPR+ section
"7.2.1 Machine State":

  R1–7.2.1–9. If called with MSR[RI] equal to 1, then RTAS must protect
  its own critical regions from recursion by setting the MSR[RI] bit to
  0 when in the critical regions.

Fixing this by reviewing the way MSR is compute before calling RTAS. Now a
hardcoded value meaning real 
---truncated---
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.5 MEDIUM
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 31%
Affected Products (NVD)
VendorProductVersion
linuxlinux_kernel
𝑥
< 5.15.46
linuxlinux_kernel
5.16 ≤
𝑥
< 5.17.14
linuxlinux_kernel
5.18 ≤
𝑥
< 5.18.3
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
linux
bookworm
6.1.123-1
fixed
bookworm (security)
6.1.128-1
fixed
bullseye
vulnerable
bullseye (security)
vulnerable
sid
6.12.16-1
fixed
trixie
6.12.12-1
fixed
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
cluster-md-kmp-default
suse enterprise server 15 SP5
5.14.21-150500.55.100.1
fixed
dlm-kmp-default
suse enterprise server 15 SP5
5.14.21-150500.55.100.1
fixed
gfs2-kmp-default
suse enterprise server 15 SP5
5.14.21-150500.55.100.1
fixed
kernel-64kb
suse enterprise server 15 SP4
5.14.21-150400.24.158.1
fixed
suse enterprise server 15 SP5
5.14.21-150500.55.100.1
fixed
kernel-default
suse enterprise server 15 SP4
5.14.21-150400.24.158.1
fixed
suse enterprise server 15 SP5
5.14.21-150500.55.100.1
fixed
kernel-default-base
suse enterprise server 15 SP4
5.14.21-150400.24.158.1.150400.24.78.1
fixed
suse enterprise server 15 SP5
5.14.21-150500.55.100.1.150500.6.47.1
fixed
kernel-docs
suse enterprise server 15 SP4
5.14.21-150400.24.158.1
fixed
suse enterprise server 15 SP5
5.14.21-150500.55.100.1
fixed
kernel-macros
suse enterprise server 15 SP4
5.14.21-150400.24.158.1
fixed
suse enterprise server 15 SP5
5.14.21-150500.55.100.1
fixed
kernel-obs-build
suse enterprise server 15 SP4
5.14.21-150400.24.158.1
fixed
suse enterprise server 15 SP5
5.14.21-150500.55.100.1
fixed
kernel-source
suse enterprise server 15 SP4
5.14.21-150400.24.158.1
fixed
suse enterprise server 15 SP5
5.14.21-150500.55.100.1
fixed
kernel-syms
suse enterprise server 15 SP4
5.14.21-150400.24.158.1
fixed
suse enterprise server 15 SP5
5.14.21-150500.55.100.1
fixed
kernel-zfcpdump
suse enterprise server 15 SP4
5.14.21-150400.24.158.1
fixed
suse enterprise server 15 SP5
5.14.21-150500.55.100.1
fixed
ocfs2-kmp-default
suse enterprise server 15 SP5
5.14.21-150500.55.100.1
fixed
reiserfs-kmp-default
suse enterprise server 15 SP4
5.14.21-150400.24.158.1
fixed
suse enterprise server 15 SP5
5.14.21-150500.55.100.1
fixed
Red Hat logo
Red Hat Enterprise Linux Releases
Red Hat Product
Release
bpftool
RHEL 9
0:5.14.0-162.6.1.el9_1
fixed
kernel
RHEL 9
0:5.14.0-162.6.1.el9_1
fixed
kernel-abi-stablelists
RHEL 9
0:5.14.0-162.6.1.el9_1
fixed
kernel-core
RHEL 9
0:5.14.0-162.6.1.el9_1
fixed
kernel-debug
RHEL 9
0:5.14.0-162.6.1.el9_1
fixed
kernel-debug-core
RHEL 9
0:5.14.0-162.6.1.el9_1
fixed
kernel-debug-devel
RHEL 9
0:5.14.0-162.6.1.el9_1
fixed
kernel-debug-devel-matched
RHEL 9
0:5.14.0-162.6.1.el9_1
fixed
kernel-debug-modules
RHEL 9
0:5.14.0-162.6.1.el9_1
fixed
kernel-debug-modules-extra
RHEL 9
0:5.14.0-162.6.1.el9_1
fixed
kernel-devel
RHEL 9
0:5.14.0-162.6.1.el9_1
fixed
kernel-devel-matched
RHEL 9
0:5.14.0-162.6.1.el9_1
fixed
kernel-doc
RHEL 9
0:5.14.0-162.6.1.el9_1
fixed
kernel-modules
RHEL 9
0:5.14.0-162.6.1.el9_1
fixed
kernel-modules-extra
RHEL 9
0:5.14.0-162.6.1.el9_1
fixed
kernel-tools
RHEL 9
0:5.14.0-162.6.1.el9_1
fixed
kernel-tools-libs
RHEL 9
0:5.14.0-162.6.1.el9_1
fixed
kernel-tools-libs-devel
RHEL 9
0:5.14.0-162.6.1.el9_1
fixed
kernel-zfcpdump
RHEL 9
0:5.14.0-162.6.1.el9_1
fixed
kernel-zfcpdump-core
RHEL 9
0:5.14.0-162.6.1.el9_1
fixed
kernel-zfcpdump-devel
RHEL 9
0:5.14.0-162.6.1.el9_1
fixed
kernel-zfcpdump-devel-matched
RHEL 9
0:5.14.0-162.6.1.el9_1
fixed
kernel-zfcpdump-modules
RHEL 9
0:5.14.0-162.6.1.el9_1
fixed
kernel-zfcpdump-modules-extra
RHEL 9
0:5.14.0-162.6.1.el9_1
fixed
perf
RHEL 9
0:5.14.0-162.6.1.el9_1
fixed
python3-perf
RHEL 9
0:5.14.0-162.6.1.el9_1
fixed
References
https://git.kernel.org/stable/c/5ca40fcf0da0ce2b5bc44e7d8b036535955f2e3d
https://git.kernel.org/stable/c/5f4367448f6817c8a0e94dc9736ed84fa8eee4a3
https://git.kernel.org/stable/c/b6b1c3ce06ca438eb24e0f45bf0e63ecad0369f5
https://git.kernel.org/stable/c/c9c41f0273826a13ac93124e66a4ff45df281ba0