CVE-2022-49353

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2022-49353
In the Linux kernel, the following vulnerability has been resolved: powerpc/papr_scm: don't requests stats with '0' sized stats buffer Sachin reported [1] that on a POWER-10 lpar he is seeing a kernel panic being reported with vPMEM when papr_scm probe is being called. The panic is of the form below and is observed only with following option disabled(profile) for the said LPAR 'Enable Performance Information Collection' in the HMC: Kernel attempted to write user page (1c) - exploit attempt? (uid: 0) BUG: Kernel NULL pointer dereference on write at 0x0000001c Faulting instruction address: 0xc008000001b90844 Oops: Kernel access of bad area, sig: 11 [#1] <snip> NIP [c008000001b90844] drc_pmem_query_stats+0x5c/0x270 [papr_scm] LR [c008000001b92794] papr_scm_probe+0x2ac/0x6ec [papr_scm] Call Trace: 0xc00000000941bca0 (unreliable) papr_scm_probe+0x2ac/0x6ec [papr_scm] platform_probe+0x98/0x150 really_probe+0xfc/0x510 __driver_probe_device+0x17c/0x230 <snip> ---[ end trace 0000000000000000 ]--- Kernel panic - not syncing: Fatal exception On investigation looks like this panic was caused due to a 'stat_buffer' of size==0 being provided to drc_pmem_query_stats() to fetch all performance stats-ids of an NVDIMM. However drc_pmem_query_stats() shouldn't have been called since the vPMEM NVDIMM doesn't support and performance stat-id's. This was caused due to missing check for 'p->stat_buffer_len' at the beginning of papr_scm_pmu_check_events() which indicates that the NVDIMM doesn't support performance-stats. Fix this by introducing the check for 'p->stat_buffer_len' at the beginning of papr_scm_pmu_check_events(). [1] https://lore.kernel.org/all/6B3A522A-6A5F-4CC9-B268-0C63AA6E07D3@linux.ibm.com

5.5 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://git.kernel.org/stable/c/07bf9431b1590d1cd7a8d62075d0b50b073f0495 Patch
https://git.kernel.org/stable/c/e1295aab2ebcda1c1a9ed342baedc080e5c393e5 Patch
Configurations

Configuration 1 (hide)

cpe:2.3:o:linux:linux_kernel:5.18.3:*:*:*:*:*:*:*
History

14 Apr 2025, 19:45

Type Values Removed Values Added
References () https://git.kernel.org/stable/c/07bf9431b1590d1cd7a8d62075d0b50b073f0495 - () https://git.kernel.org/stable/c/07bf9431b1590d1cd7a8d62075d0b50b073f0495 - Patch
References () https://git.kernel.org/stable/c/e1295aab2ebcda1c1a9ed342baedc080e5c393e5 - () https://git.kernel.org/stable/c/e1295aab2ebcda1c1a9ed342baedc080e5c393e5 - Patch
CPE cpe:2.3:o:linux:linux_kernel:5.18.3:*:*:*:*:*:*:*
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 5.5
Summary
  • (es) En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: powerpc/papr_scm: no solicita estadísticas con un búfer de estadísticas de tamaño '0' Sachin informó [1] que en un LPAR POWER-10 está viendo un pánico del kernel que se informa con vPMEM cuando se llama a la sonda papr_scm. El pánico tiene el formato siguiente y se observa solo con la siguiente opción deshabilitada (perfil) para dicho LPAR 'Habilitar recopilación de información de rendimiento' en la HMC: El kernel intentó escribir la página del usuario (1c): ¿intento de explotación? (uid: 0) ERROR: Desreferencia de puntero NULL del kernel al escribir en 0x0000001c Dirección de instrucción con error: 0xc008000001b90844 Oops: Acceso del kernel al área defectuosa, sig: 11 [#1] NIP [c008000001b90844] drc_pmem_query_stats+0x5c/0x270 [papr_scm] LR [c008000001b92794] papr_scm_probe+0x2ac/0x6ec [papr_scm] Seguimiento de llamadas: 0xc00000000941bca0 (no confiable) papr_scm_probe+0x2ac/0x6ec [papr_scm] platform_probe+0x98/0x150 really_probe+0xfc/0x510 __driver_probe_device+0x17c/0x230 ---[ fin del seguimiento 0000000000000000 ]--- Pánico del kernel: no se sincroniza: excepción fatal En la investigación, parece que este pánico se produjo debido a que se proporcionó un 'stat_buffer' de tamaño==0 a drc_pmem_query_stats() para obtener todos los identificadores de estadísticas de rendimiento de un NVDIMM. Sin embargo, no se debería haber llamado a drc_pmem_query_stats() ya que el NVDIMM vPMEM no admite ningún identificador de estadísticas de rendimiento. Esto se produjo debido a la falta de verificación de 'p-&gt;stat_buffer_len' al comienzo de papr_scm_pmu_check_events(), lo que indica que el NVDIMM no admite estadísticas de rendimiento. Solucione este problema introduciendo la comprobación de 'p-&gt;stat_buffer_len' al comienzo de papr_scm_pmu_check_events(). [1] https://lore.kernel.org/all/6B3A522A-6A5F-4CC9-B268-0C63AA6E07D3@linux.ibm.com
CWE CWE-476
First Time Linux linux Kernel
Linux

26 Feb 2025, 07:01

Type Values Removed Values Added
New CVE
Information

Published : 2025-02-26 07:01

Updated : 2025-04-14 19:45

NVD link : CVE-2022-49353

Mitre link : CVE-2022-49353

CVE.ORG link : CVE-2022-49353

JSON object : View

Products Affected

linux

  • linux_kernel
CWE
CWE-476

NULL Pointer Dereference