CVE-2022-49565

In the Linux kernel, the following vulnerability has been resolved: perf/x86/intel/lbr: Fix unchecked MSR access error on HSW The fuzzer triggers the below trace. [ 7763.384369] unchecked MSR access error: WRMSR to 0x689 (tried to write 0x1fffffff8101349e) at rIP: 0xffffffff810704a4 (native_write_msr+0x4/0x20) [ 7763.397420] Call Trace: [ 7763.399881] <TASK> [ 7763.401994] intel_pmu_lbr_restore+0x9a/0x1f0 [ 7763.406363] intel_pmu_lbr_sched_task+0x91/0x1c0 [ 7763.410992] __perf_event_task_sched_in+0x1cd/0x240 On a machine with the LBR format LBR_FORMAT_EIP_FLAGS2, when the TSX is disabled, a TSX quirk is required to access LBR from registers. The lbr_from_signext_quirk_needed() is introduced to determine whether the TSX quirk should be applied. However, the lbr_from_signext_quirk_needed() is invoked before the intel_pmu_lbr_init(), which parses the LBR format information. Without the correct LBR format information, the TSX quirk never be applied. Move the lbr_from_signext_quirk_needed() into the intel_pmu_lbr_init(). Checking x86_pmu.lbr_has_tsx in the lbr_from_signext_quirk_needed() is not required anymore. Both LBR_FORMAT_EIP_FLAGS2 and LBR_FORMAT_INFO have LBR_TSX flag, but only the LBR_FORMAT_EIP_FLAGS2 requirs the quirk. Update the comments accordingly.

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://git.kernel.org/stable/c/625bcd0685a1612225df83468c83412fc0edb3d7	Patch
https://git.kernel.org/stable/c/b0380e13502adf7dd8be4c47d622c3522aae6c63	Patch

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:5.17:-::::::
	cpe:2.3:o:linux:linux_kernel:5.17:rc2::::::
	cpe:2.3:o:linux:linux_kernel:5.17:rc3::::::
	cpe:2.3:o:linux:linux_kernel:5.17:rc4::::::
	cpe:2.3:o:linux:linux_kernel:5.17:rc5::::::
	cpe:2.3:o:linux:linux_kernel:5.17:rc6::::::
	cpe:2.3:o:linux:linux_kernel:5.17:rc7::::::
	cpe:2.3:o:linux:linux_kernel:5.17:rc8::::::
	cpe:2.3:o:linux:linux_kernel:5.19:rc1::::::
	cpe:2.3:o:linux:linux_kernel:5.19:rc2::::::
	cpe:2.3:o:linux:linux_kernel:5.19:rc3::::::
	cpe:2.3:o:linux:linux_kernel:5.19:rc4::::::
	cpe:2.3:o:linux:linux_kernel:5.19:rc5::::::
	cpe:2.3:o:linux:linux_kernel:5.19:rc6::::::
	cpe:2.3:o:linux:linux_kernel:5.19:rc7::::::

History

22 Oct 2025, 19:10

Type	Values Removed	Values Added
References	~~() https://git.kernel.org/stable/c/625bcd0685a1612225df83468c83412fc0edb3d7 -~~	() https://git.kernel.org/stable/c/625bcd0685a1612225df83468c83412fc0edb3d7 - Patch
References	~~() https://git.kernel.org/stable/c/b0380e13502adf7dd8be4c47d622c3522aae6c63 -~~	() https://git.kernel.org/stable/c/b0380e13502adf7dd8be4c47d622c3522aae6c63 - Patch
CPE		cpe:2.3:o:linux:linux_kernel:5.19:rc2:::::: cpe:2.3:o:linux:linux_kernel:5.19:rc4:::::: cpe:2.3:o:linux:linux_kernel:5.17:rc2:::::: cpe:2.3:o:linux:linux_kernel:5.19:rc1:::::: cpe:2.3:o:linux:linux_kernel:5.17:rc5:::::: cpe:2.3:o:linux:linux_kernel:5.19:rc6:::::: cpe:2.3:o:linux:linux_kernel:5.19:rc5:::::: cpe:2.3:o:linux:linux_kernel:5.17:rc4:::::: cpe:2.3:o:linux:linux_kernel:5.17:rc6:::::: cpe:2.3:o:linux:linux_kernel:5.17:rc7:::::: cpe:2.3:o:linux:linux_kernel:5.19:rc7:::::: cpe:2.3:o:linux:linux_kernel:5.17:-:::::: cpe:2.3:o:linux:linux_kernel:5.17:rc8:::::: cpe:2.3:o:linux:linux_kernel:::::::: cpe:2.3:o:linux:linux_kernel:5.19:rc3:::::: cpe:2.3:o:linux:linux_kernel:5.17:rc3::::::
CWE		NVD-CWE-noinfo
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.5
First Time		Linux Linux linux Kernel
Summary		(es) En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: perf/x86/intel/lbr: Se corrige el error de acceso a MSR sin verificar en HSW. El fuzzer activa el siguiente seguimiento. [ 7763.384369] Error de acceso a MSR sin marcar: WRMSR a 0x689 (intentó escribir 0x1fffffff8101349e) en rIP: 0xffffffff810704a4 (native_write_msr+0x4/0x20) [ 7763.397420] Seguimiento de llamadas: [ 7763.399881] [ 7763.401994] intel_pmu_lbr_restore+0x9a/0x1f0 [ 7763.406363] intel_pmu_lbr_sched_task+0x91/0x1c0 [ 7763.410992] __perf_event_task_sched_in+0x1cd/0x240 Activado una máquina con el formato LBR LBR_FORMAT_EIP_FLAGS2, cuando el TSX está deshabilitado, se requiere una peculiaridad TSX para acceder al LBR desde los registros. Se introduce lbr_from_signext_quirk_needed() para determinar si se debe aplicar la peculiaridad TSX. Sin embargo, lbr_from_signext_quirk_needed() se invoca antes de intel_pmu_lbr_init(), que analiza la información del formato LBR. Sin la información correcta del formato LBR, la peculiaridad TSX nunca se aplicará. Mueva lbr_from_signext_quirk_needed() a intel_pmu_lbr_init(). Ya no es necesario comprobar x86_pmu.lbr_has_tsx en lbr_from_signext_quirk_needed(). Tanto LBR_FORMAT_EIP_FLAGS2 como LBR_FORMAT_INFO tienen el indicador LBR_TSX, pero solo LBR_FORMAT_EIP_FLAGS2 requiere esta característica. Actualice los comentarios en consecuencia.

26 Feb 2025, 07:01

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-02-26 07:01

Updated : 2025-10-22 19:10

NVD link : CVE-2022-49565

Mitre link : CVE-2022-49565

CVE.ORG link : CVE-2022-49565

JSON object : View

Products Affected

linux

linux_kernel

CWE

NVD-CWE-noinfo

5.5 /10