CVE-2022-49955
BaseFortify

Publication date: 2025-06-18

Last updated on: 2025-11-14

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

powerpc/rtas: Fix RTAS MSR[HV] handling for Cell

The semi-recent changes to MSR handling when entering RTAS (firmware) cause crashes on IBM Cell machines. An example trace:

  kernel tried to execute user page (2fff01a8) - exploit attempt? (uid: 0)
  BUG: Unable to handle kernel instruction fetch
  Faulting instruction address: 0x2fff01a8
  Oops: Kernel access of bad area, sig: 11 [#1]
  BE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=4 NUMA Cell
  Modules linked in:
  CPU: 0 PID: 0 Comm: swapper/0 Tainted: G W 6.0.0-rc2-00433-gede0a8d3307a #207
  NIP: 000000002fff01a8 LR: 0000000000032608 CTR: 0000000000000000
  REGS: c0000000015236b0 TRAP: 0400 Tainted: G W (6.0.0-rc2-00433-gede0a8d3307a)
  MSR: 0000000008001002 <ME,RI> CR: 00000000 XER: 20000000
  ...
  NIP 0x2fff01a8 LR 0x32608
  Call Trace:
  0xc00000000143c5f8 (unreliable)
  .rtas_call+0x224/0x320
  .rtas_get_boot_time+0x70/0x150
  .read_persistent_clock64+0x114/0x140
  .read_persistent_wall_and_boot_offset+0x24/0x80
  .timekeeping_init+0x40/0x29c
  .start_kernel+0x674/0x8f0
  start_here_common+0x1c/0x50

Unlike PAPR platforms where RTAS is only used in guests, on the IBM Cell machines Linux runs with MSR[HV] set but also uses RTAS, provided by SLOF.

Fix it by copying the MSR[HV] bit from the MSR value we've just read using mfmsr into the value used for RTAS.

It seems like we could also fix it using an #ifdef CELL to set MSR[HV], but that doesn't work because it's possible to build a single kernel image that runs on both Cell native and pseries.
Meta Information
Generated: 2026-05-07
AI Q&A: 2025-06-18
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 6 associated CPEs
Vendor | Product | Version / Range
linux | linux_kernel | 6.0
linux | linux_kernel | 6.0
linux | linux_kernel | 6.0
linux | linux_kernel | From 5.15.160 (inc) to 5.16 (inc)
linux | linux_kernel | From 5.15.160 (inc) to 5.16 (inc)
linux | linux_kernel | From 5.15.160 (inc) to 5.16 (inc)
CWE ID | Description
CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability involves improper handling of the Machine State Register (MSR) Hypervisor bit (MSR[HV]) when entering the Run-Time Abstraction Services (RTAS) firmware on IBM Cell machines running Linux. After recent changes to MSR handling, the kernel crashes because RTAS ends up executing from an invalid address (the trace shows an instruction fetch from a user page), producing a kernel oops. The issue arises because Linux on Cell runs with MSR[HV] set and still uses RTAS (provided by SLOF), but the MSR[HV] bit was not carried over into the MSR value used while RTAS runs. The fix copies the MSR[HV] bit from the MSR value just read with mfmsr into the RTAS MSR value, so the same kernel image works on both Cell native and pseries.


How can this vulnerability impact me?

This vulnerability causes kernel crashes on IBM Cell machines running Linux, leading to system instability and denial of service. The kernel may attempt to execute invalid instructions, resulting in a crash (kernel oops) that disrupts normal operation and, since the example trace occurs during early boot, can prevent the system from coming up at all. Systems that are not IBM Cell machines using RTAS are not affected.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability manifests as kernel crashes on IBM Cell machines, with messages indicating a kernel instruction fetch fault and a bad area access, as shown in the example trace. Detection involves monitoring system logs (e.g., dmesg or /var/log/kern.log) for kernel oops or crash messages that reference RTAS (the example trace shows .rtas_call in the call chain), for instance with 'dmesg | grep -i rtas' or 'journalctl -k | grep -i rtas'. Note that in the example trace the fault occurs during early boot (timekeeping_init calling rtas_get_boot_time), so an affected machine may fail to boot rather than write the oops to persistent logs; a serial or remote console capture is then the place to look.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability is fixed by updating the Linux kernel to a version that includes the patch correcting RTAS MSR[HV] handling for IBM Cell machines (the affected ranges listed above are 6.0 and 5.15.160 through 5.16). Immediate mitigation consists of applying the kernel update that contains this fix. No other specific mitigation steps are mentioned.

