CVE-2022-49164

{"id": "CVE-2022-49164", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2025-02-26T07:00:53.563", "references": [{"url": "https://git.kernel.org/stable/c/5dce84f475d13b773a1a4c823581cab25044d86a", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/73d8082c90f17dfba57cad4ca94db5cae323f1b1", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/9d71165d3934e607070c4e48458c0cf161b1baea", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/tm: Fix more userspace r13 corruption\n\nCommit cf13435b730a (\"powerpc/tm: Fix userspace r13 corruption\") fixes a\nproblem in treclaim where a SLB miss can occur on the\nthread_struct->ckpt_regs while SCRATCH0 is live with the saved user r13\nvalue, clobbering it with the kernel r13 and ultimately resulting in\nkernel r13 being stored in ckpt_regs.\n\nThere is an equivalent problem in trechkpt where the user r13 value is\nloaded into r13 from chkpt_regs to be recheckpointed, but a SLB miss\ncould occur on ckpt_regs accesses after that, which will result in r13\nbeing clobbered with a kernel value and that will get recheckpointed and\nthen restored to user registers.\n\nThe same memory page is accessed right before this critical window where\na SLB miss could cause corruption, so hitting the bug requires the SLB\nentry be removed within a small window of instructions, which is\npossible if a SLB related MCE hits there. PAPR also permits the\nhypervisor to discard this SLB entry (because slb_shadow->persistent is\nonly set to SLB_NUM_BOLTED) although it's not known whether any\nimplementations would do this (KVM does not). So this is an extremely\nunlikely bug, only found by inspection.\n\nFix this by also storing user r13 in a temporary location on the kernel\nstack and don't change the r13 register from kernel r13 until the RI=0\ncritical section that does not fault.\n\nThe SCRATCH0 change is not strictly part of the fix, it's only used in\nthe RI=0 section so it does not have the same problem as the previous\nSCRATCH0 bug."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: powerpc/tm: Fix more userspace r13 democracy Commit cf13435b730a (\"powerpc/tm: Fix userspace r13 democracy\") corrige un problema en treclaim donde puede ocurrir un error de SLB en thread_struct->ckpt_regs mientras SCRATCH0 est\u00e1 activo con el valor r13 del usuario guardado, golpe\u00e1ndolo con el r13 del kernel y, en \u00faltima instancia, resultando en que el r13 del kernel se almacene en ckpt_regs. Hay un problema equivalente en trechkpt donde el valor r13 del usuario se carga en r13 desde chkpt_regs para volver a establecer un punto de control, pero podr\u00eda ocurrir un error de SLB en los accesos a ckpt_regs despu\u00e9s de eso, lo que resultar\u00e1 en que r13 se golpee con un valor del kernel y que se vuelva a establecer un punto de control y luego se restaure a los registros del usuario. Se accede a la misma p\u00e1gina de memoria justo antes de esta ventana cr\u00edtica donde un error de SLB podr\u00eda causar corrupci\u00f3n, por lo que encontrar el error requiere que la entrada de SLB se elimine dentro de una peque\u00f1a ventana de instrucciones, lo que es posible si un MCE relacionado con SLB llega all\u00ed. PAPR tambi\u00e9n permite que el hipervisor descarte esta entrada de SLB (porque slb_shadow->persistent solo est\u00e1 configurado en SLB_NUM_BOLTED) aunque no se sabe si alguna implementaci\u00f3n har\u00eda esto (KVM no lo hace). Por lo tanto, este es un error extremadamente improbable, que solo se encuentra por inspecci\u00f3n. Arregle esto almacenando tambi\u00e9n el usuario r13 en una ubicaci\u00f3n temporal en la pila del kernel y no cambie el registro r13 del kernel r13 hasta la secci\u00f3n cr\u00edtica RI=0 que no falla. El cambio SCRATCH0 no es estrictamente parte de la soluci\u00f3n, solo se usa en la secci\u00f3n RI=0, por lo que no tiene el mismo problema que el error SCRATCH0 anterior."}], "lastModified": "2025-09-23T14:20:06.713", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DBB3BFBD-9A56-4019-88A5-F75155E1CAB3", "versionEndExcluding": "5.15.54", "versionStartIncluding": "3.9"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "375454EC-B553-4CC9-BF9D-4A8ADC4F34BD", "versionEndExcluding": "5.17.2", "versionStartIncluding": "5.16"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}