CVE-2022-49214

MEDIUM

Linux Kernel 5.5-5.15.32, 5.16.0-5.16.18, 5.17.0-5.17.1 - NULL Pointer Dereference in Data SLB Access Handler

Title source: llm

Description

In the Linux kernel, the following vulnerability has been resolved: powerpc/64s: Don't use DSISR for SLB faults Since commit 46ddcb3950a2 ("powerpc/mm: Show if a bad page fault on data is read or write.") we use page_fault_is_write(regs->dsisr) in __bad_page_fault() to determine if the fault is for a read or write, and change the message printed accordingly. But SLB faults, aka Data Segment Interrupts, don't set DSISR (Data Storage Interrupt Status Register) to a useful value. All ISA versions from v2.03 through v3.1 specify that the Data Segment Interrupt sets DSISR "to an undefined value". As far as I can see there's no mention of SLB faults setting DSISR in any BookIV content either. This manifests as accesses that should be a read being incorrectly reported as writes, for example, using the xmon "dump" command: 0:mon> d 0x5deadbeef0000000 5deadbeef0000000 [359526.415354][ C6] BUG: Unable to handle kernel data access on write at 0x5deadbeef0000000 [359526.415611][ C6] Faulting instruction address: 0xc00000000010a300 cpu 0x6: Vector: 380 (Data SLB Access) at [c00000000ffbf400] pc: c00000000010a300: mread+0x90/0x190 If we disassemble the PC, we see a load instruction: 0:mon> di c00000000010a300 c00000000010a300 89490000 lbz r10,0(r9) We can also see in exceptions-64s.S that the data_access_slb block doesn't set IDSISR=1, which means it doesn't load DSISR into pt_regs. So the value we're using to determine if the fault is a read/write is some stale value in pt_regs from a previous page fault. Rework the printing logic to separate the SLB fault case out, and only print read/write in the cases where we can determine it. The result looks like eg: 0:mon> d 0x5deadbeef0000000 5deadbeef0000000 [ 721.779525][ C6] BUG: Unable to handle kernel data access at 0x5deadbeef0000000 [ 721.779697][ C6] Faulting instruction address: 0xc00000000014cbe0 cpu 0x6: Vector: 380 (Data SLB Access) at [c00000000ffbf390] 0:mon> d 0 0000000000000000 [ 742.793242][ C6] BUG: Kernel NULL pointer dereference at 0x00000000 [ 742.793316][ C6] Faulting instruction address: 0xc00000000014cbe0 cpu 0x6: Vector: 380 (Data SLB Access) at [c00000000ffbf390]

References (4)

Core 4

Core References

Patch

https://git.kernel.org/stable/c/4a852ff9b7bea9c640540e2c1bc70bd3ba455d61

Patch

https://git.kernel.org/stable/c/a3dae36d632b2cf6eb20314273e512a96cb43c9a

Patch

https://git.kernel.org/stable/c/093449bb182db885dae816d62874cccab7a4c42a

Patch

https://git.kernel.org/stable/c/d4679ac8ea2e5078704aa1c026db36580cc1bf9a

Scores

CVSS v3 5.5

EPSS 0.0025

EPSS Percentile 15.8%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Details

CWE

CWE-476

Status published

Products (14)

linux/Kernel 5.16.0 - 5.16.19linux

linux/Kernel 5.17.0 - 5.17.2linux

linux/Kernel 5.5.0 - 5.15.33linux

Linux/Linux < 5.5

Linux/Linux 46ddcb3950a28c0df4815e8dbb8d4b91d5d9f22d - 093449bb182db885dae816d62874cccab7a4c42a

Linux/Linux 46ddcb3950a28c0df4815e8dbb8d4b91d5d9f22d - 4a852ff9b7bea9c640540e2c1bc70bd3ba455d61

Linux/Linux 46ddcb3950a28c0df4815e8dbb8d4b91d5d9f22d - a3dae36d632b2cf6eb20314273e512a96cb43c9a

Linux/Linux 46ddcb3950a28c0df4815e8dbb8d4b91d5d9f22d - d4679ac8ea2e5078704aa1c026db36580cc1bf9a

Linux/Linux 5.15.33 - 5.15.*

Linux/Linux 5.16.19 - 5.16.*

... and 4 more

Published Feb 26, 2025

Tracked Since Feb 18, 2026