
CVE-2022-49164: Vulnerability in the Linux kernel (vendor Linux, product Linux)

Severity: Medium
Published: Wed Feb 26 2025 (02/26/2025, 01:55:24 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

powerpc/tm: Fix more userspace r13 corruption

Commit cf13435b730a ("powerpc/tm: Fix userspace r13 corruption") fixes a problem in treclaim where a SLB miss can occur on the thread_struct->ckpt_regs while SCRATCH0 is live with the saved user r13 value, clobbering it with the kernel r13 and ultimately resulting in kernel r13 being stored in ckpt_regs.

There is an equivalent problem in trechkpt where the user r13 value is loaded into r13 from chkpt_regs to be recheckpointed, but a SLB miss could occur on ckpt_regs accesses after that, which will result in r13 being clobbered with a kernel value and that will get recheckpointed and then restored to user registers.

The same memory page is accessed right before this critical window where a SLB miss could cause corruption, so hitting the bug requires the SLB entry be removed within a small window of instructions, which is possible if a SLB related MCE hits there. PAPR also permits the hypervisor to discard this SLB entry (because slb_shadow->persistent is only set to SLB_NUM_BOLTED) although it's not known whether any implementations would do this (KVM does not). So this is an extremely unlikely bug, only found by inspection.

Fix this by also storing user r13 in a temporary location on the kernel stack and don't change the r13 register from kernel r13 until the RI=0 critical section that does not fault.

The SCRATCH0 change is not strictly part of the fix, it's only used in the RI=0 section so it does not have the same problem as the previous SCRATCH0 bug.

AI-Powered Analysis

Last updated: 06/30/2025, 03:41:08 UTC

Technical Analysis

CVE-2022-49164 is a vulnerability in the Linux kernel's transactional memory (TM) support for the PowerPC architecture. The flaw is a corruption of the userspace r13 register while the kernel reclaims and recheckpoints TM state. It stems from a narrow window involving the Segment Lookaside Buffer (SLB), the hardware cache of segment translations used for virtual address translation on PowerPC processors. In the treclaim and trechkpt code paths, which reclaim and recheckpoint transactional state, an SLB miss can occur at the moment the userspace r13 value is being saved or restored. The miss clobbers r13 with the kernel r13 value, so the kernel value ends up in the checkpoint registers (ckpt_regs) in place of the user value. That corrupted value is then recheckpointed and eventually restored to userspace, leaving the process with a clobbered register.

The bug is extremely unlikely to trigger in practice. The same memory page is touched just before the critical window, so the SLB entry would have to be removed within a span of a few instructions; that can happen if an SLB-related Machine Check Exception (MCE) lands there. The Power Architecture Platform Reference (PAPR) also permits a hypervisor to discard the entry, although no implementation is known to do so (KVM does not), which further reduces the chance of hitting it. The fix stores the userspace r13 value in a temporary location on the kernel stack and leaves the r13 register holding the kernel value until the RI=0 critical section, which cannot fault, so the user value can no longer be clobbered before it is recheckpointed. No exploits are known in the wild; the bug was found by code inspection rather than through active exploitation. It affects Linux kernel versions that contain the vulnerable treclaim/trechkpt code without this fix, which in practice means PowerPC systems using hardware transactional memory.

Potential Impact

For European organizations, the direct impact of CVE-2022-49164 is limited due to its specificity to the PowerPC architecture and transactional memory features, which are less common in mainstream enterprise Linux deployments that predominantly run on x86_64 or ARM architectures. However, organizations operating specialized hardware or embedded systems using PowerPC processors, such as telecommunications infrastructure, industrial control systems, or legacy systems in sectors like manufacturing and defense, could be affected. The corruption of the userspace r13 register could lead to unpredictable application behavior, data corruption, or system instability, potentially impacting the integrity and availability of critical services. Although exploitation is highly unlikely, the vulnerability represents a risk to system reliability and correctness in affected environments. European organizations relying on PowerPC-based Linux systems should consider the potential for subtle transactional memory state corruption that could complicate debugging and system maintenance. Given the lack of known exploits and the complexity of triggering the bug, the immediate threat level is low, but the vulnerability should be addressed to maintain system integrity and prevent future risks.

Mitigation Recommendations

To mitigate CVE-2022-49164, European organizations should:

1) Apply the official Linux kernel patches that fix the transactional memory r13 register corruption issue as soon as they become available for their specific kernel versions.

2) For systems running PowerPC-based Linux kernels with transactional memory enabled, conduct thorough testing of updated kernels in staging environments to ensure stability and correctness.

3) Monitor kernel updates and security advisories from Linux distributions and vendors for backported fixes related to this vulnerability.

4) If patching is not immediately feasible, consider disabling transactional memory features on affected PowerPC systems to avoid the vulnerable code paths, understanding that this may impact performance or functionality.

5) Implement robust system monitoring and logging to detect unusual system behavior or crashes that might indicate register corruption or transactional memory issues.

6) Coordinate with hardware and hypervisor vendors to understand any platform-specific mitigations or configurations that reduce the likelihood of SLB entry invalidation during critical kernel operations.

These steps go beyond generic advice by focusing on architecture-specific controls and operational practices tailored to the unique nature of this vulnerability.
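The steps above leave one practical question open: is a given host even in scope? The following POSIX shell function is an added triage example, not code from this advisory or from the Linux kernel project. It checks the three conditions that must all hold for the vulnerable code to be reachable: a 64-bit PowerPC kernel, transactional memory not disabled with the `ppc_tm=off` boot parameter (a real kernel parameter from the kernel's kernel-parameters.txt, which this page does not mention; it is the concrete form of mitigation step 4), and the CPU advertising hardware TM in AT_HWCAP2. The function name `tm_in_scope`, the constructed sample inputs, and the reliance on glibc's `LD_SHOW_AUXV=1` output decoding HWCAP2 into names such as `htm` are assumptions of this example.

```shell
#!/bin/sh
# Added triage helper for CVE-2022-49164 (example code, not from the advisory or
# the Linux kernel project). Decides whether a host is in scope at all:
#   1. 64-bit PowerPC kernel (uname -m reports ppc64 or ppc64le),
#   2. TM not disabled with the ppc_tm=off kernel parameter (mitigation step 4),
#   3. CPU advertising hardware TM in AT_HWCAP2 (the "htm" family of names that
#      glibc prints for LD_SHOW_AUXV=1 on PowerPC; this decoding is an assumption).
# Inputs are passed in as strings so the check runs against collected inventory
# data as well as on the live host.

# tm_in_scope ARCH CMDLINE HWCAP2_LINE
# Returns 0 when the host is in scope, 1 otherwise; prints the reason.
tm_in_scope() {
    arch="$1"
    cmdline="$2"
    hwcap2="$3"

    case "$arch" in
        ppc64|ppc64le) ;;
        *) echo "out of scope: architecture '$arch' is not 64-bit PowerPC"; return 1 ;;
    esac

    # Padding with spaces makes the pattern match a whole word only.
    case " $cmdline " in
        *" ppc_tm=off "*)
            echo "out of scope: transactional memory disabled via ppc_tm=off"
            return 1 ;;
    esac

    case " $hwcap2 " in
        *" htm "*|*" htm-nosc "*|*" htm-no-suspend "*)
            echo "in scope: PowerPC host with hardware TM enabled; apply the fix or boot with ppc_tm=off"
            return 0 ;;
    esac

    echo "out of scope: CPU does not advertise hardware transactional memory"
    return 1
}

# Constructed sample inputs (not real inventory data) covering each outcome.
tm_in_scope ppc64le "root=/dev/sda2 ro quiet" \
    "AT_HWCAP2:       htm-nosc vcrypto tar isel ebb dscr htm arch_2_07" || true
tm_in_scope ppc64le "root=/dev/sda2 ro ppc_tm=off" \
    "AT_HWCAP2:       htm arch_2_07" || true
tm_in_scope x86_64 "root=/dev/nvme0n1p2 ro" "AT_HWCAP2:       0x2" || true
tm_in_scope ppc64 "root=/dev/sda2 ro" "AT_HWCAP2:       vcrypto arch_2_07" || true
```

On a live glibc host the three inputs come from `uname -m`, `/proc/cmdline`, and `LD_SHOW_AUXV=1 /bin/true | grep AT_HWCAP2`; a host reported as out of scope because of `ppc_tm=off` has the interim mitigation in place, while one reported in scope needs the kernel fix.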


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2025-02-26T01:49:39.277Z
CISA Enriched: false
CVSS Version: null
State: PUBLISHED

Threat ID: 682d982dc4522896dcbe5105

Added to database: 5/21/2025, 9:09:01 AM

Last enriched: 6/30/2025, 3:41:08 AM

Last updated: 7/31/2025, 1:03:55 AM

Views: 11
