
CVE-2022-49353: Vulnerability in Linux / Linux (kernel)

Severity: High
Type: Vulnerability
Identifier: CVE-2022-49353
Published: Wed Feb 26 2025 (02/26/2025, 02:11:04 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

powerpc/papr_scm: don't request stats with '0' sized stats buffer

Sachin reported [1] that on a POWER-10 lpar he is seeing a kernel panic being reported with vPMEM when papr_scm probe is being called. The panic is of the form below and is observed only with the following option disabled (profile) for the said LPAR, 'Enable Performance Information Collection' in the HMC:

Kernel attempted to write user page (1c) - exploit attempt? (uid: 0)
BUG: Kernel NULL pointer dereference on write at 0x0000001c
Faulting instruction address: 0xc008000001b90844
Oops: Kernel access of bad area, sig: 11 [#1]
<snip>
NIP [c008000001b90844] drc_pmem_query_stats+0x5c/0x270 [papr_scm]
LR [c008000001b92794] papr_scm_probe+0x2ac/0x6ec [papr_scm]
Call Trace:
0xc00000000941bca0 (unreliable)
papr_scm_probe+0x2ac/0x6ec [papr_scm]
platform_probe+0x98/0x150
really_probe+0xfc/0x510
__driver_probe_device+0x17c/0x230
<snip>
---[ end trace 0000000000000000 ]---
Kernel panic - not syncing: Fatal exception

On investigation it looks like this panic was caused due to a 'stat_buffer' of size==0 being provided to drc_pmem_query_stats() to fetch all performance stat-ids of an NVDIMM. However, drc_pmem_query_stats() shouldn't have been called since the vPMEM NVDIMM doesn't support any performance stat-ids. This was caused due to a missing check for 'p->stat_buffer_len' at the beginning of papr_scm_pmu_check_events(), which indicates that the NVDIMM doesn't support performance-stats.

Fix this by introducing the check for 'p->stat_buffer_len' at the beginning of papr_scm_pmu_check_events().

[1] https://lore.kernel.org/all/6B3A522A-6A5F-4CC9-B268-0C63AA6E07D3@linux.ibm.com

AI-Powered Analysis

AI analysis last updated: 06/30/2025, 06:12:04 UTC

Technical Analysis

CVE-2022-49353 is a vulnerability in the Linux kernel's powerpc papr_scm driver, which manages NVDIMM (Non-Volatile Dual In-line Memory Module) devices on POWER-10 logical partitions (LPARs). During device probe, papr_scm_probe() reaches papr_scm_pmu_check_events(), which calls drc_pmem_query_stats() to enumerate the NVDIMM's performance stat-ids. For a vPMEM NVDIMM, which exposes no performance statistics, the driver's 'stat_buffer_len' field is zero, so the query is issued with a zero-sized stats buffer. papr_scm_pmu_check_events() lacked an initial check of 'p->stat_buffer_len', the field that signals whether performance statistics are supported; without it, the kernel attempts to fetch statistics from a device that cannot provide them, and drc_pmem_query_stats() writes through an invalid pointer. The result is a NULL pointer dereference on write at address 0x0000001c, reported as a fatal exception and kernel panic, i.e. an unrecoverable system failure. The panic is observed only when the 'Enable Performance Information Collection' option is disabled for the LPAR in the Hardware Management Console (HMC), a configuration setting on IBM POWER systems. The root cause is missing validation in the driver, and the fix adds a check for 'p->stat_buffer_len' at the start of papr_scm_pmu_check_events() so that drc_pmem_query_stats() is never called when the buffer length is zero. The vulnerability is specific to Linux kernels running on IBM POWER10 hardware with vPMEM NVDIMM devices, no exploits in the wild were known as of the publication date, and no CVSS score has been assigned yet.
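The following is an added, self-contained model of the missing check described above; it is not the kernel's papr_scm code. The struct layouts, the counting stand-in for drc_pmem_query_stats(), the wrapper names and the -ENOENT return value are all constructed for illustration. It shows the pre-fix flow reaching the query routine with a zero-length buffer (where the real driver faulted, the model returns -EINVAL instead of crashing) and the post-fix flow refusing before the query is ever reached, while a device that does report statistics is still queried normally.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the papr_scm per-NVDIMM state and stats header;
 * it keeps only the fields needed to show the guard. Not the kernel's code. */
struct papr_scm_perf_stats {
    uint32_t eye_catcher;     /* header fields filled by the query routine */
    uint32_t stats_version;
    uint32_t num_statistics;
    uint8_t  body[];          /* stat-id records follow in the real layout */
};

struct papr_scm_priv {
    size_t stat_buffer_len;   /* 0 means the NVDIMM reports no perf stats */
};

/* How many times the modelled query routine was entered; lets a caller show
 * whether the unsafe call would have been reached. */
static int query_calls;

static void reset_query_count(void) { query_calls = 0; }
static int  get_query_count(void)   { return query_calls; }

/* Stand-in for drc_pmem_query_stats(): fills the stats header in the caller's
 * buffer. The real routine wrote through a pointer derived from a zero-sized
 * allocation and faulted; this model validates the length and returns an
 * error instead, but still counts the call. */
static int drc_pmem_query_stats(struct papr_scm_perf_stats *buf,
                                size_t buf_len, uint32_t num_stats)
{
    query_calls++;
    if (buf == NULL || buf_len < sizeof(*buf))
        return -EINVAL;   /* in the kernel this was the NULL-pointer write */
    memset(buf, 0, buf_len);
    buf->num_statistics = num_stats;
    return 0;
}

/* Flow before the fix: allocate stat_buffer_len bytes and query regardless. */
static int pmu_check_events_unfixed(const struct papr_scm_priv *p)
{
    struct papr_scm_perf_stats *buf = malloc(p->stat_buffer_len);
    int rc = drc_pmem_query_stats(buf, p->stat_buffer_len, 0);
    free(buf);   /* free(NULL) and free of a zero-size block are both fine */
    return rc;
}

/* Flow after the fix: the guard added at the top of papr_scm_pmu_check_events().
 * -ENOENT is this model's choice of error code for "no stats supported". */
static int pmu_check_events_fixed(const struct papr_scm_priv *p)
{
    if (!p->stat_buffer_len)
        return -ENOENT;   /* no performance stats: never enter the query path */
    return pmu_check_events_unfixed(p);
}

/* Convenience wrappers (hypothetical) to drive one scenario from a length. */
static int run_unfixed(size_t len)
{
    struct papr_scm_priv p = { .stat_buffer_len = len };
    reset_query_count();
    return pmu_check_events_unfixed(&p);
}

static int run_fixed(size_t len)
{
    struct papr_scm_priv p = { .stat_buffer_len = len };
    reset_query_count();
    return pmu_check_events_fixed(&p);
}

int main(void)
{
    int rc, reached;

    rc = run_unfixed(0);  reached = get_query_count();   /* vPMEM, no stats */
    printf("unfixed, vPMEM:        rc=%d query reached=%d\n", rc, reached);
    rc = run_fixed(0);    reached = get_query_count();
    printf("fixed,   vPMEM:        rc=%d query reached=%d\n", rc, reached);
    rc = run_fixed(64);   reached = get_query_count();   /* NVDIMM with stats */
    printf("fixed,   NVDIMM+stats: rc=%d query reached=%d\n", rc, reached);
    return 0;
}
```

The point of the model is where the decision is made: the fixed path checks the device's own capability field before any buffer is allocated or any query issued, so a zero-length buffer can never reach the routine that would write through it.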

Potential Impact

For European organizations running IBM POWER10 servers with Linux and vPMEM NVDIMM devices, this vulnerability can cause unexpected kernel panics, leading to system crashes and downtime. Such outages can disrupt critical business operations, especially in environments that depend on high availability and continuous uptime, such as financial institutions, telecommunications providers, and data centers. The kernel panic results in loss of availability, may require manual intervention to recover systems, impacts service delivery, and can cause data loss if unsaved data is present. Because the panic is triggered by a specific configuration (performance information collection disabled in the HMC), organizations that disable this feature for performance or security reasons are the ones at risk. Although the vulnerability does not appear to allow privilege escalation or direct data compromise, the denial-of-service impact can be significant in production environments. The lack of known exploits reduces immediate risk, but because the defect sits in kernel code, attackers with local access or the ability to influence kernel module loading could potentially trigger the panic, making it a reliability and availability concern.

Mitigation Recommendations

European organizations should ensure that the Linux kernels on their POWER10 systems are updated to include the patch that adds the missing 'stat_buffer_len' check in papr_scm_pmu_check_events(). This means applying the latest kernel updates from trusted Linux distributions, or from the Linux kernel source if custom kernels are in use. Organizations should also audit their HMC configurations to verify whether the 'Enable Performance Information Collection' option is disabled on any LPAR using vPMEM NVDIMM devices; if disabling it is not necessary, enable it so the vulnerable path is not triggered. Where disabling performance information collection is required, add monitoring so that kernel panics are detected promptly. Robust kernel crash recovery mechanisms and regular backups will limit the impact of unexpected reboots. Finally, monitor Linux kernel mailing lists and vendor advisories for updates or exploit reports related to this vulnerability.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2025-02-26T02:08:31.545Z
CISA Enriched: false
CVSS Version: null
State: PUBLISHED

Threat ID: 682d982dc4522896dcbe5770

Added to database: 5/21/2025, 9:09:01 AM

Last enriched: 6/30/2025, 6:12:04 AM

Last updated: 7/25/2025, 7:06:57 AM
