CVE-2022-49440: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved:

powerpc/rtas: Keep MSR[RI] set when calling RTAS

RTAS runs in real mode (MSR[DR] and MSR[IR] unset) and in 32-bit big endian mode (MSR[SF,LE] unset).

The change in MSR is done in enter_rtas() in a relatively complex way, since the MSR value could be hardcoded.

Furthermore, a panic has been reported when hitting the watchdog interrupt while running in RTAS, this leads to the following stack trace:

watchdog: CPU 24 Hard LOCKUP
watchdog: CPU 24 TB:997512652051031, last heartbeat TB:997504470175378 (15980ms ago)
...
Supported: No, Unreleased kernel
CPU: 24 PID: 87504 Comm: drmgr Kdump: loaded Tainted: G E X 5.14.21-150400.71.1.bz196362_2-default #1 SLE15-SP4 (unreleased) 0d821077ef4faa8dfaf370efb5fdca1fa35f4e2c
NIP: 000000001fb41050 LR: 000000001fb4104c CTR: 0000000000000000
REGS: c00000000fc33d60 TRAP: 0100 Tainted: G E X (5.14.21-150400.71.1.bz196362_2-default)
MSR: 8000000002981000 <SF,VEC,VSX,ME> CR: 48800002 XER: 20040020
CFAR: 000000000000011c IRQMASK: 1
GPR00: 0000000000000003 ffffffffffffffff 0000000000000001 00000000000050dc
GPR04: 000000001ffb6100 0000000000000020 0000000000000001 000000001fb09010
GPR08: 0000000020000000 0000000000000000 0000000000000000 0000000000000000
GPR12: 80040000072a40a8 c00000000ff8b680 0000000000000007 0000000000000034
GPR16: 000000001fbf6e94 000000001fbf6d84 000000001fbd1db0 000000001fb3f008
GPR20: 000000001fb41018 ffffffffffffffff 000000000000017f fffffffffffff68f
GPR24: 000000001fb18fe8 000000001fb3e000 000000001fb1adc0 000000001fb1cf40
GPR28: 000000001fb26000 000000001fb460f0 000000001fb17f18 000000001fb17000
NIP [000000001fb41050] 0x1fb41050
LR [000000001fb4104c] 0x1fb4104c
Call Trace:
Instruction dump:
XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
Oops: Unrecoverable System Reset, sig: 6 [#1]
LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries
...
Supported: No, Unreleased kernel
CPU: 24 PID: 87504 Comm: drmgr Kdump: loaded Tainted: G E X 5.14.21-150400.71.1.bz196362_2-default #1 SLE15-SP4 (unreleased) 0d821077ef4faa8dfaf370efb5fdca1fa35f4e2c
NIP: 000000001fb41050 LR: 000000001fb4104c CTR: 0000000000000000
REGS: c00000000fc33d60 TRAP: 0100 Tainted: G E X (5.14.21-150400.71.1.bz196362_2-default)
MSR: 8000000002981000 <SF,VEC,VSX,ME> CR: 48800002 XER: 20040020
CFAR: 000000000000011c IRQMASK: 1
GPR00: 0000000000000003 ffffffffffffffff 0000000000000001 00000000000050dc
GPR04: 000000001ffb6100 0000000000000020 0000000000000001 000000001fb09010
GPR08: 0000000020000000 0000000000000000 0000000000000000 0000000000000000
GPR12: 80040000072a40a8 c00000000ff8b680 0000000000000007 0000000000000034
GPR16: 000000001fbf6e94 000000001fbf6d84 000000001fbd1db0 000000001fb3f008
GPR20: 000000001fb41018 ffffffffffffffff 000000000000017f fffffffffffff68f
GPR24: 000000001fb18fe8 000000001fb3e000 000000001fb1adc0 000000001fb1cf40
GPR28: 000000001fb26000 000000001fb460f0 000000001fb17f18 000000001fb17000
NIP [000000001fb41050] 0x1fb41050
LR [000000001fb4104c] 0x1fb4104c
Call Trace:
Instruction dump:
XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
---[ end trace 3ddec07f638c34a2 ]---

This happens because MSR[RI] is unset when entering RTAS but there is no valid reason to not set it here.

RTAS is expected to be called with MSR[RI] as specified in PAPR+ section "7.2.1 Machine State":

R1–7.2.1–9. If called with MSR[RI] equal to 1, then RTAS must protect its own critical regions from recursion by setting the MSR[RI] bit to 0 when in the critical regions.

Fixing this by reviewing the way MSR is computed before calling RTAS. Now a hardcoded value meaning real ---truncated---
AI Analysis
Technical Summary
CVE-2022-49440 is a vulnerability in the Linux kernel affecting the PowerPC architecture's RTAS (Run-Time Abstraction Services) interface. The issue is improper handling of the Machine State Register (MSR) bits when entering RTAS. RTAS runs in real mode with MSR[DR] and MSR[IR] unset and in 32-bit big endian mode with MSR[SF] and MSR[LE] unset; the defect is that enter_rtas() also clears MSR[RI] (the "recoverable interrupt" bit) on entry, for which there is no valid reason. According to the Power Architecture Platform Reference (PAPR+) specification, section "7.2.1 Machine State" (requirement R1-7.2.1-9), RTAS should be called with MSR[RI] set, and RTAS itself is responsible for clearing the bit while inside its own critical regions to protect them from recursion. The kernel's enter_rtas() computes the entry MSR from the caller's MSR in a relatively complex way, even though the value could simply be hardcoded, and the computed value leaves MSR[RI] clear. As a result, a watchdog interrupt that fires while a CPU is executing RTAS is treated as an unrecoverable system reset: the reported trace shows a hard lockup on CPU 24 while the drmgr process was in RTAS, followed by "Oops: Unrecoverable System Reset" and a kernel panic. The vulnerability therefore manifests as a denial of service (DoS) through kernel panic and system crash. The reported kernel is 5.14.21-150400.71.1.bz196362_2-default (an unreleased SLE15-SP4 build); other kernels on PowerPC platforms that carry the same enter_rtas() logic are likely affected. No known exploits are reported in the wild, and no CVSS score has been assigned yet. The fix replaces the MSR computation with a hardcoded entry value that keeps MSR[RI] set when entering RTAS, in line with the PAPR+ requirement.
Potential Impact
For European organizations utilizing Linux systems on PowerPC architectures—commonly found in specialized enterprise servers, embedded systems, and certain high-performance computing environments—this vulnerability poses a risk of unexpected system crashes and denial of service. Such disruptions can affect critical infrastructure, data centers, and industrial control systems relying on these platforms. The kernel panic triggered by the watchdog interrupt can lead to service outages, loss of availability, and potential operational downtime. While the vulnerability does not appear to allow privilege escalation or data compromise directly, the loss of system availability can impact business continuity, especially in sectors like finance, manufacturing, and telecommunications where uptime is critical. Given the niche nature of PowerPC Linux deployments, the overall impact is limited to organizations with these specific hardware and kernel configurations. However, the complexity of the issue and the potential for hard lockups necessitate prompt attention to avoid operational disruptions.
Mitigation Recommendations
European organizations should prioritize updating their Linux kernel to versions where this vulnerability is patched, ensuring that the MSR[RI] bit handling in enter_rtas() complies with the PAPR+ specification. Since this affects PowerPC architectures, organizations must audit their infrastructure to identify affected systems running vulnerable kernel versions. For systems where immediate patching is not feasible, implementing robust monitoring of kernel watchdog timers and setting up automated recovery mechanisms (such as kernel crash dumps and automated reboots) can help mitigate downtime. Additionally, organizations should engage with their Linux distribution vendors (e.g., SUSE for SLE15-SP4) to obtain backported patches and security advisories. Testing patches in staging environments before deployment is recommended to avoid unintended side effects. Finally, maintaining strict access controls and limiting the ability to trigger RTAS calls to trusted processes can reduce the risk of accidental or malicious triggering of the vulnerability.
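As an added example (it is not code from the page, from the Linux kernel, or from the advisory author), the hosted C program below puts the technical summary and the monitoring recommendation above into practice. It triages a few constructed log lines shaped like the trace quoted in the description, decodes the value on the "MSR:" line using the bit positions the Linux kernel assigns to the MSR flags, checks the PAPR+ requirement that MSR[RI] be set at RTAS entry, and contrasts a mask-based derivation that strips RI with a hardcoded entry value. The mask in rtas_msr_derived() and the composition MSR_ME | MSR_RI in rtas_msr_hardcoded() are assumptions chosen to illustrate the constraints the description states (real mode, 32-bit big endian, RI kept); the page itself only says that the fix hardcodes the value.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* MSR bit positions as the Linux kernel numbers them (MSR_*_LG in arch/powerpc/include/asm/reg.h). */
#define MSR_SF  (1ULL << 63)  /* 64-bit mode */
#define MSR_VEC (1ULL << 25)  /* AltiVec enabled */
#define MSR_VSX (1ULL << 23)  /* VSX enabled */
#define MSR_EE  (1ULL << 15)  /* external interrupts enabled */
#define MSR_PR  (1ULL << 14)  /* problem (user) state */
#define MSR_FP  (1ULL << 13)  /* floating point enabled */
#define MSR_ME  (1ULL << 12)  /* machine check enable */
#define MSR_IR  (1ULL << 5)   /* instruction relocate (off = real mode) */
#define MSR_DR  (1ULL << 4)   /* data relocate (off = real mode) */
#define MSR_RI  (1ULL << 1)   /* recoverable interrupt */
#define MSR_LE  (1ULL << 0)   /* little endian */

/* Constructed sample: log lines in the shape of the trace quoted in the description. */
static const char *sample_log[] = {
    "watchdog: CPU 24 Hard LOCKUP",
    "CPU: 24 PID: 87504 Comm: drmgr Kdump: loaded Tainted: G E X 5.14.21-150400.71.1.bz196362_2-default #1",
    "MSR: 8000000002981000 <SF,VEC,VSX,ME> CR: 48800002 XER: 20040020",
    "Oops: Unrecoverable System Reset, sig: 6 [#1] LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries",
};
static const size_t sample_log_len = sizeof sample_log / sizeof sample_log[0];

/* Pull the hex value after "MSR: " out of an oops line. Returns 1 on success. */
int parse_msr_line(const char *line, uint64_t *msr)
{
    const char *p = strstr(line, "MSR: ");
    if (!p) return 0;
    char *end;
    *msr = strtoull(p + 5, &end, 16);
    return end != p + 5;
}

/* Name the set flags, ordered to match the <...> annotation seen in the trace. */
const char *msr_flags(uint64_t msr, char *buf, size_t len)
{
    static const struct { uint64_t bit; const char *name; } tbl[] = {
        {MSR_SF, "SF"}, {MSR_EE, "EE"}, {MSR_PR, "PR"}, {MSR_FP, "FP"}, {MSR_VEC, "VEC"},
        {MSR_VSX, "VSX"}, {MSR_ME, "ME"}, {MSR_IR, "IR"}, {MSR_DR, "DR"}, {MSR_RI, "RI"}, {MSR_LE, "LE"},
    };
    buf[0] = '\0';
    for (size_t i = 0; i < sizeof tbl / sizeof tbl[0]; i++) {
        if (!(msr & tbl[i].bit)) continue;
        if (buf[0]) strncat(buf, ",", len - strlen(buf) - 1);
        strncat(buf, tbl[i].name, len - strlen(buf) - 1);
    }
    return buf;
}

/* PAPR+ R1-7.2.1-9: RTAS must be entered with MSR[RI] = 1. */
int rtas_entry_ri_ok(uint64_t msr) { return (msr & MSR_RI) != 0; }

/* Real mode (DR, IR clear) and 32-bit big endian (SF, LE clear), as the description states. */
int is_rtas_mode(uint64_t msr) { return (msr & (MSR_DR | MSR_IR | MSR_SF | MSR_LE)) == 0; }

/* Mask-based derivation in the spirit of the "relatively complex" pre-fix path: start from the
 * caller's MSR and strip bits. The mask is an illustration, not the kernel's; the point is that
 * RI is among the bits stripped, so RTAS ends up running with RI = 0. */
uint64_t rtas_msr_derived(uint64_t caller_msr)
{
    return caller_msr & ~(MSR_SF | MSR_IR | MSR_DR | MSR_LE | MSR_EE | MSR_FP | MSR_VEC | MSR_VSX | MSR_RI);
}

/* Hardcoded entry value: real mode, 32-bit big endian, machine checks on, RI set.
 * Assumed composition; the page only says the fix replaces the computation with a hardcoded value. */
uint64_t rtas_msr_hardcoded(void) { return MSR_ME | MSR_RI; }

/* Log triage: returns 1 when a hard-lockup watchdog report and an unrecoverable system reset
 * appear together and the MSR line shows RI clear. Copies the "Comm:" name into comm (32 bytes). */
int matches_rtas_lockup(const char **lines, size_t n, char *comm, uint64_t *msr_out)
{
    int lockup = 0, reset = 0, have_msr = 0;
    comm[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        const char *c;
        if (strstr(lines[i], "Hard LOCKUP")) lockup = 1;
        if (strstr(lines[i], "Unrecoverable System Reset")) reset = 1;
        if ((c = strstr(lines[i], "Comm: ")) != NULL) sscanf(c + 6, "%31s", comm);
        if (!have_msr) have_msr = parse_msr_line(lines[i], msr_out);
    }
    return lockup && reset && have_msr && !rtas_entry_ri_ok(*msr_out);
}

int main(void)
{
    char comm[32], flags[64];
    uint64_t msr = 0;
    if (matches_rtas_lockup(sample_log, sample_log_len, comm, &msr)) {
        printf("hard lockup + unrecoverable reset while '%s' was in RTAS\n", comm);
        printf("MSR %016llx <%s>: RI %s\n", (unsigned long long)msr,
               msr_flags(msr, flags, sizeof flags), rtas_entry_ri_ok(msr) ? "set" : "clear");
    }
    uint64_t d = rtas_msr_derived(msr), h = rtas_msr_hardcoded();
    printf("derived   %016llx RI=%d rtas_mode=%d\n", (unsigned long long)d, rtas_entry_ri_ok(d), is_rtas_mode(d));
    printf("hardcoded %016llx RI=%d rtas_mode=%d\n", (unsigned long long)h, rtas_entry_ri_ok(h), is_rtas_mode(h));
    return 0;
}
```

Running it on the constructed lines reports the lockup while drmgr was in RTAS and decodes the trace's MSR as <SF,VEC,VSX,ME> with RI clear; the derived value keeps RI clear, while the hardcoded value passes both the RI check and the real-mode/32-bit check. Pointing matches_rtas_lockup() at real kernel log lines gives a defender a concrete signature for the crash the advisory describes.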
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2025-02-26T02:08:31.570Z
- CISA Enriched: false
- CVSS Version: null
- State: PUBLISHED
Threat ID: 682d982ec4522896dcbe5a2e
Added to database: 5/21/2025, 9:09:02 AM
Last enriched: 6/30/2025, 7:13:50 AM
Last updated: 7/29/2025, 11:27:32 PM
Views: 10
Related Threats
- CVE-2025-8989: SQL Injection in SourceCodester COVID 19 Testing Management System (Medium)
- CVE-2025-8988: SQL Injection in SourceCodester COVID 19 Testing Management System (Medium)
- CVE-2025-8987: SQL Injection in SourceCodester COVID 19 Testing Management System (Medium)
- CVE-2025-8986: SQL Injection in SourceCodester COVID 19 Testing Management System (Medium)
- CVE-2025-31987: CWE-405 Asymmetric Resource Consumption in HCL Software Connections Docs (Medium)