CVE-2022-49703: Vulnerability in the Linux kernel
In the Linux kernel, the following vulnerability has been resolved:

scsi: ibmvfc: Store vhost pointer during subcrq allocation

Currently the back pointer from a queue to the vhost adapter isn't set until after subcrq interrupt registration. The value is available when a queue is first allocated and can/should be also set for primary and async queues as well as subcrqs.

This fixes a crash observed during kexec/kdump on Power 9 with legacy XICS interrupt controller where a pending subcrq interrupt from the previous kernel can be replayed immediately upon IRQ registration resulting in dereference of a garbage backpointer in ibmvfc_interrupt_scsi().

Kernel attempted to read user page (58) - exploit attempt? (uid: 0)
BUG: Kernel NULL pointer dereference on read at 0x00000058
Faulting instruction address: 0xc008000003216a08
Oops: Kernel access of bad area, sig: 11 [#1]
...
NIP [c008000003216a08] ibmvfc_interrupt_scsi+0x40/0xb0 [ibmvfc]
LR [c0000000082079e8] __handle_irq_event_percpu+0x98/0x270
Call Trace:
[c000000047fa3d80] [c0000000123e6180] 0xc0000000123e6180 (unreliable)
[c000000047fa3df0] [c0000000082079e8] __handle_irq_event_percpu+0x98/0x270
[c000000047fa3ea0] [c000000008207d18] handle_irq_event+0x98/0x188
[c000000047fa3ef0] [c00000000820f564] handle_fasteoi_irq+0xc4/0x310
[c000000047fa3f40] [c000000008205c60] generic_handle_irq+0x50/0x80
[c000000047fa3f60] [c000000008015c40] __do_irq+0x70/0x1a0
[c000000047fa3f90] [c000000008016d7c] __do_IRQ+0x9c/0x130
[c000000014622f60] [0000000020000000] 0x20000000
[c000000014622ff0] [c000000008016e50] do_IRQ+0x40/0xa0
[c000000014623020] [c000000008017044] replay_soft_interrupts+0x194/0x2f0
[c000000014623210] [c0000000080172a8] arch_local_irq_restore+0x108/0x170
[c000000014623240] [c000000008eb1008] _raw_spin_unlock_irqrestore+0x58/0xb0
[c000000014623270] [c00000000820b12c] __setup_irq+0x49c/0x9f0
[c000000014623310] [c00000000820b7c0] request_threaded_irq+0x140/0x230
[c000000014623380] [c008000003212a50] ibmvfc_register_scsi_channel+0x1e8/0x2f0 [ibmvfc]
[c000000014623450] [c008000003213d1c] ibmvfc_init_sub_crqs+0xc4/0x1f0 [ibmvfc]
[c0000000146234d0] [c0080000032145a8] ibmvfc_reset_crq+0x150/0x210 [ibmvfc]
[c000000014623550] [c0080000032147c8] ibmvfc_init_crq+0x160/0x280 [ibmvfc]
[c0000000146235f0] [c00800000321a9cc] ibmvfc_probe+0x2a4/0x530 [ibmvfc]
AI Analysis
Technical Summary
CVE-2022-49703 is a vulnerability in the Linux kernel's ibmvfc driver, which provides SCSI over virtual Fibre Channel on IBM Power Systems. The back pointer from a queue to the vhost adapter is not set until after subcrq (sub-command request queue) interrupt registration, although the pointer is already available when the queue is first allocated and should be set there for primary, asynchronous, and subcrq queues alike. During kexec/kdump on IBM Power9 systems using the legacy XICS interrupt controller, a subcrq interrupt left pending by the previous kernel can be replayed immediately upon IRQ registration; the handler ibmvfc_interrupt_scsi() then dereferences a garbage or NULL back pointer, producing a kernel NULL pointer dereference at address 0x00000058 and a kernel oops. The problem is specific to IBM Power9 hardware running Linux kernels with the ibmvfc driver and the legacy XICS interrupt controller. No exploits in the wild are known, and the issue is primarily a stability and denial-of-service concern rather than a code-execution flaw. The root cause is a race between interrupt registration and queue initialization in the driver's interrupt handling code: the IRQ is registered before the queue's back pointer is populated, so an interrupt replayed during kernel reboot or crash-dump scenarios (kexec/kdump) runs the handler against an uninitialized pointer. The fix sets the back pointer earlier, during queue allocation, for all relevant queues, so that a replayed interrupt never sees an invalid pointer. The vulnerability affects Linux kernel versions containing the ibmvfc driver code prior to the fix and is specific to IBM Power architecture systems.
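The ordering defect described above, modelled as an added example that is not the ibmvfc driver's own code: a simulated request_irq() that delivers any already-pending interrupt before it returns (the replay window of the kexec/kdump case), with the pre-fix order (back pointer set after registration) beside the fixed order (back pointer stored at allocation). The struct and function names (vhost, queue, interrupt_scsi, request_irq_sim, register_queue_before/after) are hypothetical stand-ins.

```c
/* Added illustration, not the ibmvfc driver's code: a minimal model of the
 * queue/adapter lifecycle.  The IRQ layer is simulated: registering a handler
 * immediately replays an interrupt left pending by the previous kernel. */
#include <stdio.h>
#include <string.h>

struct vhost {                 /* hypothetical stand-in for the adapter */
    char name[16];
    int scsi_events;           /* SCSI interrupts that reached the adapter */
};

struct queue {                 /* hypothetical stand-in for a subcrq/primary/async queue */
    struct vhost *vhost;       /* back pointer to the adapter */
    int irq;
};

typedef int (*irq_handler_t)(void *dev);

/* Handler modelled on the role of ibmvfc_interrupt_scsi(): it needs the back
 * pointer.  Returns 0 when the pointer was valid and -1 when it was still
 * NULL; the real handler would oops on the dereference instead of returning. */
static int interrupt_scsi(void *dev)
{
    struct queue *q = dev;
    if (q->vhost == NULL)
        return -1;
    q->vhost->scsi_events++;
    return 0;
}

/* Simulated request_irq(): if an interrupt is already pending on this line it
 * is delivered before registration returns. */
static int request_irq_sim(int pending, irq_handler_t h, void *dev)
{
    return pending ? h(dev) : 0;
}

/* Pre-fix order: allocate, register the IRQ, then set the back pointer. */
int register_queue_before(struct vhost *vh, struct queue *q, int pending)
{
    memset(q, 0, sizeof *q);            /* q->vhost is NULL here */
    int rc = request_irq_sim(pending, interrupt_scsi, q);
    q->vhost = vh;                      /* too late if an IRQ was replayed */
    return rc;
}

/* Fixed order: the back pointer is stored as soon as the queue exists. */
int register_queue_after(struct vhost *vh, struct queue *q, int pending)
{
    memset(q, 0, sizeof *q);
    q->vhost = vh;                      /* set at allocation time */
    return request_irq_sim(pending, interrupt_scsi, q);
}

int main(void)
{
    struct vhost vh = { "vfc0", 0 };    /* constructed adapter */
    struct queue q;
    printf("pending IRQ, pre-fix order: %s\n",
           register_queue_before(&vh, &q, 1) ? "handler saw NULL back pointer" : "ok");
    printf("pending IRQ, fixed order:   %s (events=%d)\n",
           register_queue_after(&vh, &q, 1) ? "handler saw NULL back pointer" : "ok",
           vh.scsi_events);
    return 0;
}
```

Without a pending interrupt both orders behave identically, which is why the defect only surfaced in the kexec/kdump replay scenario; the fixed order is correct regardless of whether an interrupt is replayed.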
Potential Impact
For European organizations using IBM Power9 servers running Linux with the ibmvfc driver, this vulnerability can cause kernel crashes during kexec or kdump operations, potentially leading to system downtime or loss of diagnostic data during crash dumps. The impact is primarily on system availability and reliability rather than confidentiality or integrity. Organizations relying on IBM Power9 hardware for critical workloads, especially those using virtualized Fibre Channel storage, may experience unexpected reboots or failures during kernel crash recovery or reboot processes. This can disrupt business continuity, especially in data centers or environments where high availability is required. Since the vulnerability is triggered during kernel interrupt handling, it could be exploited to cause denial-of-service conditions but does not appear to allow privilege escalation or arbitrary code execution. The lack of known exploits in the wild reduces immediate risk, but unpatched systems remain vulnerable to stability issues. European enterprises in sectors such as finance, telecommunications, and government that use IBM Power9 Linux servers for mission-critical applications could be affected. Additionally, the inability to reliably perform kdump may hinder forensic analysis after system crashes, complicating incident response efforts.
Mitigation Recommendations
1. Apply the official Linux kernel patches that address CVE-2022-49703 as soon as they become available from trusted Linux distributions or the Linux kernel mainline.
2. For organizations using IBM Power9 systems, coordinate with hardware and OS vendors to ensure updated kernel versions with the fix are deployed in production environments.
3. Test kernel updates in staging environments to verify stability and compatibility with existing workloads and storage configurations before production rollout.
4. Monitor system logs for kernel oops or crash messages related to ibmvfc_interrupt_scsi to detect potential exploitation or triggering of this vulnerability.
5. If immediate patching is not feasible, consider limiting the use of kexec/kdump functionality or schedule reboots during maintenance windows to minimize impact.
6. Maintain up-to-date backups and disaster recovery plans to mitigate potential downtime caused by kernel crashes.
7. Engage with IBM support and Linux distribution vendors for guidance on best practices specific to IBM Power9 Linux environments.
8. Implement robust monitoring and alerting for kernel stability issues to enable rapid response to crashes potentially related to this vulnerability.
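For recommendation 4, an added detection helper that is not part of the advisory or the kernel: it scans kernel log lines for an oops whose NIP frame lies in ibmvfc_interrupt_scsi, run here over a constructed sample assembled from the oops lines quoted above. The function name, the timestamp prefixes and the unrelated filler line are assumptions.

```c
/* Added detection helper, not from the advisory or the kernel: flags an oops
 * whose faulting instruction (NIP) is in ibmvfc_interrupt_scsi. */
#include <stdio.h>
#include <string.h>

/* Returns 1 if a "BUG:"/"Oops:" line is followed by a NIP line naming
 * ibmvfc_interrupt_scsi, 0 otherwise.  The first NIP line after an oops
 * header decides; an oops elsewhere in the kernel closes the window. */
int ibmvfc_oops_seen(const char *const *lines, size_t n)
{
    int in_oops = 0;
    for (size_t i = 0; i < n; i++) {
        const char *l = lines[i];
        if (strstr(l, "BUG: Kernel NULL pointer dereference") ||
            strstr(l, "Oops: Kernel access of bad area")) {
            in_oops = 1;
        } else if (in_oops && strstr(l, "NIP [")) {
            if (strstr(l, "ibmvfc_interrupt_scsi"))
                return 1;
            in_oops = 0;            /* some other oops; keep scanning */
        }
    }
    return 0;
}

/* Constructed sample: the oops lines quoted in the advisory, with dmesg-style
 * timestamps and one unrelated filler line added. */
static const char *const sample_hit[] = {
    "[    3.101] constructed unrelated kernel log line",
    "[    3.102] BUG: Kernel NULL pointer dereference on read at 0x00000058",
    "[    3.102] Faulting instruction address: 0xc008000003216a08",
    "[    3.102] Oops: Kernel access of bad area, sig: 11 [#1]",
    "[    3.102] NIP [c008000003216a08] ibmvfc_interrupt_scsi+0x40/0xb0 [ibmvfc]",
};

/* Constructed sample of an oops in some other function: must not match. */
static const char *const sample_miss[] = {
    "[    3.102] BUG: Kernel NULL pointer dereference on read at 0x00000010",
    "[    3.102] NIP [c000000000123456] constructed_other_function+0x10/0x40",
};

int main(void)
{
    printf("sample_hit:  %d\n", ibmvfc_oops_seen(sample_hit, 5));   /* 1 */
    printf("sample_miss: %d\n", ibmvfc_oops_seen(sample_miss, 2));  /* 0 */
    return 0;
}
```

In production the lines would come from the kernel ring buffer or the journal rather than a static array; the matching logic is the same, and pairing the oops header with the NIP frame avoids alerting on every mention of the driver.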
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2025-02-26T02:21:30.443Z
- Cisa Enriched: false
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d982cc4522896dcbe48b6
Added to database: 5/21/2025, 9:09:00 AM
Last enriched: 6/30/2025, 12:25:39 AM
Last updated: 8/11/2025, 10:32:09 AM
Views: 17