
CVE-2022-49851: Vulnerability in Linux Linux

Severity: High
Published: Thu May 01 2025 (05/01/2025, 14:10:06 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

riscv: fix reserved memory setup

Currently, RISC-V sets up reserved memory using the "early" copy of the device tree. As a result, when trying to get a reserved memory region using of_reserved_mem_lookup(), the pointer to reserved memory regions is using the early, pre-virtual-memory address which causes a kernel panic when trying to use the buffer's name:

    Unable to handle kernel paging request at virtual address 00000000401c31ac
    Oops [#1]
    Modules linked in:
    CPU: 0 PID: 0 Comm: swapper Not tainted 6.0.0-rc1-00001-g0d9d6953d834 #1
    Hardware name: Microchip PolarFire-SoC Icicle Kit (DT)
    epc : string+0x4a/0xea
     ra : vsnprintf+0x1e4/0x336
    epc : ffffffff80335ea0 ra : ffffffff80338936 sp : ffffffff81203be0
     gp : ffffffff812e0a98 tp : ffffffff8120de40 t0 : 0000000000000000
     t1 : ffffffff81203e28 t2 : 7265736572203a46 s0 : ffffffff81203c20
     s1 : ffffffff81203e28 a0 : ffffffff81203d22 a1 : 0000000000000000
     a2 : ffffffff81203d08 a3 : 0000000081203d21 a4 : ffffffffffffffff
     a5 : 00000000401c31ac a6 : ffff0a00ffffff04 a7 : ffffffffffffffff
     s2 : ffffffff81203d08 s3 : ffffffff81203d00 s4 : 0000000000000008
     s5 : ffffffff000000ff s6 : 0000000000ffffff s7 : 00000000ffffff00
     s8 : ffffffff80d9821a s9 : ffffffff81203d22 s10: 0000000000000002
     s11: ffffffff80d9821c t3 : ffffffff812f3617 t4 : ffffffff812f3617
     t5 : ffffffff812f3618 t6 : ffffffff81203d08
    status: 0000000200000100 badaddr: 00000000401c31ac cause: 000000000000000d
    [<ffffffff80338936>] vsnprintf+0x1e4/0x336
    [<ffffffff80055ae2>] vprintk_store+0xf6/0x344
    [<ffffffff80055d86>] vprintk_emit+0x56/0x192
    [<ffffffff80055ed8>] vprintk_default+0x16/0x1e
    [<ffffffff800563d2>] vprintk+0x72/0x80
    [<ffffffff806813b2>] _printk+0x36/0x50
    [<ffffffff8068af48>] print_reserved_mem+0x1c/0x24
    [<ffffffff808057ec>] paging_init+0x528/0x5bc
    [<ffffffff808031ae>] setup_arch+0xd0/0x592
    [<ffffffff8080070e>] start_kernel+0x82/0x73c

early_init_fdt_scan_reserved_mem() takes no arguments as it operates on initial_boot_params, which is populated by early_init_dt_verify(). On RISC-V, early_init_dt_verify() is called twice. Once, directly, in setup_arch() if CONFIG_BUILTIN_DTB is not enabled and once indirectly, very early in the boot process, by parse_dtb() when it calls early_init_dt_scan_nodes(). This first call uses dtb_early_va to set initial_boot_params, which is not usable later in the boot process when early_init_fdt_scan_reserved_mem() is called. On arm64 for example, the corresponding call to early_init_dt_scan_nodes() uses fixmap addresses and doesn't suffer the same fate.

Move early_init_fdt_scan_reserved_mem() further along the boot sequence, after the direct call to early_init_dt_verify() in setup_arch() so that the names use the correct virtual memory addresses.

The above supposed that CONFIG_BUILTIN_DTB was not set, but should work equally in the case where it is - unflatten_and_copy_device_tree() also updates initial_boot_params.

AI-Powered Analysis

Last updated: 06/28/2025, 00:56:21 UTC

Technical Analysis

CVE-2022-49851 is a vulnerability in the Linux kernel specifically affecting the RISC-V architecture's handling of reserved memory during early boot. The issue arises because the reserved memory regions are set up using an "early" copy of the device tree blob (DTB), which contains physical addresses valid only before virtual memory is fully initialized. When the kernel later attempts to access reserved memory regions via of_reserved_mem_lookup(), it uses pointers referencing this early physical address space rather than the correct virtual memory addresses. This mismatch leads to kernel panics due to invalid memory accesses, as demonstrated by the kernel oops logs referencing invalid virtual addresses during printk operations. The root cause is that early_init_dt_verify() is called twice on RISC-V: once very early in the boot process by parse_dtb(), and again later in setup_arch(). The initial_boot_params structure, which holds the device tree information, is populated with early physical addresses during the first call, which are no longer valid later. Unlike arm64, which uses fixmap addresses to avoid this problem, RISC-V does not. The fix involves moving the call to early_init_fdt_scan_reserved_mem() to a later point in the boot sequence after the second call to early_init_dt_verify() in setup_arch(), ensuring that reserved memory names and pointers use correct virtual addresses. This patch prevents kernel panics caused by invalid memory references during reserved memory setup on RISC-V systems running affected Linux kernel versions. The vulnerability affects Linux kernel versions identified by specific commit hashes, including 922b0375fc93fb1a20c5617e37c389c26bbccb70 and f18ed5bee7bb8a0e99e1c7e7d45e0e51d3497248. There are no known exploits in the wild, and no CVSS score has been assigned yet.
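A constructed C model of the ordering hazard the commit message and the analysis above describe (added here; it is not code from the commit or the kernel). The reserved-memory scan stores a pointer into whichever device-tree mapping initial_boot_params holds at the time, so running it before the setup_arch() verify leaves a dangling pointer. The buffer names, the name offset and the node name are assumptions.

```c
/* Constructed model of the boot-ordering bug behind CVE-2022-49851: not kernel
 * code, the function names mirror the commit message and the bodies are a toy.
 * The FDT is first reachable through an early mapping (dtb_early_va) and later
 * through its final mapping. A reserved-memory entry keeps a pointer to its node
 * name inside whichever mapping initial_boot_params held when the scan ran. */
#include <stdint.h>
#include <string.h>

#define FDT_SIZE 64
#define NAME_OFF 8                      /* constructed offset of the node name */
static char dtb_early_va[FDT_SIZE];     /* early mapping, unusable later in boot */
static char dtb_final_va[FDT_SIZE];     /* mapping valid for the rest of boot */
static const char *initial_boot_params; /* set by early_init_dt_verify() */
static const char *reserved_name;       /* recorded by the reserved-mem scan */

static void early_init_dt_verify(const char *fdt) { initial_boot_params = fdt; }

static void early_init_fdt_scan_reserved_mem(void) {
    reserved_name = initial_boot_params + NAME_OFF;   /* pointer, not a copy */
}

/* Stands in for the MMU fault: the name is usable only if it lies inside the
 * live mapping. Returns the name, or NULL where the real kernel oopses. */
static const char *of_reserved_mem_lookup_name(void) {
    uintptr_t off = (uintptr_t)reserved_name - (uintptr_t)dtb_final_va;
    return off < FDT_SIZE ? reserved_name : NULL;
}

static void load_dtb(void) {
    strcpy(dtb_early_va + NAME_OFF, "mmio-region");   /* constructed node name */
    strcpy(dtb_final_va + NAME_OFF, "mmio-region");
}

/* Unfixed order: the scan runs while initial_boot_params is the early map. */
const char *boot_before_fix(void) {
    load_dtb();
    early_init_dt_verify(dtb_early_va);   /* parse_dtb() path */
    early_init_fdt_scan_reserved_mem();   /* too early: pointer into early map */
    early_init_dt_verify(dtb_final_va);   /* setup_arch() path */
    return of_reserved_mem_lookup_name(); /* NULL: stale pointer */
}

/* Fixed order: the scan runs after the setup_arch() verify. */
const char *boot_after_fix(void) {
    load_dtb();
    early_init_dt_verify(dtb_early_va);
    early_init_dt_verify(dtb_final_va);
    early_init_fdt_scan_reserved_mem();   /* pointer into the final map */
    return of_reserved_mem_lookup_name();
}
```

The toy bounds check replaces the page fault: on real hardware the stale pointer is dereferenced by printk and produces the oops quoted in the description.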

Potential Impact

For European organizations using Linux on RISC-V hardware platforms, this vulnerability could cause system instability and kernel panics during boot, leading to denial of service. This is particularly relevant for embedded systems, IoT devices, and specialized computing platforms leveraging RISC-V architecture, which is gaining traction in various sectors including industrial automation, telecommunications, and research institutions. The inability to properly initialize reserved memory can prevent systems from booting or cause unpredictable crashes, impacting availability and potentially leading to operational disruptions. Since the vulnerability occurs early in the boot process, it may prevent recovery without physical access or re-flashing the device, complicating incident response. Confidentiality and integrity impacts are minimal as the issue primarily causes crashes rather than unauthorized access or data corruption. However, the operational impact on critical infrastructure or industrial control systems using affected RISC-V Linux kernels could be significant, especially if redundancy or failover mechanisms are not in place.

Mitigation Recommendations

European organizations should ensure that all RISC-V based Linux systems are updated to kernel versions that include the fix for CVE-2022-49851. This involves applying patches that move the reserved memory setup to occur after the second call to early_init_dt_verify(), ensuring correct virtual memory addressing. System integrators and device manufacturers should verify that their Linux kernel builds incorporate this fix, particularly for embedded and IoT devices. For systems already deployed, firmware or kernel updates should be prioritized and tested in controlled environments before production rollout. Additionally, organizations should implement robust monitoring to detect kernel panics or boot failures indicative of this issue. Where possible, maintain physical or out-of-band access to devices to facilitate recovery if boot failures occur. Finally, consider architectural mitigations such as redundant systems or failover capabilities to maintain availability in case of device failure due to this vulnerability.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2025-05-01T14:05:17.230Z
CISA Enriched: false
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9821c4522896dcbdd758

Added to database: 5/21/2025, 9:08:49 AM

Last enriched: 6/28/2025, 12:56:21 AM

Last updated: 8/14/2025, 7:58:46 AM

