ghsa-6gv8-fgf9-gqgc
Vulnerability from github
Published
2025-04-14 21:32
Modified
2025-04-14 21:32
Severity ?
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Details

In the Linux kernel, the following vulnerability has been resolved:

powerpc/papr_scm: don't requests stats with '0' sized stats buffer

Sachin reported [1] that on a POWER-10 lpar he is seeing a kernel panic being reported with vPMEM when papr_scm probe is being called. The panic is of the form below and is observed only with following option disabled(profile) for the said LPAR 'Enable Performance Information Collection' in the HMC:

Kernel attempted to write user page (1c) - exploit attempt? (uid: 0) BUG: Kernel NULL pointer dereference on write at 0x0000001c Faulting instruction address: 0xc008000001b90844 Oops: Kernel access of bad area, sig: 11 [#1] NIP [c008000001b90844] drc_pmem_query_stats+0x5c/0x270 [papr_scm] LR [c008000001b92794] papr_scm_probe+0x2ac/0x6ec [papr_scm] Call Trace: 0xc00000000941bca0 (unreliable) papr_scm_probe+0x2ac/0x6ec [papr_scm] platform_probe+0x98/0x150 really_probe+0xfc/0x510 __driver_probe_device+0x17c/0x230 ---[ end trace 0000000000000000 ]--- Kernel panic - not syncing: Fatal exception

On investigation looks like this panic was caused due to a 'stat_buffer' of size==0 being provided to drc_pmem_query_stats() to fetch all performance stats-ids of an NVDIMM. However drc_pmem_query_stats() shouldn't have been called since the vPMEM NVDIMM doesn't support and performance stat-id's. This was caused due to missing check for 'p->stat_buffer_len' at the beginning of papr_scm_pmu_check_events() which indicates that the NVDIMM doesn't support performance-stats.

Fix this by introducing the check for 'p->stat_buffer_len' at the beginning of papr_scm_pmu_check_events().

[1] https://lore.kernel.org/all/6B3A522A-6A5F-4CC9-B268-0C63AA6E07D3@linux.ibm.com

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2022-49353"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-26T07:01:12Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/papr_scm: don\u0027t requests stats with \u00270\u0027 sized stats buffer\n\nSachin reported [1] that on a POWER-10 lpar he is seeing a kernel panic being\nreported with vPMEM when papr_scm probe is being called. The panic is of the\nform below and is observed only with following option disabled(profile) for the\nsaid LPAR \u0027Enable Performance Information Collection\u0027 in the HMC:\n\n Kernel attempted to write user page (1c) - exploit attempt? (uid: 0)\n BUG: Kernel NULL pointer dereference on write at 0x0000001c\n Faulting instruction address: 0xc008000001b90844\n Oops: Kernel access of bad area, sig: 11 [#1]\n\u003csnip\u003e\n NIP [c008000001b90844] drc_pmem_query_stats+0x5c/0x270 [papr_scm]\n LR [c008000001b92794] papr_scm_probe+0x2ac/0x6ec [papr_scm]\n Call Trace:\n       0xc00000000941bca0 (unreliable)\n       papr_scm_probe+0x2ac/0x6ec [papr_scm]\n       platform_probe+0x98/0x150\n       really_probe+0xfc/0x510\n       __driver_probe_device+0x17c/0x230\n\u003csnip\u003e\n ---[ end trace 0000000000000000 ]---\n Kernel panic - not syncing: Fatal exception\n\nOn investigation looks like this panic was caused due to a \u0027stat_buffer\u0027 of\nsize==0 being provided to drc_pmem_query_stats() to fetch all performance\nstats-ids of an NVDIMM. However drc_pmem_query_stats() shouldn\u0027t have been called\nsince the vPMEM NVDIMM doesn\u0027t support and performance stat-id\u0027s. This was caused\ndue to missing check for \u0027p-\u003estat_buffer_len\u0027 at the beginning of\npapr_scm_pmu_check_events() which indicates that the NVDIMM doesn\u0027t support\nperformance-stats.\n\nFix this by introducing the check for \u0027p-\u003estat_buffer_len\u0027 at the beginning of\npapr_scm_pmu_check_events().\n\n[1] https://lore.kernel.org/all/6B3A522A-6A5F-4CC9-B268-0C63AA6E07D3@linux.ibm.com",
  "id": "GHSA-6gv8-fgf9-gqgc",
  "modified": "2025-04-14T21:32:22Z",
  "published": "2025-04-14T21:32:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49353"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/07bf9431b1590d1cd7a8d62075d0b50b073f0495"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e1295aab2ebcda1c1a9ed342baedc080e5c393e5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.