CVE-2022-49955 Information
Description
In the Linux kernel the following vulnerability has been resolved:
powerpc/rtas: Fix RTAS MSR[HV] handling for Cell
The semi-recent changes to MSR handling when entering RTAS (firmware) cause crashes on IBM Cell machines. An example trace:
kernel tried to execute user page (2fff01a8) - exploit attempt? (uid: 0)
BUG: Unable to handle kernel instruction fetch
Faulting instruction address: 0x2fff01a8
Oops: Kernel access of bad area sig: 11 [1]
BE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=4 NUMA Cell
Modules linked in:
CPU: 0 PID: 0 Comm: swapper/0 Tainted: G W 6.0.0-rc2-00433-gede0a8d3307a 207
NIP: 000000002fff01a8 LR: 0000000000032608 CTR: 0000000000000000
REGS: c0000000015236b0 TRAP: 0400 Tainted: G W (6.0.0-rc2-00433-gede0a8d3307a)
MSR: 0000000008001002
Unlike PAPR platforms where RTAS is only used in guests, on the IBM Cell machines Linux runs with MSR[HV] set but also uses RTAS provided by SLOF.
Fix it by copying the MSR[HV] bit from the MSR value we’ve just read using mfmsr into the value used for RTAS.
It seems like we could also fix it using an #ifdef CELL to set MSR[HV], but that doesn't work because it's possible to build a single kernel image that runs on both Cell native and pseries.
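To make the fix concrete, here is an added C model of the MSR computation the commit describes; it is not the kernel's own entry code. It contrasts a fixed RTAS MSR (which drops MSR[HV] on Cell) with one that carries the MSR[HV] bit over from the value just read with mfmsr, so a single image behaves correctly on both Cell native and a pseries guest. The MSR bit positions follow arch/powerpc/include/asm/reg.h; the set of other bits RTAS is entered with (RTAS_MSR_BASE) and the sample MSR inputs are assumptions, and the oops MSR value is the one quoted in the trace above.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* MSR bit positions as defined in arch/powerpc/include/asm/reg.h. */
#define MSR_SF (1ULL << 63) /* 64-bit mode */
#define MSR_HV (1ULL << 60) /* hypervisor state */
#define MSR_EE (1ULL << 15) /* external interrupts enabled */
#define MSR_ME (1ULL << 12) /* machine check enable */
#define MSR_IR (1ULL << 5)  /* instruction relocate (MMU on) */
#define MSR_DR (1ULL << 4)  /* data relocate (MMU on) */
#define MSR_RI (1ULL << 1)  /* recoverable interrupt */

/* Assumed stand-in for the bits RTAS is entered with: real mode (IR/DR
 * clear), interrupts off. The exact set is not the point; MSR[HV] is. */
#define RTAS_MSR_BASE (MSR_ME | MSR_RI)

/* Buggy behaviour: a fixed MSR is loaded regardless of the current one,
 * so MSR[HV] is silently dropped on Cell, where Linux itself runs in HV. */
uint64_t rtas_msr_buggy(uint64_t cur_msr)
{
    (void)cur_msr;
    return RTAS_MSR_BASE;
}

/* Fixed behaviour per the commit: copy the MSR[HV] bit from the value just
 * read with mfmsr into the MSR used for RTAS. One image then works on both
 * Cell native (HV set) and pseries guests (HV clear) with no #ifdef. */
uint64_t rtas_msr_fixed(uint64_t cur_msr)
{
    return RTAS_MSR_BASE | (cur_msr & MSR_HV);
}

bool msr_has_hv(uint64_t msr) { return (msr & MSR_HV) != 0; }

int main(void)
{
    /* Constructed inputs: a Cell-native kernel and a pseries guest kernel. */
    uint64_t cell_msr = MSR_SF | MSR_HV | MSR_EE | MSR_ME | MSR_IR | MSR_DR | MSR_RI;
    uint64_t pseries_msr = MSR_SF | MSR_EE | MSR_ME | MSR_IR | MSR_DR | MSR_RI;
    /* MSR from the oops quoted above: bit 60 is clear, i.e. HV was lost. */
    uint64_t oops_msr = 0x0000000008001002ULL;

    printf("oops MSR HV=%d\n", msr_has_hv(oops_msr));
    printf("cell    buggy HV=%d fixed HV=%d\n",
           msr_has_hv(rtas_msr_buggy(cell_msr)), msr_has_hv(rtas_msr_fixed(cell_msr)));
    printf("pseries buggy HV=%d fixed HV=%d\n",
           msr_has_hv(rtas_msr_buggy(pseries_msr)), msr_has_hv(rtas_msr_fixed(pseries_msr)));
    return 0;
}
```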
Reference
https://git.kernel.org/stable/c/8b08d4f97233d8e58fff2fd9d5f86397a49733c5
https://git.kernel.org/stable/c/91926d8b7e71aaf5f84f0cf208fc5a8b7a761050
Related CNNVD
CNNVD-202506-2241 (Published: 2025-06-18)