In the Linux kernel, the following vulnerability has been resolved:
powerpc/64s: Don't use DSISR for SLB faults
Since commit 46ddcb3950a2 ("powerpc/mm: Show if a bad page fault on data is read or write.") we use page_fault_is_write(regs->dsisr) in __bad_page_fault() to determine if the fault is for a read or write, and change the message printed accordingly.
But SLB faults, aka Data Segment Interrupts, don't set DSISR (Data Storage Interrupt Status Register) to a useful value. All ISA versions from v2.03 through v3.1 specify that the Data Segment Interrupt sets DSISR "to an undefined value". As far as I can see there's no mention of SLB faults setting DSISR in any BookIV content either.
This manifests as accesses that should be a read being incorrectly reported as writes, for example, using the xmon "dump" command:
  0:mon> d 0x5deadbeef0000000
  5deadbeef0000000
  [359526.415354][ C6] BUG: Unable to handle kernel data access on write at 0x5deadbeef0000000
  [359526.415611][ C6] Faulting instruction address: 0xc00000000010a300
  cpu 0x6: Vector: 380 (Data SLB Access) at [c00000000ffbf400]
      pc: c00000000010a300: mread+0x90/0x190
If we disassemble the PC, we see a load instruction:
  0:mon> di c00000000010a300
  c00000000010a300 89490000      lbz     r10,0(r9)
We can also see in exceptions-64s.S that the data_access_slb block doesn't set IDSISR=1, which means it doesn't load DSISR into pt_regs. So the value we're using to determine if the fault is a read/write is some stale value in pt_regs from a previous page fault.
Rework the printing logic to separate the SLB fault case out, and only print read/write in the cases where we can determine it.
The result looks like eg:
  0:mon> d 0x5deadbeef0000000
  5deadbeef0000000
  [  721.779525][ C6] BUG: Unable to handle kernel data access at 0x5deadbeef0000000
  [  721.779697][ C6] Faulting instruction address: 0xc00000000014cbe0
  cpu 0x6: Vector: 380 (Data SLB Access) at [c00000000ffbf390]

  0:mon> d 0
  0000000000000000
  [  742.793242][ C6] BUG: Kernel NULL pointer dereference at 0x00000000
  [  742.793316][ C6] Faulting instruction address: 0xc00000000014cbe0
  cpu 0x6: Vector: 380 (Data SLB Access) at [c00000000ffbf390]
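As an added illustration (not the kernel's own code), the stand-alone C below models the printing decision the commit message describes: the pre-fix path trusts DSISR for every data fault, while the post-fix path consults it only for the 0x300 Data Storage vector and prints no direction for the 0x380 SLB case. The vector numbers and the faulting addresses are taken from the xmon output above; DSISR_ISSTORE is the kernel's "access was a store" bit from reg.h, and the 4 KiB NULL-page threshold is an assumption of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Interrupt vectors: "Vector: 380" in the xmon output above is the SLB case. */
#define INT_DATA_STORAGE  0x300UL      /* Data Storage Interrupt: DSISR is loaded into pt_regs */
#define INT_DATA_SEGMENT  0x380UL      /* Data Segment Interrupt (SLB fault): DSISR undefined */
#define DSISR_ISSTORE     0x02000000U  /* "access was a store" bit, as in the kernel's reg.h */
#define NULL_PAGE_LIMIT   4096ULL      /* assumed page size used for the NULL-pointer message */

/* Pre-fix logic: decide read vs write from DSISR no matter which vector was taken. */
const char *access_kind_before(unsigned long trap, uint32_t dsisr)
{
    (void)trap; /* the vector is never looked at, which is the bug */
    return (dsisr & DSISR_ISSTORE) ? "write" : "read";
}

/* Post-fix logic: DSISR is only consulted for a vector that actually loads it. */
const char *access_kind_after(unsigned long trap, uint32_t dsisr)
{
    if (trap == INT_DATA_STORAGE)
        return (dsisr & DSISR_ISSTORE) ? "write" : "read";
    return NULL; /* SLB fault (0x380): the direction cannot be determined */
}

/* Build the BUG: line the way the reworked printing logic does. Returns a static buffer. */
const char *bug_line(unsigned long trap, unsigned long long dar, uint32_t dsisr)
{
    static char buf[128];
    const char *kind = access_kind_after(trap, dsisr);

    if (dar < NULL_PAGE_LIMIT)
        snprintf(buf, sizeof buf, "BUG: Kernel NULL pointer dereference at 0x%08llx", dar);
    else if (kind)
        snprintf(buf, sizeof buf, "BUG: Unable to handle kernel data access on %s at 0x%08llx", kind, dar);
    else
        snprintf(buf, sizeof buf, "BUG: Unable to handle kernel data access at 0x%08llx", dar);
    return buf;
}

int main(void)
{
    /* Constructed scenario: an earlier store fault left DSISR_ISSTORE in pt_regs, then
     * xmon "d 0x5deadbeef0000000" takes an SLB fault (vector 0x380) on a load (lbz). */
    unsigned long long dar = 0x5deadbeef0000000ULL;
    uint32_t stale_dsisr = DSISR_ISSTORE;

    printf("before fix: reported as a %s\n", access_kind_before(INT_DATA_SEGMENT, stale_dsisr));
    printf("after fix:  %s\n", bug_line(INT_DATA_SEGMENT, dar, stale_dsisr));
    printf("after fix:  %s\n", bug_line(INT_DATA_SEGMENT, 0, stale_dsisr));
    return 0;
}
```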
{
"cna_assigner": "Linux",
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49214.json"
}[
{
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d4679ac8ea2e5078704aa1c026db36580cc1bf9a",
"signature_type": "Function",
"target": {
"function": "__bad_page_fault",
"file": "arch/powerpc/mm/fault.c"
},
"deprecated": false,
"id": "CVE-2022-49214-21b12701",
"digest": {
"function_hash": "253701181707904152632452364479260611164",
"length": 1080.0
}
},
{
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a3dae36d632b2cf6eb20314273e512a96cb43c9a",
"signature_type": "Function",
"target": {
"function": "__bad_page_fault",
"file": "arch/powerpc/mm/fault.c"
},
"deprecated": false,
"id": "CVE-2022-49214-70b4baa5",
"digest": {
"function_hash": "253701181707904152632452364479260611164",
"length": 1080.0
}
},
{
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a3dae36d632b2cf6eb20314273e512a96cb43c9a",
"signature_type": "Line",
"target": {
"file": "arch/powerpc/mm/fault.c"
},
"deprecated": false,
"id": "CVE-2022-49214-72b09629",
"digest": {
"line_hashes": [
"23090903151724789882865140687567618051",
"182969885770102035947832279580391873328",
"37275260048066261364289435158798355255",
"290287999674124570574952978190285460947",
"249529685028520170351979106586246801446",
"47461405848758963634169447089954787413",
"104552516629832135397305678027855462829",
"256469357699824853262528281251622392016",
"57204767064988097543414509339489299832",
"231088967012820903917599269593818918530",
"136014772043871232368542225173047951734",
"329927850852359838605886852480633172793",
"186345620914413760208289346804356476138"
],
"threshold": 0.9
}
},
{
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@093449bb182db885dae816d62874cccab7a4c42a",
"signature_type": "Function",
"target": {
"function": "__bad_page_fault",
"file": "arch/powerpc/mm/fault.c"
},
"deprecated": false,
"id": "CVE-2022-49214-b6ecccee",
"digest": {
"function_hash": "253701181707904152632452364479260611164",
"length": 1080.0
}
},
{
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d4679ac8ea2e5078704aa1c026db36580cc1bf9a",
"signature_type": "Line",
"target": {
"file": "arch/powerpc/mm/fault.c"
},
"deprecated": false,
"id": "CVE-2022-49214-c050dc53",
"digest": {
"line_hashes": [
"23090903151724789882865140687567618051",
"182969885770102035947832279580391873328",
"37275260048066261364289435158798355255",
"290287999674124570574952978190285460947",
"249529685028520170351979106586246801446",
"47461405848758963634169447089954787413",
"104552516629832135397305678027855462829",
"256469357699824853262528281251622392016",
"57204767064988097543414509339489299832",
"231088967012820903917599269593818918530",
"136014772043871232368542225173047951734",
"329927850852359838605886852480633172793",
"186345620914413760208289346804356476138"
],
"threshold": 0.9
}
},
{
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@093449bb182db885dae816d62874cccab7a4c42a",
"signature_type": "Line",
"target": {
"file": "arch/powerpc/mm/fault.c"
},
"deprecated": false,
"id": "CVE-2022-49214-fa158f0d",
"digest": {
"line_hashes": [
"23090903151724789882865140687567618051",
"182969885770102035947832279580391873328",
"37275260048066261364289435158798355255",
"290287999674124570574952978190285460947",
"249529685028520170351979106586246801446",
"47461405848758963634169447089954787413",
"104552516629832135397305678027855462829",
"256469357699824853262528281251622392016",
"57204767064988097543414509339489299832",
"231088967012820903917599269593818918530",
"136014772043871232368542225173047951734",
"329927850852359838605886852480633172793",
"186345620914413760208289346804356476138"
],
"threshold": 0.9
}
}
]