{
  "threat_severity" : "Low",
  "public_date" : "2025-02-26T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: powerpc/64s: Don't use DSISR for SLB faults",
    "id" : "2347932",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2347932"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\npowerpc/64s: Don't use DSISR for SLB faults\nSince commit 46ddcb3950a2 (\"powerpc/mm: Show if a bad page fault on data\nis read or write.\") we use page_fault_is_write(regs->dsisr) in\n__bad_page_fault() to determine if the fault is for a read or write, and\nchange the message printed accordingly.\nBut SLB faults, aka Data Segment Interrupts, don't set DSISR (Data\nStorage Interrupt Status Register) to a useful value. All ISA versions\nfrom v2.03 through v3.1 specify that the Data Segment Interrupt sets\nDSISR \"to an undefined value\". As far as I can see there's no mention of\nSLB faults setting DSISR in any BookIV content either.\nThis manifests as accesses that should be a read being incorrectly\nreported as writes, for example, using the xmon \"dump\" command:\n0:mon> d 0x5deadbeef0000000\n5deadbeef0000000\n[359526.415354][    C6] BUG: Unable to handle kernel data access on write at 0x5deadbeef0000000\n[359526.415611][    C6] Faulting instruction address: 0xc00000000010a300\ncpu 0x6: Vector: 380 (Data SLB Access) at [c00000000ffbf400]\npc: c00000000010a300: mread+0x90/0x190\nIf we disassemble the PC, we see a load instruction:\n0:mon> di c00000000010a300\nc00000000010a300 89490000      lbz     r10,0(r9)\nWe can also see in exceptions-64s.S that the data_access_slb block\ndoesn't set IDSISR=1, which means it doesn't load DSISR into pt_regs. So\nthe value we're using to determine if the fault is a read/write is some\nstale value in pt_regs from a previous page fault.\nRework the printing logic to separate the SLB fault case out, and only\nprint read/write in the cases where we can determine it.\nThe result looks like eg:\n0:mon> d 0x5deadbeef0000000\n5deadbeef0000000\n[  721.779525][    C6] BUG: Unable to handle kernel data access at 0x5deadbeef0000000\n[  721.779697][    C6] Faulting instruction address: 0xc00000000014cbe0\ncpu 0x6: Vector: 380 (Data SLB Access) at [c00000000ffbf390]\n0:mon> d 0\n0000000000000000\n[  742.793242][    C6] BUG: Kernel NULL pointer dereference at 0x00000000\n[  742.793316][    C6] Faulting instruction address: 0xc00000000014cbe0\ncpu 0x6: Vector: 380 (Data SLB Access) at [c00000000ffbf390]" ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-05-09T00:00:00Z",
    "advisory" : "RHSA-2023:2458",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-284.11.1.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-05-09T00:00:00Z",
    "advisory" : "RHSA-2023:2458",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-284.11.1.el9_2"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-49214\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-49214\nhttps://lore.kernel.org/linux-cve-announce/2025022620-CVE-2022-49214-1b9a@gregkh/T" ],
  "name" : "CVE-2022-49214",
  "csaw" : false
}