{ "threat_severity" : "Low", "public_date" : "2025-02-26T00:00:00Z", "bugzilla" : { "description" : "kernel: powerpc/papr_scm: don't requests stats with '0' sized stats buffer", "id" : "2347781", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2347781" }, "cvss3" : { "cvss3_base_score" : "4.4", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "status" : "verified" }, "cwe" : "CWE-476", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\npowerpc/papr_scm: don't requests stats with '0' sized stats buffer\nSachin reported [1] that on a POWER-10 lpar he is seeing a kernel panic being\nreported with vPMEM when papr_scm probe is being called. The panic is of the\nform below and is observed only with following option disabled(profile) for the\nsaid LPAR 'Enable Performance Information Collection' in the HMC:\nKernel attempted to write user page (1c) - exploit attempt? (uid: 0)\nBUG: Kernel NULL pointer dereference on write at 0x0000001c\nFaulting instruction address: 0xc008000001b90844\nOops: Kernel access of bad area, sig: 11 [#1]\n\nNIP [c008000001b90844] drc_pmem_query_stats+0x5c/0x270 [papr_scm]\nLR [c008000001b92794] papr_scm_probe+0x2ac/0x6ec [papr_scm]\nCall Trace:\n0xc00000000941bca0 (unreliable)\npapr_scm_probe+0x2ac/0x6ec [papr_scm]\nplatform_probe+0x98/0x150\nreally_probe+0xfc/0x510\n__driver_probe_device+0x17c/0x230\n\n---[ end trace 0000000000000000 ]---\nKernel panic - not syncing: Fatal exception\nOn investigation looks like this panic was caused due to a 'stat_buffer' of\nsize==0 being provided to drc_pmem_query_stats() to fetch all performance\nstats-ids of an NVDIMM. However drc_pmem_query_stats() shouldn't have been called\nsince the vPMEM NVDIMM doesn't support and performance stat-id's. This was caused\ndue to missing check for 'p->stat_buffer_len' at the beginning of\npapr_scm_pmu_check_events() which indicates that the NVDIMM doesn't support\nperformance-stats.\nFix this by introducing the check for 'p->stat_buffer_len' at the beginning of\npapr_scm_pmu_check_events().\n[1] https://lore.kernel.org/all/6B3A522A-6A5F-4CC9-B268-0C63AA6E07D3@linux.ibm.com" ], "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2025-11-11T00:00:00Z", "advisory" : "RHSA-2025:20518", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-611.5.1.el9_7" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2025-11-11T00:00:00Z", "advisory" : "RHSA-2025:20518", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-611.5.1.el9_7" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Out of support scope", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-49353\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-49353\nhttps://lore.kernel.org/linux-cve-announce/2025022643-CVE-2022-49353-8599@gregkh/T" ], "name" : "CVE-2022-49353", "csaw" : false }