{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2022-49196","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-02-26T01:49:39.290Z","datePublished":"2025-02-26T01:55:40.626Z","dateUpdated":"2025-05-04T12:44:21.162Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-05-04T12:44:21.162Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/pseries: Fix use after free in remove_phb_dynamic()\n\nIn remove_phb_dynamic() we use &phb->io_resource, after we've called\ndevice_unregister(&host_bridge->dev). But the unregister may have freed\nphb, because pcibios_free_controller_deferred() is the release function\nfor the host_bridge.\n\nIf there are no outstanding references when we call device_unregister()\nthen phb will be freed out from under us.\n\nThis has gone mainly unnoticed, but with slub_debug and page_poison\nenabled it can lead to a crash:\n\n  PID: 7574   TASK: c0000000d492cb80  CPU: 13  COMMAND: \"drmgr\"\n   #0 [c0000000e4f075a0] crash_kexec at c00000000027d7dc\n   #1 [c0000000e4f075d0] oops_end at c000000000029608\n   #2 [c0000000e4f07650] __bad_page_fault at c0000000000904b4\n   #3 [c0000000e4f076c0] do_bad_slb_fault at c00000000009a5a8\n   #4 [c0000000e4f076f0] data_access_slb_common_virt at c000000000008b30\n   Data SLB Access [380] exception frame:\n   R0:  c000000000167250    R1:  c0000000e4f07a00    R2:  c000000002a46100\n   R3:  c000000002b39ce8    R4:  00000000000000c0    R5:  00000000000000a9\n   R6:  3894674d000000c0    R7:  0000000000000000    R8:  00000000000000ff\n   R9:  0000000000000100    R10: 6b6b6b6b6b6b6b6b    R11: 0000000000008000\n   R12: c00000000023da80    R13: c0000009ffd38b00    R14: 0000000000000000\n   R15: 000000011c87f0f0    R16: 0000000000000006    R17: 0000000000000003\n   R18: 0000000000000002    R19: 0000000000000004    R20: 0000000000000005\n   R21: 000000011c87ede8    R22: 000000011c87c5a8    R23: 000000011c87d3a0\n   R24: 0000000000000000    R25: 0000000000000001    R26: c0000000e4f07cc8\n   R27: c00000004d1cc400    R28: c0080000031d00e8    R29: c00000004d23d800\n   R30: c00000004d1d2400    R31: c00000004d1d2540\n   NIP: c000000000167258    MSR: 8000000000009033    OR3: c000000000e9f474\n   CTR: 0000000000000000    LR:  c000000000167250    XER: 0000000020040003\n   CCR: 0000000024088420    MQ:  0000000000000000    DAR: 6b6b6b6b6b6b6ba3\n   DSISR: c0000000e4f07920     Syscall Result: fffffffffffffff2\n   [NIP  : release_resource+56]\n   [LR   : release_resource+48]\n   #5 [c0000000e4f07a00] release_resource at c000000000167258  (unreliable)\n   #6 [c0000000e4f07a30] remove_phb_dynamic at c000000000105648\n   #7 [c0000000e4f07ab0] dlpar_remove_slot at c0080000031a09e8 [rpadlpar_io]\n   #8 [c0000000e4f07b50] remove_slot_store at c0080000031a0b9c [rpadlpar_io]\n   #9 [c0000000e4f07be0] kobj_attr_store at c000000000817d8c\n  #10 [c0000000e4f07c00] sysfs_kf_write at c00000000063e504\n  #11 [c0000000e4f07c20] kernfs_fop_write_iter at c00000000063d868\n  #12 [c0000000e4f07c70] new_sync_write at c00000000054339c\n  #13 [c0000000e4f07d10] vfs_write at c000000000546624\n  #14 [c0000000e4f07d60] ksys_write at c0000000005469f4\n  #15 [c0000000e4f07db0] system_call_exception at c000000000030840\n  #16 [c0000000e4f07e10] system_call_vectored_common at c00000000000c168\n\nTo avoid it, we can take a reference to the host_bridge->dev until we're\ndone using phb. Then when we drop the reference the phb will be freed."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["arch/powerpc/platforms/pseries/pci_dlpar.c"],"versions":[{"version":"2dd9c11b9d4dfbd6c070eab7b81197f65e82f1a0","lessThan":"33d39efb61a84e055ca2386157d39ebbdf6b7d31","status":"affected","versionType":"git"},{"version":"2dd9c11b9d4dfbd6c070eab7b81197f65e82f1a0","lessThan":"403f9e0bc5535a0a5184d1352fa3a70e6ffacb6f","status":"affected","versionType":"git"},{"version":"2dd9c11b9d4dfbd6c070eab7b81197f65e82f1a0","lessThan":"895ca4ae1f72e0a0160ab162723e59c9f265ec93","status":"affected","versionType":"git"},{"version":"2dd9c11b9d4dfbd6c070eab7b81197f65e82f1a0","lessThan":"fe2640bd7a62f1f7c3f55fbda31084085075bc30","status":"affected","versionType":"git"},{"version":"c3e740838fe3117413425c956ac56a5724ccd9f9","status":"affected","versionType":"git"},{"version":"83573addff2b4e16df9fad9a561a0d77d554b370","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["arch/powerpc/platforms/pseries/pci_dlpar.c"],"versions":[{"version":"4.8","status":"affected"},{"version":"0","lessThan":"4.8","status":"unaffected","versionType":"semver"},{"version":"5.15.33","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"5.16.19","lessThanOrEqual":"5.16.*","status":"unaffected","versionType":"semver"},{"version":"5.17.2","lessThanOrEqual":"5.17.*","status":"unaffected","versionType":"semver"},{"version":"5.18","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.8","versionEndExcluding":"5.15.33"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.8","versionEndExcluding":"5.16.19"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.8","versionEndExcluding":"5.17.2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.8","versionEndExcluding":"5.18"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.16.39"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.7.8"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/33d39efb61a84e055ca2386157d39ebbdf6b7d31"},{"url":"https://git.kernel.org/stable/c/403f9e0bc5535a0a5184d1352fa3a70e6ffacb6f"},{"url":"https://git.kernel.org/stable/c/895ca4ae1f72e0a0160ab162723e59c9f265ec93"},{"url":"https://git.kernel.org/stable/c/fe2640bd7a62f1f7c3f55fbda31084085075bc30"}],"title":"powerpc/pseries: Fix use after free in remove_phb_dynamic()","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"problemTypes":[{"descriptions":[{"type":"CWE","cweId":"CWE-416","lang":"en","description":"CWE-416 Use After Free"}]}],"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":7.8,"attackVector":"LOCAL","baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","integrityImpact":"HIGH","userInteraction":"NONE","attackComplexity":"LOW","availabilityImpact":"HIGH","privilegesRequired":"LOW","confidentialityImpact":"HIGH"}},{"other":{"type":"ssvc","content":{"timestamp":"2025-03-04T18:03:23.162575Z","id":"CVE-2022-49196","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-05-01T17:19:08.367Z"}}]}}