CVE-2022-49440
Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 26/02/2025
Last modified: 26/02/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

powerpc/rtas: Keep MSR[RI] set when calling RTAS

RTAS runs in real mode (MSR[DR] and MSR[IR] unset) and in 32-bit big
endian mode (MSR[SF,LE] unset).

The change in MSR is done in enter_rtas() in a relatively complex way,
since the MSR value could be hardcoded.

Furthermore, a panic has been reported when hitting the watchdog interrupt
while running in RTAS; this leads to the following stack trace:

  watchdog: CPU 24 Hard LOCKUP
  watchdog: CPU 24 TB:997512652051031, last heartbeat TB:997504470175378 (15980ms ago)
  ...
  Supported: No, Unreleased kernel
  CPU: 24 PID: 87504 Comm: drmgr Kdump: loaded Tainted: G E X 5.14.21-150400.71.1.bz196362_2-default #1 SLE15-SP4 (unreleased) 0d821077ef4faa8dfaf370efb5fdca1fa35f4e2c
  NIP: 000000001fb41050 LR: 000000001fb4104c CTR: 0000000000000000
  REGS: c00000000fc33d60 TRAP: 0100 Tainted: G E X (5.14.21-150400.71.1.bz196362_2-default)
  MSR: 8000000002981000 CR: 48800002 XER: 20040020
  CFAR: 000000000000011c IRQMASK: 1
  GPR00: 0000000000000003 ffffffffffffffff 0000000000000001 00000000000050dc
  GPR04: 000000001ffb6100 0000000000000020 0000000000000001 000000001fb09010
  GPR08: 0000000020000000 0000000000000000 0000000000000000 0000000000000000
  GPR12: 80040000072a40a8 c00000000ff8b680 0000000000000007 0000000000000034
  GPR16: 000000001fbf6e94 000000001fbf6d84 000000001fbd1db0 000000001fb3f008
  GPR20: 000000001fb41018 ffffffffffffffff 000000000000017f fffffffffffff68f
  GPR24: 000000001fb18fe8 000000001fb3e000 000000001fb1adc0 000000001fb1cf40
  GPR28: 000000001fb26000 000000001fb460f0 000000001fb17f18 000000001fb17000
  NIP [000000001fb41050] 0x1fb41050
  LR [000000001fb4104c] 0x1fb4104c
  Call Trace:
  Instruction dump:
  XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
  XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
  Oops: Unrecoverable System Reset, sig: 6 [#1]
  LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries
  ...
  Supported: No, Unreleased kernel
  CPU: 24 PID: 87504 Comm: drmgr Kdump: loaded Tainted: G E X 5.14.21-150400.71.1.bz196362_2-default #1 SLE15-SP4 (unreleased) 0d821077ef4faa8dfaf370efb5fdca1fa35f4e2c
  NIP: 000000001fb41050 LR: 000000001fb4104c CTR: 0000000000000000
  REGS: c00000000fc33d60 TRAP: 0100 Tainted: G E X (5.14.21-150400.71.1.bz196362_2-default)
  MSR: 8000000002981000 CR: 48800002 XER: 20040020
  CFAR: 000000000000011c IRQMASK: 1
  GPR00: 0000000000000003 ffffffffffffffff 0000000000000001 00000000000050dc
  GPR04: 000000001ffb6100 0000000000000020 0000000000000001 000000001fb09010
  GPR08: 0000000020000000 0000000000000000 0000000000000000 0000000000000000
  GPR12: 80040000072a40a8 c00000000ff8b680 0000000000000007 0000000000000034
  GPR16: 000000001fbf6e94 000000001fbf6d84 000000001fbd1db0 000000001fb3f008
  GPR20: 000000001fb41018 ffffffffffffffff 000000000000017f fffffffffffff68f
  GPR24: 000000001fb18fe8 000000001fb3e000 000000001fb1adc0 000000001fb1cf40
  GPR28: 000000001fb26000 000000001fb460f0 000000001fb17f18 000000001fb17000
  NIP [000000001fb41050] 0x1fb41050
  LR [000000001fb4104c] 0x1fb4104c
  Call Trace:
  Instruction dump:
  XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
  XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
  ---[ end trace 3ddec07f638c34a2 ]---

This happens because MSR[RI] is unset when entering RTAS, but there is no
valid reason to not set it here.

RTAS is expected to be called with MSR[RI] as specified in PAPR+ section
"7.2.1 Machine State":

  R1–7.2.1–9. If called with MSR[RI] equal to 1, then RTAS must protect
  its own critical regions from recursion by setting the MSR[RI] bit to
  0 when in the critical regions.

Fixing this by reviewing the way MSR is computed before calling RTAS. Now a
hardcoded value meaning real
---truncated---
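As an added example (not code from the kernel commit or from this CVE record), the following C program decodes the MSR value printed in the register dump above and checks it against the RTAS entry state the commit message describes: real mode (IR and DR clear), 32-bit big endian (SF and LE clear) and, per PAPR+ R1–7.2.1–9, recoverable (RI set). MSR bit positions are those of arch/powerpc/include/asm/reg.h; the sample "MSR:" line is copied from the trace above; the candidate value MSR_ME | MSR_RI exercised in main() is an assumption standing in for whatever hardcoded value the commit installs, which the truncated description does not show.

```c
/*
 * Added example, not code from the kernel commit or from this CVE page.
 * Decodes the MSR printed in the register dump above and checks it against
 * the RTAS entry state the commit describes.  Bit positions follow
 * arch/powerpc/include/asm/reg.h (MSR_*_LG).  The candidate entry value used
 * in main() is an assumption, not the value the commit installs.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* MSR bit numbers, little-endian numbering as in reg.h. */
#define MSR_SF_LG   63  /* 64-bit mode; RTAS needs 0 */
#define MSR_HV_LG   60  /* hypervisor state */
#define MSR_VEC_LG  25  /* Altivec enabled */
#define MSR_VSX_LG  23  /* VSX enabled */
#define MSR_EE_LG   15  /* external interrupts enabled */
#define MSR_PR_LG   14  /* problem (user) state */
#define MSR_FP_LG   13  /* floating point enabled */
#define MSR_ME_LG   12  /* machine check enabled */
#define MSR_IR_LG    5  /* instruction relocation; RTAS needs 0 */
#define MSR_DR_LG    4  /* data relocation; RTAS needs 0 */
#define MSR_RI_LG    1  /* recoverable interrupt; the bit this fix keeps set */
#define MSR_LE_LG    0  /* little endian; RTAS needs 0 */

#define MSR_BIT(lg) (1ULL << (lg))
#define MSR_SF  MSR_BIT(MSR_SF_LG)
#define MSR_ME  MSR_BIT(MSR_ME_LG)
#define MSR_IR  MSR_BIT(MSR_IR_LG)
#define MSR_DR  MSR_BIT(MSR_DR_LG)
#define MSR_RI  MSR_BIT(MSR_RI_LG)
#define MSR_LE  MSR_BIT(MSR_LE_LG)

/* Copied from the Hard LOCKUP report above (the <...> bit decode was lost). */
static const char oops_msr_line[] =
	"MSR: 8000000002981000 CR: 48800002 XER: 20040020";

/* Pull the 64-bit MSR out of a show_regs() "MSR:" line; 1 on success, 0 if absent. */
int parse_oops_msr(const char *line, uint64_t *msr)
{
	const char *p = strstr(line, "MSR:");
	char *end;

	if (!p)
		return 0;
	p += 4;
	*msr = strtoull(p, &end, 16);	/* skips the leading blank itself */
	return end != p;
}

/* Convenience: the MSR from the embedded sample line, or 0 if it fails to parse. */
uint64_t sample_oops_msr(void)
{
	uint64_t msr = 0;

	return parse_oops_msr(oops_msr_line, &msr) ? msr : 0;
}

/*
 * Check an MSR against the state RTAS must run in: real mode (IR=DR=0),
 * 32-bit big endian (SF=LE=0) and recoverable (RI=1).  Returns 0 when all
 * hold, otherwise the mask of offending bits; RI appears in the mask when it
 * is clear but should be set, which is the condition this fix removes.
 */
uint64_t msr_rtas_entry_violations(uint64_t msr)
{
	const uint64_t must_be_clear = MSR_SF | MSR_IR | MSR_DR | MSR_LE;
	uint64_t bad = msr & must_be_clear;

	if (!(msr & MSR_RI))
		bad |= MSR_RI;
	return bad;
}

/* Print the named bits of an MSR; bits this table does not name are listed by number. */
static void describe_msr(uint64_t msr)
{
	static const struct { int lg; const char *name; } names[] = {
		{ MSR_SF_LG, "SF" }, { MSR_HV_LG, "HV" }, { MSR_VEC_LG, "VEC" },
		{ MSR_VSX_LG, "VSX" }, { MSR_EE_LG, "EE" }, { MSR_PR_LG, "PR" },
		{ MSR_FP_LG, "FP" }, { MSR_ME_LG, "ME" }, { MSR_IR_LG, "IR" },
		{ MSR_DR_LG, "DR" }, { MSR_RI_LG, "RI" }, { MSR_LE_LG, "LE" },
	};
	uint64_t named = 0;
	size_t i;
	int lg;

	printf("MSR %016llx <", (unsigned long long)msr);
	for (i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
		if (msr & MSR_BIT(names[i].lg)) {
			printf("%s,", names[i].name);
			named |= MSR_BIT(names[i].lg);
		}
	}
	printf(">");
	for (lg = 63; lg >= 0; lg--)
		if ((msr & ~named) & MSR_BIT(lg))
			printf(" bit%d", lg);
	printf("\n");
}

int main(void)
{
	uint64_t msr = sample_oops_msr();

	describe_msr(msr);
	printf("RI is %s when the system reset hit RTAS\n",
	       (msr_rtas_entry_violations(msr) & MSR_RI) ? "clear (unrecoverable)" : "set");

	/* Assumed candidate for a hardcoded entry MSR: real mode, 32-bit BE,
	 * machine checks enabled, RI set.  Not necessarily the commit's value. */
	describe_msr(MSR_ME | MSR_RI);
	printf("violations for MSR_ME|MSR_RI: %llx\n",
	       (unsigned long long)msr_rtas_entry_violations(MSR_ME | MSR_RI));
	return 0;
}
```

On the value from the dump, the check reports RI among the violations, which is the state in which a system reset or machine check taken while in RTAS is declared unrecoverable and panics the kernel; the candidate MSR_ME | MSR_RI passes. The example reasons about RI only and deliberately does not interpret the remaining bits of the dumped value.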