{
  "threat_severity" : "Moderate",
  "public_date" : "2025-02-26T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: powerpc/pseries: Fix use after free in remove_phb_dynamic()",
    "id" : "2348173",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2348173"
  },
  "cvss3" : {
    "cvss3_base_score" : "4.4",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
    "status" : "draft"
  },
  "cwe" : "CWE-125",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\npowerpc/pseries: Fix use after free in remove_phb_dynamic()\nIn remove_phb_dynamic() we use &phb->io_resource, after we've called\ndevice_unregister(&host_bridge->dev). But the unregister may have freed\nphb, because pcibios_free_controller_deferred() is the release function\nfor the host_bridge.\nIf there are no outstanding references when we call device_unregister()\nthen phb will be freed out from under us.\nThis has gone mainly unnoticed, but with slub_debug and page_poison\nenabled it can lead to a crash:\nPID: 7574   TASK: c0000000d492cb80  CPU: 13  COMMAND: \"drmgr\"\n#0 [c0000000e4f075a0] crash_kexec at c00000000027d7dc\n#1 [c0000000e4f075d0] oops_end at c000000000029608\n#2 [c0000000e4f07650] __bad_page_fault at c0000000000904b4\n#3 [c0000000e4f076c0] do_bad_slb_fault at c00000000009a5a8\n#4 [c0000000e4f076f0] data_access_slb_common_virt at c000000000008b30\nData SLB Access [380] exception frame:\nR0:  c000000000167250    R1:  c0000000e4f07a00    R2:  c000000002a46100\nR3:  c000000002b39ce8    R4:  00000000000000c0    R5:  00000000000000a9\nR6:  3894674d000000c0    R7:  0000000000000000    R8:  00000000000000ff\nR9:  0000000000000100    R10: 6b6b6b6b6b6b6b6b    R11: 0000000000008000\nR12: c00000000023da80    R13: c0000009ffd38b00    R14: 0000000000000000\nR15: 000000011c87f0f0    R16: 0000000000000006    R17: 0000000000000003\nR18: 0000000000000002    R19: 0000000000000004    R20: 0000000000000005\nR21: 000000011c87ede8    R22: 000000011c87c5a8    R23: 000000011c87d3a0\nR24: 0000000000000000    R25: 0000000000000001    R26: c0000000e4f07cc8\nR27: c00000004d1cc400    R28: c0080000031d00e8    R29: c00000004d23d800\nR30: c00000004d1d2400    R31: c00000004d1d2540\nNIP: c000000000167258    MSR: 8000000000009033    OR3: c000000000e9f474\nCTR: 0000000000000000    LR:  c000000000167250    XER: 0000000020040003\nCCR: 0000000024088420    MQ:  0000000000000000    DAR: 6b6b6b6b6b6b6ba3\nDSISR: c0000000e4f07920     Syscall Result: fffffffffffffff2\n[NIP  : release_resource+56]\n[LR   : release_resource+48]\n#5 [c0000000e4f07a00] release_resource at c000000000167258  (unreliable)\n#6 [c0000000e4f07a30] remove_phb_dynamic at c000000000105648\n#7 [c0000000e4f07ab0] dlpar_remove_slot at c0080000031a09e8 [rpadlpar_io]\n#8 [c0000000e4f07b50] remove_slot_store at c0080000031a0b9c [rpadlpar_io]\n#9 [c0000000e4f07be0] kobj_attr_store at c000000000817d8c\n#10 [c0000000e4f07c00] sysfs_kf_write at c00000000063e504\n#11 [c0000000e4f07c20] kernfs_fop_write_iter at c00000000063d868\n#12 [c0000000e4f07c70] new_sync_write at c00000000054339c\n#13 [c0000000e4f07d10] vfs_write at c000000000546624\n#14 [c0000000e4f07d60] ksys_write at c0000000005469f4\n#15 [c0000000e4f07db0] system_call_exception at c000000000030840\n#16 [c0000000e4f07e10] system_call_vectored_common at c00000000000c168\nTo avoid it, we can take a reference to the host_bridge->dev until we're\ndone using phb. Then when we drop the reference the phb will be freed." ],
  "statement" : "Bug actual only for Powerpc hardware platform. The security impact is limited, because could happen only during shutdown or disconnection of device (after device_unregister function call). Only privileged user can trigger it. For the default configuration bug doesn't lead to kernel crash, but with debugging enabled it could be.",
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Will not fix",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Will not fix",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-49196\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-49196\nhttps://lore.kernel.org/linux-cve-announce/2025022617-CVE-2022-49196-978c@gregkh/T" ],
  "name" : "CVE-2022-49196",
  "csaw" : false
}