VYPR
Unrated severity · NVD Advisory · Published Dec 30, 2025 · Updated Apr 15, 2026

CVE-2022-50870

Description

In the Linux kernel, the following vulnerability has been resolved:

powerpc/rtas: avoid device tree lookups in rtas_os_term()

rtas_os_term() is called during panic. Its behavior depends on a couple of conditions in the /rtas node of the device tree, the traversal of which entails locking and local IRQ state changes. If the kernel panics while devtree_lock is held, rtas_os_term() as currently written could hang.

Instead of discovering the relevant characteristics at panic time, cache them in file-static variables at boot. Note the lookup for "ibm,extended-os-term" is converted to of_property_read_bool() since it is a boolean property, not an RTAS function token.

[mpe: Incorporate suggested change from Nick]

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2022-50870 describes a panic-time hang in rtas_os_term() on powerpc when devtree_lock is contended, patched by caching device-tree properties at boot.

Vulnerability Overview

CVE-2022-50870 is a denial-of-service vulnerability in the Linux kernel's powerpc architecture, specifically within the rtas_os_term() function. This function is invoked during a kernel panic to terminate the system via RTAS (Run-Time Abstraction Services). The root cause is that rtas_os_term() performs device-tree lookups under the /rtas node at panic time. These lookups acquire devtree_lock and modify local IRQ state. If a panic occurs while another context already holds devtree_lock, the function can deadlock, causing the system to hang instead of shutting down cleanly [1].

Exploitation Context

The vulnerability is exploitable only when the kernel panics while devtree_lock is already held. No special authentication or network access is required; an attacker who can trigger a kernel panic (e.g., through other kernel bugs or via local root access) can cause the system to hang indefinitely. Because rtas_os_term() is called in the panic path, any panic that coincides with contention on devtree_lock leads to this condition. The attack surface is therefore local, requiring the ability to induce a panic [1].

Impact

If the condition is triggered, the system cannot complete the panic routine, resulting in a persistent hang rather than a controlled crash or reboot. This constitutes a denial of service, as the system becomes unresponsive. The impact is limited to availability; the vulnerability does not lead to privilege escalation or information disclosure [1].

Mitigation

The fix, backported to multiple stable kernel releases, caches the necessary device-tree properties (such as "ibm,extended-os-term") during boot initialization, avoiding any device-tree lookups at panic time. The patch changes the lookup for the boolean property "ibm,extended-os-term" to use of_property_read_bool() [1]. Administrators should apply the stable kernel updates provided by their distribution to remediate this vulnerability.
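The caching pattern described above, as an added userspace C model (not the kernel patch and not code from this page). All function and variable names are hypothetical, the lock is a flag that reports where a real spinlock would spin forever, and skipping termination when either property is absent is an assumption of the model.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum { TERM_OK, TERM_SKIPPED, TERM_WOULD_HANG };
/* Constructed stand-in for the properties of the /rtas node. */
static const char *model_props[] = { "ibm,os-term", "ibm,extended-os-term" };
static bool model_lock_held; /* models devtree_lock, which is not recursive */

/* Lookup that takes the lock; -1 marks where a real spinlock would spin forever. */
static int model_lookup(const char *name) {
    if (model_lock_held) return -1;
    model_lock_held = true;
    int found = !strcmp(name, model_props[0]) || !strcmp(name, model_props[1]);
    model_lock_held = false;
    return found;
}

/* Before: discover the characteristics at panic time. */
static int term_lookup(void) {
    int tok = model_lookup("ibm,os-term");
    int ext = model_lookup("ibm,extended-os-term");
    if (tok < 0 || ext < 0) return TERM_WOULD_HANG;
    return (tok && ext) ? TERM_OK : TERM_SKIPPED;
}

/* After: file-static values cached at boot; the panic path only reads them. */
static bool cached_os_term, cached_extended_os_term;
static void model_boot_init(void) {
    cached_os_term = model_lookup("ibm,os-term") > 0;
    cached_extended_os_term = model_lookup("ibm,extended-os-term") > 0;
}
static int term_cached(void) {
    return (cached_os_term && cached_extended_os_term) ? TERM_OK : TERM_SKIPPED;
}

/* Simulate a panic raised while the lock is already held. */
static int panic_locked(int (*term)(void)) {
    model_lock_held = true;
    int result = term();
    model_lock_held = false;
    return result;
}

int main(void) {
    model_boot_init();
    printf("before=%d after=%d\n", panic_locked(term_lookup), panic_locked(term_cached));
    return 0;
}
```

In the model, the lookup variant reports TERM_WOULD_HANG when the panic arrives with the lock held, while the cached variant never touches the lock on the panic path.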

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 8

References: 8
