CVE-2023-53487

Summary

In the Linux kernel, the following vulnerability has been resolved:

powerpc/rtas_flash: allow user copy to flash block cache objects

With hardened usercopy enabled (CONFIG_HARDENED_USERCOPY=y), using the /proc/powerpc/rtas/firmware_update interface to prepare a system firmware update yields a BUG():

kernel BUG at mm/usercopy.c:102! Oops: Exception in kernel mode, sig: 5 [#1] LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries Modules linked in: CPU: 0 PID: 2232 Comm: dd Not tainted 6.5.0-rc3+ #2 Hardware name: IBM,8408-E8E POWER8E (raw) 0x4b0201 0xf000004 of:IBM,FW860.50 (SV860_146) hv:phyp pSeries NIP: c0000000005991d0 LR: c0000000005991cc CTR: 0000000000000000 REGS: c0000000148c76a0 TRAP: 0700 Not tainted (6.5.0-rc3+) MSR: 8000000000029033 <SF,EE,ME,IR,DR,RI,LE> CR: 24002242 XER: 0000000c CFAR: c0000000001fbd34 IRQMASK: 0 [ … GPRs omitted … ] NIP usercopy_abort+0xa0/0xb0 LR usercopy_abort+0x9c/0xb0 Call Trace: usercopy_abort+0x9c/0xb0 (unreliable) __check_heap_object+0x1b4/0x1d0 __check_object_size+0x2d0/0x380 rtas_flash_write+0xe4/0x250 proc_reg_write+0xfc/0x160 vfs_write+0xfc/0x4e0 ksys_write+0x90/0x160 system_call_exception+0x178/0x320 system_call_common+0x160/0x2c4

The blocks of the firmware image are copied directly from user memory to objects allocated from flash_block_cache, so flash_block_cache must be created using kmem_cache_create_usercopy() to mark it safe for user access.

[mpe: Trim and indent oops]

Affected Software

VendorProductVersion RangeStatus
LinuxLinux6d07d1cd300f4c7e16005f881fea388164999cc8 < 8f09cc15dcd91d16562400c51d24c7be0d5796faaffected
LinuxLinux6d07d1cd300f4c7e16005f881fea388164999cc8 < 1d29e21ed09fa668416fa7721e08d451b9903485affected
LinuxLinux6d07d1cd300f4c7e16005f881fea388164999cc8 < 0ba7f969be599e21d4b1f1e947593de6515f4996affected
LinuxLinux6d07d1cd300f4c7e16005f881fea388164999cc8 < 8ef25fb13494e35c6dbe15445c7875fa92bc3e8baffected
LinuxLinux6d07d1cd300f4c7e16005f881fea388164999cc8 < b8fee83aa4ed3846c7f50a0b364bc699f48d96e5affected
LinuxLinux6d07d1cd300f4c7e16005f881fea388164999cc8 < 6acb8a453388374fafb3c3b37534b675b2aa0ae1affected
LinuxLinux6d07d1cd300f4c7e16005f881fea388164999cc8 < 4f3175979e62de3b929bfa54a0db4b87d36257a7affected
LinuxLinux4.16affected
LinuxLinux0 < 4.16unaffected
LinuxLinux4.19.293 <= 4.19.*unaffected
LinuxLinux5.4.255 <= 5.4.*unaffected
LinuxLinux5.10.192 <= 5.10.*unaffected
LinuxLinux5.15.128 <= 5.15.*unaffected
LinuxLinux6.1.47 <= 6.1.*unaffected
LinuxLinux6.4.12 <= 6.4.*unaffected
LinuxLinux6.5 <= *unaffected

Weaknesses

References