CVE-2023-53326

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> powerpc: Don&amp;#39;t try to copy PPR for task with NULL pt_regs<br /> <br /> powerpc sets up PF_KTHREAD and PF_IO_WORKER with a NULL pt_regs, which<br /> from my (arguably very short) checking is not commonly done for other<br /> archs. This is fine, except when PF_IO_WORKER&amp;#39;s have been created and<br /> the task does something that causes a coredump to be generated. Then we<br /> get this crash:<br /> <br /> Kernel attempted to read user page (160) - exploit attempt? (uid: 1000)<br /> BUG: Kernel NULL pointer dereference on read at 0x00000160<br /> Faulting instruction address: 0xc0000000000c3a60<br /> Oops: Kernel access of bad area, sig: 11 [#1]<br /> LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=32 NUMA pSeries<br /> Modules linked in: bochs drm_vram_helper drm_kms_helper xts binfmt_misc ecb ctr syscopyarea sysfillrect cbc sysimgblt drm_ttm_helper aes_generic ttm sg libaes evdev joydev virtio_balloon vmx_crypto gf128mul drm dm_mod fuse loop configfs drm_panel_orientation_quirks ip_tables x_tables autofs4 hid_generic usbhid hid xhci_pci xhci_hcd usbcore usb_common sd_mod<br /> CPU: 1 PID: 1982 Comm: ppc-crash Not tainted 6.3.0-rc2+ #88<br /> Hardware name: IBM pSeries (emulated by qemu) POWER9 (raw) 0x4e1202 0xf000005 of:SLOF,HEAD hv:linux,kvm pSeries<br /> NIP: c0000000000c3a60 LR: c000000000039944 CTR: c0000000000398e0<br /> REGS: c0000000041833b0 TRAP: 0300 Not tainted (6.3.0-rc2+)<br /> MSR: 800000000280b033 CR: 88082828 XER: 200400f8<br /> ...<br /> NIP memcpy_power7+0x200/0x7d0<br /> LR ppr_get+0x64/0xb0<br /> Call Trace:<br /> ppr_get+0x40/0xb0 (unreliable)<br /> __regset_get+0x180/0x1f0<br /> regset_get_alloc+0x64/0x90<br /> elf_core_dump+0xb98/0x1b60<br /> do_coredump+0x1c34/0x24a0<br /> get_signal+0x71c/0x1410<br /> do_notify_resume+0x140/0x6f0<br /> interrupt_exit_user_prepare_main+0x29c/0x320<br /> interrupt_exit_user_prepare+0x6c/0xa0<br /> interrupt_return_srr_user+0x8/0x138<br /> <br /> Because ppr_get() is trying to copy from a PF_IO_WORKER with a NULL<br /> pt_regs.<br /> <br /> Check for a valid pt_regs in both ppc_get/ppr_set, and return an error<br /> if not set. The actual error value doesn&amp;#39;t seem to be important here, so<br /> just pick -EINVAL.<br /> <br /> [mpe: Trim oops in change log, add Fixes &amp; Cc stable]