CVE-2023-52499

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 02/03/2024
Last modified: 13/01/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

powerpc/47x: Fix 47x syscall return crash

Eddie reported that newer kernels were crashing during boot on his 476 FSP2 system:

    kernel tried to execute user page (b7ee2000) - exploit attempt? (uid: 0)
    BUG: Unable to handle kernel instruction fetch
    Faulting instruction address: 0xb7ee2000
    Oops: Kernel access of bad area, sig: 11 [#1]
    BE PAGE_SIZE=4K FSP-2
    Modules linked in:
    CPU: 0 PID: 61 Comm: mount Not tainted 6.1.55-d23900f.ppcnf-fsp2 #1
    Hardware name: ibm,fsp2 476fpe 0x7ff520c0 FSP-2
    NIP:  b7ee2000 LR: 8c008000 CTR: 00000000
    REGS: bffebd83 TRAP: 0400   Not tainted (6.1.55-d23900f.ppcnf-fs p2)
    MSR:  00000030   CR: 00001000  XER: 20000000
    GPR00: c00110ac bffebe63 bffebe7e bffebe88 8c008000 00001000 00000d12 b7ee2000
    GPR08: 00000033 00000000 00000000 c139df10 48224824 1016c314 10160000 00000000
    GPR16: 10160000 10160000 00000008 00000000 10160000 00000000 10160000 1017f5b0
    GPR24: 1017fa50 1017f4f0 1017fa50 1017f740 1017f630 00000000 00000000 1017f4f0
    NIP [b7ee2000] 0xb7ee2000
    LR [8c008000] 0x8c008000
    Call Trace:
    Instruction dump:
    XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
    XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
    ---[ end trace 0000000000000000 ]---

The problem is in ret_from_syscall where the check for icache_44x_need_flush is done. When the flush is needed the code jumps out-of-line to do the flush, and then intends to jump back to continue the syscall return.

However the branch back to label 1b doesn't return to the correct location, instead branching back just prior to the return to userspace, causing bogus register values to be used by the rfi.

The breakage was introduced by commit 6f76a01173cc ("powerpc/syscall: implement system call entry/exit logic in C for PPC32") which inadvertently removed the "1" label and reused it elsewhere.

Fix it by adding named local labels in the correct locations. Note that the return label needs to be outside the ifdef so that CONFIG_PPC_47x=n compiles.

Vulnerable products and versions

CPE                                              From                Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     5.12 (including)    5.15.137 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     5.16 (including)    6.1.59 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     6.2 (including)     6.5.8 (excluding)
cpe:2.3:o:linux:linux_kernel:6.6:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.6:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.6:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.6:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.6:rc5:*:*:*:*:*:*
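The ranges above are the only machine-checkable data on this page, so an added example (not part of the CVE record or of the kernel fix) of turning them into an affected-version check follows. It takes a kernel release string as reported by `uname -r` (the `6.1.55-d23900f.ppcnf-fsp2` from the oops is used as constructed sample input), handles the inclusive/exclusive bounds and the listed 6.6 release candidates, and assumes a version falls in exactly one of the rows.

```python
import re

# Affected ranges for CVE-2023-52499 as listed on this page:
# lower bound inclusive, upper bound exclusive, plus the listed 6.6 rc tags.
AFFECTED_RANGES = [("5.12", "5.15.137"), ("5.16", "6.1.59"), ("6.2", "6.5.8")]
AFFECTED_RC = {"6.6-rc1", "6.6-rc2", "6.6-rc3", "6.6-rc4", "6.6-rc5"}

# major.minor[.patch][-rcN]; anything after that (local version suffix) is ignored.
_VER_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?")


def parse_version(s):
    """Parse '6.1.55-d23900f.ppcnf-fsp2' or '6.6-rc3' into (major, minor, patch, rc).
    rc is None for a final release."""
    m = _VER_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised kernel version: {s!r}")
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch or 0), int(rc) if rc else None)


def _key(v):
    # Release candidates sort before the final release of the same base
    # (6.6-rc1 < 6.6-rc5 < 6.6), so order by (major, minor, patch, is_final, rc).
    major, minor, patch, rc = v
    return (major, minor, patch, rc is None, rc or 0)


def is_affected(version_string):
    """True if the kernel version lies in a range or rc tag listed for this CVE.
    Range membership only says the fix is absent; the crash itself needs a
    CONFIG_PPC_47x build, which this check cannot see."""
    v = parse_version(version_string)
    if v[3] is not None:  # release candidate: only the listed tags count
        return f"{v[0]}.{v[1]}-rc{v[3]}" in AFFECTED_RC
    k = _key(v)
    return any(_key(parse_version(lo)) <= k < _key(parse_version(hi))
               for lo, hi in AFFECTED_RANGES)


if __name__ == "__main__":
    # Constructed sample: the kernel from the oops in the description, a fixed
    # stable release, and a listed rc tag.
    for ver in ("6.1.55-d23900f.ppcnf-fsp2", "6.1.59", "6.6-rc3", "6.6"):
        print(f"{ver:32} affected={is_affected(ver)}")
```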