CVE-2023-53487

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
01/10/2025
Last modified:
02/10/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

powerpc/rtas_flash: allow user copy to flash block cache objects

With hardened usercopy enabled (CONFIG_HARDENED_USERCOPY=y), using the
/proc/powerpc/rtas/firmware_update interface to prepare a system
firmware update yields a BUG():

  kernel BUG at mm/usercopy.c:102!
  Oops: Exception in kernel mode, sig: 5 [#1]
  LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries
  Modules linked in:
  CPU: 0 PID: 2232 Comm: dd Not tainted 6.5.0-rc3+ #2
  Hardware name: IBM,8408-E8E POWER8E (raw) 0x4b0201 0xf000004 of:IBM,FW860.50 (SV860_146) hv:phyp pSeries
  NIP: c0000000005991d0 LR: c0000000005991cc CTR: 0000000000000000
  REGS: c0000000148c76a0 TRAP: 0700 Not tainted (6.5.0-rc3+)
  MSR: 8000000000029033 CR: 24002242 XER: 0000000c
  CFAR: c0000000001fbd34 IRQMASK: 0
  [ ... GPRs omitted ... ]
  NIP usercopy_abort+0xa0/0xb0
  LR usercopy_abort+0x9c/0xb0
  Call Trace:
  usercopy_abort+0x9c/0xb0 (unreliable)
  __check_heap_object+0x1b4/0x1d0
  __check_object_size+0x2d0/0x380
  rtas_flash_write+0xe4/0x250
  proc_reg_write+0xfc/0x160
  vfs_write+0xfc/0x4e0
  ksys_write+0x90/0x160
  system_call_exception+0x178/0x320
  system_call_common+0x160/0x2c4

The blocks of the firmware image are copied directly from user memory
to objects allocated from flash_block_cache, so flash_block_cache must
be created using kmem_cache_create_usercopy() to mark it safe for user
access.

[mpe: Trim and indent oops]
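The following is an added illustration, not kernel code and not part of the CVE record: a small userspace C model of the whitelist check that hardened usercopy applies to slab objects. It shows why a cache created with plain kmem_cache_create() (no usercopy region, so useroffset and usersize are both 0) makes every copy_from_user() into one of its objects abort, while kmem_cache_create_usercopy() with the whole object whitelisted lets the rtas_flash block copy through. The struct, the model_* function names, and the RTAS_BLK_SIZE value of 4096 are assumptions for the example; the comparison in usercopy_permitted() mirrors the region test in the kernel's __check_heap_object(), but nothing here touches the real allocator.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Userspace model (added example) of the two slab-cache fields hardened
 * usercopy consults: kmem_cache->useroffset and ->usersize.
 * kmem_cache_create() leaves both at 0 ("no byte of this object may be
 * copied to/from user space"); kmem_cache_create_usercopy() sets the
 * region that copy_from_user()/copy_to_user() are allowed to touch. */
struct model_cache {
    const char *name;
    size_t size;        /* object size in bytes */
    size_t useroffset;  /* start of the usercopy whitelist inside the object */
    size_t usersize;    /* length of the whitelist; 0 means nothing allowed */
};

/* Stand-in for kmem_cache_create(): no usercopy region. */
static struct model_cache model_kmem_cache_create(const char *name, size_t size)
{
    struct model_cache c = { name, size, 0, 0 };
    return c;
}

/* Stand-in for kmem_cache_create_usercopy(): whitelist one region. */
static struct model_cache model_kmem_cache_create_usercopy(const char *name, size_t size,
                                                           size_t useroffset, size_t usersize)
{
    struct model_cache c = { name, size, useroffset, usersize };
    return c;
}

/* The decision __check_heap_object() makes: a copy of n bytes starting at
 * byte `offset` inside an object passes only if the whole range lies in
 * [useroffset, useroffset + usersize]. Anything else reaches
 * usercopy_abort(), which is the BUG() at mm/usercopy.c in the oops. */
static bool usercopy_permitted(const struct model_cache *c, size_t offset, size_t n)
{
    if (offset >= c->size)
        return false;                         /* pointer is not inside the object */
    return offset >= c->useroffset &&
           offset - c->useroffset <= c->usersize &&
           n <= c->useroffset - offset + c->usersize;
}

#define RTAS_BLK_SIZE 4096  /* assumed block size for the example */

/* Before the fix: flash_block_cache built with plain kmem_cache_create().
 * The full-block copy_from_user() that rtas_flash_write() performs is
 * rejected, matching the report. */
static bool rtas_write_before_fix(void)
{
    struct model_cache flash_block_cache =
        model_kmem_cache_create("rtas_flash_cache", RTAS_BLK_SIZE);
    return usercopy_permitted(&flash_block_cache, 0, RTAS_BLK_SIZE);
}

/* After the fix: the entire object is whitelisted, so the same copy passes. */
static bool rtas_write_after_fix(void)
{
    struct model_cache flash_block_cache =
        model_kmem_cache_create_usercopy("rtas_flash_cache", RTAS_BLK_SIZE,
                                         0, RTAS_BLK_SIZE);
    return usercopy_permitted(&flash_block_cache, 0, RTAS_BLK_SIZE);
}

/* The whitelist is a region, not a flag: a copy that overruns it by one
 * byte still aborts, which is what keeps the check meaningful. */
static bool partial_region_overrun(void)
{
    struct model_cache c = model_kmem_cache_create_usercopy("demo", 256, 64, 128);
    return usercopy_permitted(&c, 64, 129);
}

int main(void)
{
    printf("before fix: %s\n", rtas_write_before_fix() ? "copy allowed" : "usercopy_abort()");
    printf("after fix:  %s\n", rtas_write_after_fix()  ? "copy allowed" : "usercopy_abort()");
    printf("overrun:    %s\n", partial_region_overrun() ? "copy allowed" : "usercopy_abort()");
    return 0;
}
```

The practical takeaway for reviewing similar kernel code: any kmem_cache whose objects are handed to copy_from_user() or copy_to_user() needs a usercopy region declared at creation, and the region should be no wider than the bytes user space actually needs to touch.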

Impact