fkie_cve-2023-52499
Vulnerability from fkie_nvd
Published: 2024-03-02 22:15
Modified: 2025-01-13 18:29
Severity: MEDIUM (CVSS v3.1 base score 5.5)
Summary
In the Linux kernel, the following vulnerability has been resolved:
powerpc/47x: Fix 47x syscall return crash
Eddie reported that newer kernels were crashing during boot on his 476
FSP2 system:
kernel tried to execute user page (b7ee2000) - exploit attempt? (uid: 0)
BUG: Unable to handle kernel instruction fetch
Faulting instruction address: 0xb7ee2000
Oops: Kernel access of bad area, sig: 11 [#1]
BE PAGE_SIZE=4K FSP-2
Modules linked in:
CPU: 0 PID: 61 Comm: mount Not tainted 6.1.55-d23900f.ppcnf-fsp2 #1
Hardware name: ibm,fsp2 476fpe 0x7ff520c0 FSP-2
NIP: b7ee2000 LR: 8c008000 CTR: 00000000
REGS: bffebd83 TRAP: 0400 Not tainted (6.1.55-d23900f.ppcnf-fs p2)
MSR: 00000030 <IR,DR> CR: 00001000 XER: 20000000
GPR00: c00110ac bffebe63 bffebe7e bffebe88 8c008000 00001000 00000d12 b7ee2000
GPR08: 00000033 00000000 00000000 c139df10 48224824 1016c314 10160000 00000000
GPR16: 10160000 10160000 00000008 00000000 10160000 00000000 10160000 1017f5b0
GPR24: 1017fa50 1017f4f0 1017fa50 1017f740 1017f630 00000000 00000000 1017f4f0
NIP [b7ee2000] 0xb7ee2000
LR [8c008000] 0x8c008000
Call Trace:
Instruction dump:
XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
---[ end trace 0000000000000000 ]---
The problem is in ret_from_syscall where the check for
icache_44x_need_flush is done. When the flush is needed the code jumps
out-of-line to do the flush, and then intends to jump back to continue
the syscall return.
However the branch back to label 1b doesn't return to the correct
location, instead branching back just prior to the return to userspace,
causing bogus register values to be used by the rfi.
The breakage was introduced by commit 6f76a01173cc
("powerpc/syscall: implement system call entry/exit logic in C for PPC32") which
inadvertently removed the "1" label and reused it elsewhere.
Fix it by adding named local labels in the correct locations. Note that
the return label needs to be outside the ifdef so that CONFIG_PPC_47x=n
compiles.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| linux | linux_kernel | >= 5.12, < 5.15.137 |
| linux | linux_kernel | >= 5.16, < 6.1.59 |
| linux | linux_kernel | >= 6.2, < 6.5.8 |
| linux | linux_kernel | 6.6 rc1 |
| linux | linux_kernel | 6.6 rc2 |
| linux | linux_kernel | 6.6 rc3 |
| linux | linux_kernel | 6.6 rc4 |
| linux | linux_kernel | 6.6 rc5 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E3FF40E0-F902-4D87-83CF-2D4DEEE127FF",
"versionEndExcluding": "5.15.137",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"matchCriteriaId": "96EA633C-1F3E-41C5-A13A-155C55A1F273",
"versionEndExcluding": "6.1.59",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"matchCriteriaId": "AD4E15B4-2591-4A3A-B2A2-7FEAECD5027D",
"versionEndExcluding": "6.5.8",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:6.6:rc1:*:*:*:*:*:*",
"matchCriteriaId": "84267A4F-DBC2-444F-B41D-69E15E1BEC97",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:6.6:rc2:*:*:*:*:*:*",
"matchCriteriaId": "FB440208-241C-4246-9A83-C1715C0DAA6C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:6.6:rc3:*:*:*:*:*:*",
"matchCriteriaId": "0DC421F1-3D5A-4BEF-BF76-4E468985D20B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:6.6:rc4:*:*:*:*:*:*",
"matchCriteriaId": "00AB783B-BE05-40E8-9A55-6AA457D95031",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:6.6:rc5:*:*:*:*:*:*",
"matchCriteriaId": "E7C78D0A-C4A2-4D41-B726-8979E33AD0F9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/47x: Fix 47x syscall return crash\n\nEddie reported that newer kernels were crashing during boot on his 476\nFSP2 system:\n\n kernel tried to execute user page (b7ee2000) - exploit attempt? (uid: 0)\n BUG: Unable to handle kernel instruction fetch\n Faulting instruction address: 0xb7ee2000\n Oops: Kernel access of bad area, sig: 11 [#1]\n BE PAGE_SIZE=4K FSP-2\n Modules linked in:\n CPU: 0 PID: 61 Comm: mount Not tainted 6.1.55-d23900f.ppcnf-fsp2 #1\n Hardware name: ibm,fsp2 476fpe 0x7ff520c0 FSP-2\n NIP:\u00a0 b7ee2000 LR: 8c008000 CTR: 00000000\n REGS: bffebd83 TRAP: 0400\u00a0\u00a0 Not tainted (6.1.55-d23900f.ppcnf-fs p2)\n MSR:\u00a0 00000030 \u003cIR,DR\u003e\u00a0 CR: 00001000\u00a0 XER: 20000000\n GPR00: c00110ac bffebe63 bffebe7e bffebe88 8c008000 00001000 00000d12 b7ee2000\n GPR08: 00000033 00000000 00000000 c139df10 48224824 1016c314 10160000 00000000\n GPR16: 10160000 10160000 00000008 00000000 10160000 00000000 10160000 1017f5b0\n GPR24: 1017fa50 1017f4f0 1017fa50 1017f740 1017f630 00000000 00000000 1017f4f0\n NIP [b7ee2000] 0xb7ee2000\n LR [8c008000] 0x8c008000\n Call Trace:\n Instruction dump:\n XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX\n XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX\n ---[ end trace 0000000000000000 ]---\n\nThe problem is in ret_from_syscall where the check for\nicache_44x_need_flush is done. When the flush is needed the code jumps\nout-of-line to do the flush, and then intends to jump back to continue\nthe syscall return.\n\nHowever the branch back to label 1b doesn\u0027t return to the correct\nlocation, instead branching back just prior to the return to userspace,\ncausing bogus register values to be used by the rfi.\n\nThe breakage was introduced by commit 6f76a01173cc\n(\"powerpc/syscall: implement system call entry/exit logic in C for PPC32\") which\ninadvertently removed the \"1\" label and reused it elsewhere.\n\nFix it by adding named local labels in the correct locations. Note that\nthe return label needs to be outside the ifdef so that CONFIG_PPC_47x=n\ncompiles."
},
{
"lang": "es",
"value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: powerpc/47x: Se corrigi\u00f3 la falla de devoluci\u00f3n de la llamada al sistema 47x Eddie inform\u00f3 que los kernels m\u00e1s nuevos fallaban durante el arranque en su sistema 476 FSP2: el kernel intent\u00f3 ejecutar la p\u00e1gina del usuario (b7ee2000): \u00bfintento de explotaci\u00f3n? (uid: 0) ERROR: No se puede manejar la recuperaci\u00f3n de instrucciones del kernel Direcci\u00f3n de instrucci\u00f3n err\u00f3nea: 0xb7ee2000 Ups: Acceso al kernel del \u00e1rea defectuosa, firma: 11 [#1] BE PAGE_SIZE=4K FSP-2 M\u00f3dulos vinculados en: CPU: 0 PID: 61 Comm: mount No contaminado 6.1.55-d23900f.ppcnf-fsp2 #1 Nombre de hardware: ibm,fsp2 476fpe 0x7ff520c0 FSP-2 NIP: b7ee2000 LR: 8c008000 CTR: 00000000 REGS: bffebd83 TRAP: 0400 No contaminado (6.1. 55-d23900f .ppcnf-fs p2) MSR: 00000030 CR: 00001000 XER: 20000000 GPR00: c00110ac bffebe63 bffebe7e bffebe88 8c008000 00001000 00000d12 b7ee2000 GPR08: 00000 033 00000000 00000000 c139df10 48224824 1016c314 10160000 00000000 GPR16: 10160000 10160000 00000008 00000000 10160000 00000000 10160000 1017f5b0 GPR24: 1017fa50 1017f4f0 1017fa50 1017f740 1017f630 00000000 00000000 1017f4f0 NIP [b7ee2000] 0xb7ee2000 LR [8c008000] 0x8c008000 Seguimiento de llamadas: volcado de instrucciones : XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX ---[ fin de seguimiento 00000000000000000 ] --- El problema est\u00e1 en ret_from_syscall donde se realiza la verificaci\u00f3n de icache_44x_need_flush. Cuando se necesita la descarga, el c\u00f3digo salta fuera de l\u00ednea para realizar la descarga y luego intenta saltar hacia atr\u00e1s para continuar con el retorno de la llamada al sistema. Sin embargo, la bifurcaci\u00f3n de regreso a la etiqueta 1b no regresa a la ubicaci\u00f3n correcta, sino que se bifurca justo antes de regresar al espacio de usuario, lo que provoca que el rfi utilice valores de registro falsos. La falla fue introducida por el commit 6f76a01173cc (\"powerpc/syscall: implementar l\u00f3gica de entrada/salida de llamadas al sistema en C para PPC32\") que sin darse cuenta elimin\u00f3 la etiqueta \"1\" y la reutiliz\u00f3 en otro lugar. Solucionelo agregando etiquetas locales con nombre en las ubicaciones correctas. Tenga en cuenta que la etiqueta de devoluci\u00f3n debe estar fuera de ifdef para que CONFIG_PPC_47x=n se compile."
}
],
"id": "CVE-2023-52499",
"lastModified": "2025-01-13T18:29:52.097",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-03-02T22:15:47.057",
"references": [
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"tags": [
"Patch"
],
"url": "https://git.kernel.org/stable/c/29017ab1a539101d9c7bec63cc13a019f97b2820"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"tags": [
"Patch"
],
"url": "https://git.kernel.org/stable/c/70f6756ad96dd70177dddcfac2fe4bd4bb320746"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"tags": [
"Patch"
],
"url": "https://git.kernel.org/stable/c/8ac2689502f986a46f4221e239d4ff2897f1ccb3"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"tags": [
"Patch"
],
"url": "https://git.kernel.org/stable/c/f0eee815babed70a749d2496a7678be5b45b4c14"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://git.kernel.org/stable/c/29017ab1a539101d9c7bec63cc13a019f97b2820"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://git.kernel.org/stable/c/70f6756ad96dd70177dddcfac2fe4bd4bb320746"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://git.kernel.org/stable/c/8ac2689502f986a46f4221e239d4ff2897f1ccb3"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://git.kernel.org/stable/c/f0eee815babed70a749d2496a7678be5b45b4c14"
}
],
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.