ghsa-hpjg-565w-prfp
Vulnerability from github
Published
2025-10-01 12:30
Modified
2025-10-01 12:30
Details

In the Linux kernel, the following vulnerability has been resolved:

powerpc/rtas_flash: allow user copy to flash block cache objects

With hardened usercopy enabled (CONFIG_HARDENED_USERCOPY=y), using the /proc/powerpc/rtas/firmware_update interface to prepare a system firmware update yields a BUG():

kernel BUG at mm/usercopy.c:102! Oops: Exception in kernel mode, sig: 5 [#1] LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries Modules linked in: CPU: 0 PID: 2232 Comm: dd Not tainted 6.5.0-rc3+ #2 Hardware name: IBM,8408-E8E POWER8E (raw) 0x4b0201 0xf000004 of:IBM,FW860.50 (SV860_146) hv:phyp pSeries NIP: c0000000005991d0 LR: c0000000005991cc CTR: 0000000000000000 REGS: c0000000148c76a0 TRAP: 0700 Not tainted (6.5.0-rc3+) MSR: 8000000000029033 CR: 24002242 XER: 0000000c CFAR: c0000000001fbd34 IRQMASK: 0 [ ... GPRs omitted ... ] NIP usercopy_abort+0xa0/0xb0 LR usercopy_abort+0x9c/0xb0 Call Trace: usercopy_abort+0x9c/0xb0 (unreliable) __check_heap_object+0x1b4/0x1d0 __check_object_size+0x2d0/0x380 rtas_flash_write+0xe4/0x250 proc_reg_write+0xfc/0x160 vfs_write+0xfc/0x4e0 ksys_write+0x90/0x160 system_call_exception+0x178/0x320 system_call_common+0x160/0x2c4

The blocks of the firmware image are copied directly from user memory to objects allocated from flash_block_cache, so flash_block_cache must be created using kmem_cache_create_usercopy() to mark it safe for user access.

[mpe: Trim and indent oops]

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2023-53487"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-01T12:15:51Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/rtas_flash: allow user copy to flash block cache objects\n\nWith hardened usercopy enabled (CONFIG_HARDENED_USERCOPY=y), using the\n/proc/powerpc/rtas/firmware_update interface to prepare a system\nfirmware update yields a BUG():\n\n  kernel BUG at mm/usercopy.c:102!\n  Oops: Exception in kernel mode, sig: 5 [#1]\n  LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries\n  Modules linked in:\n  CPU: 0 PID: 2232 Comm: dd Not tainted 6.5.0-rc3+ #2\n  Hardware name: IBM,8408-E8E POWER8E (raw) 0x4b0201 0xf000004 of:IBM,FW860.50 (SV860_146) hv:phyp pSeries\n  NIP:  c0000000005991d0 LR: c0000000005991cc CTR: 0000000000000000\n  REGS: c0000000148c76a0 TRAP: 0700   Not tainted  (6.5.0-rc3+)\n  MSR:  8000000000029033 \u003cSF,EE,ME,IR,DR,RI,LE\u003e  CR: 24002242  XER: 0000000c\n  CFAR: c0000000001fbd34 IRQMASK: 0\n  [ ... GPRs omitted ... ]\n  NIP usercopy_abort+0xa0/0xb0\n  LR  usercopy_abort+0x9c/0xb0\n  Call Trace:\n    usercopy_abort+0x9c/0xb0 (unreliable)\n    __check_heap_object+0x1b4/0x1d0\n    __check_object_size+0x2d0/0x380\n    rtas_flash_write+0xe4/0x250\n    proc_reg_write+0xfc/0x160\n    vfs_write+0xfc/0x4e0\n    ksys_write+0x90/0x160\n    system_call_exception+0x178/0x320\n    system_call_common+0x160/0x2c4\n\nThe blocks of the firmware image are copied directly from user memory\nto objects allocated from flash_block_cache, so flash_block_cache must\nbe created using kmem_cache_create_usercopy() to mark it safe for user\naccess.\n\n[mpe: Trim and indent oops]",
  "id": "GHSA-hpjg-565w-prfp",
  "modified": "2025-10-01T12:30:30Z",
  "published": "2025-10-01T12:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53487"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0ba7f969be599e21d4b1f1e947593de6515f4996"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1d29e21ed09fa668416fa7721e08d451b9903485"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4f3175979e62de3b929bfa54a0db4b87d36257a7"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6acb8a453388374fafb3c3b37534b675b2aa0ae1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8ef25fb13494e35c6dbe15445c7875fa92bc3e8b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8f09cc15dcd91d16562400c51d24c7be0d5796fa"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b8fee83aa4ed3846c7f50a0b364bc699f48d96e5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.