CVE-2023-53487

EUVD-2025-32767
In the Linux kernel, the following vulnerability has been resolved:

powerpc/rtas_flash: allow user copy to flash block cache objects

With hardened usercopy enabled (CONFIG_HARDENED_USERCOPY=y), using the
/proc/powerpc/rtas/firmware_update interface to prepare a system
firmware update yields a BUG():

  kernel BUG at mm/usercopy.c:102!
  Oops: Exception in kernel mode, sig: 5 [#1]
  LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries
  Modules linked in:
  CPU: 0 PID: 2232 Comm: dd Not tainted 6.5.0-rc3+ #2
  Hardware name: IBM,8408-E8E POWER8E (raw) 0x4b0201 0xf000004 of:IBM,FW860.50 (SV860_146) hv:phyp pSeries
  NIP:  c0000000005991d0 LR: c0000000005991cc CTR: 0000000000000000
  REGS: c0000000148c76a0 TRAP: 0700   Not tainted  (6.5.0-rc3+)
  MSR:  8000000000029033 <SF,EE,ME,IR,DR,RI,LE>  CR: 24002242  XER: 0000000c
  CFAR: c0000000001fbd34 IRQMASK: 0
  [ ... GPRs omitted ... ]
  NIP usercopy_abort+0xa0/0xb0
  LR  usercopy_abort+0x9c/0xb0
  Call Trace:
    usercopy_abort+0x9c/0xb0 (unreliable)
    __check_heap_object+0x1b4/0x1d0
    __check_object_size+0x2d0/0x380
    rtas_flash_write+0xe4/0x250
    proc_reg_write+0xfc/0x160
    vfs_write+0xfc/0x4e0
    ksys_write+0x90/0x160
    system_call_exception+0x178/0x320
    system_call_common+0x160/0x2c4

The blocks of the firmware image are copied directly from user memory
to objects allocated from flash_block_cache, so flash_block_cache must
be created using kmem_cache_create_usercopy() to mark it safe for user
access.

[mpe: Trim and indent oops]
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.8 HIGH
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 5%
Affected Products (NVD)
VendorProductVersion
linuxlinux_kernel
4.16 ≤
𝑥
< 4.19.293
linuxlinux_kernel
4.20 ≤
𝑥
< 5.4.255
linuxlinux_kernel
5.5 ≤
𝑥
< 5.10.192
linuxlinux_kernel
5.11 ≤
𝑥
< 5.15.128
linuxlinux_kernel
5.16 ≤
𝑥
< 6.1.47
linuxlinux_kernel
6.2 ≤
𝑥
< 6.4.12
linuxlinux_kernel
6.5:rc1
linuxlinux_kernel
6.5:rc2
linuxlinux_kernel
6.5:rc3
linuxlinux_kernel
6.5:rc4
linuxlinux_kernel
6.5:rc5
linuxlinux_kernel
6.5:rc6
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
linux
bookworm
6.1.148-1
fixed
bookworm (security)
6.1.153-1
fixed
bullseye
5.10.223-1
fixed
bullseye (security)
5.10.237-1
fixed
forky
6.16.8-1
fixed
sid
6.16.9-1
fixed
trixie
6.12.43-1
fixed
trixie (security)
6.12.48-1
fixed
References
https://git.kernel.org/stable/c/0ba7f969be599e21d4b1f1e947593de6515f4996
https://git.kernel.org/stable/c/1d29e21ed09fa668416fa7721e08d451b9903485
https://git.kernel.org/stable/c/4f3175979e62de3b929bfa54a0db4b87d36257a7
https://git.kernel.org/stable/c/6acb8a453388374fafb3c3b37534b675b2aa0ae1
https://git.kernel.org/stable/c/8ef25fb13494e35c6dbe15445c7875fa92bc3e8b
https://git.kernel.org/stable/c/8f09cc15dcd91d16562400c51d24c7be0d5796fa
https://git.kernel.org/stable/c/b8fee83aa4ed3846c7f50a0b364bc699f48d96e5