CVE-2023-52499 Information
Description
In the Linux kernel the following vulnerability has been resolved:
powerpc/47x: Fix 47x syscall return crash
Eddie reported that newer kernels were crashing during boot on his 476 FSP2 system:
kernel tried to execute user page (b7ee2000) - exploit attempt? (uid: 0)
BUG: Unable to handle kernel instruction fetch
Faulting instruction address: 0xb7ee2000
Oops: Kernel access of bad area, sig: 11 [#1]
BE PAGE_SIZE=4K FSP-2
Modules linked in:
CPU: 0 PID: 61 Comm: mount Not tainted 6.1.55-d23900f.ppcnf-fsp2 #1
Hardware name: ibmfsp2 476fpe 0x7ff520c0 FSP-2
NIP: b7ee2000 LR: 8c008000 CTR: 00000000
REGS: bffebd83 TRAP: 0400 Not tainted (6.1.55-d23900f.ppcnf-fsp2)
MSR: 00000030
The problem is in ret_from_syscall where the check for icache_44x_need_flush is done. When the flush is needed the code jumps out-of-line to do the flush and then intends to jump back to continue the syscall return.
However the branch back to label 1b doesn’t return to the correct location instead branching back just prior to the return to userspace causing bogus register values to be used by the rfi.
The breakage was introduced by commit 6f76a01173cc ("powerpc/syscall: implement system call entry/exit logic in C for PPC32") which inadvertently removed the "1" label and reused it elsewhere.
Fix it by adding named local labels in the correct locations. Note that the return label needs to be outside the ifdef so that CONFIG_PPC_47x=n compiles.
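The root cause above is an assembler-semantics trap rather than a logic error in the C code: a GNU assembler numeric local label such as "1:" may be defined any number of times, and a reference "1b" binds to the nearest preceding definition, so moving or reusing "1:" silently retargets every "b 1b" that relied on it. The following is an added example, not kernel source and not part of the original advisory: a small C model of that resolution rule, applied to a condensed rendering of the ret_from_syscall path the commit message describes. The instruction listing is illustrative and shortened, and the named labels .L44x_icache_flush / .L44x_icache_flush_return are names chosen for this example; consult the referenced commits for the actual diff.

```c
#include <stdio.h>
#include <string.h>

/* One assembler line: an optional label definition and an optional branch reference. */
struct insn {
    const char *label;   /* label defined on this line, or NULL */
    const char *text;    /* mnemonic and operands (illustrative, not an exact kernel listing) */
    const char *branch;  /* label reference this line branches to, or NULL */
};

/* Model of gas label resolution as seen from line FROM.
 * "Nb" -> nearest preceding "N:", "Nf" -> nearest following "N:", ".Lname" -> the
 * single definition. Returns the target index, -1 if undefined, -2 if a named
 * label is defined twice (which gas rejects, unlike a reused numeric label). */
int resolve_label(const struct insn *prog, int n, int from, const char *ref)
{
    size_t len = strlen(ref);

    if (ref[0] != '.' && len >= 2 && (ref[len - 1] == 'b' || ref[len - 1] == 'f')) {
        char num[16];
        if (len - 1 >= sizeof(num))
            return -1;
        memcpy(num, ref, len - 1);
        num[len - 1] = '\0';
        if (ref[len - 1] == 'b') {
            for (int i = from; i >= 0; i--)            /* nearest preceding "num:" */
                if (prog[i].label && strcmp(prog[i].label, num) == 0)
                    return i;
        } else {
            for (int i = from + 1; i < n; i++)         /* nearest following "num:" */
                if (prog[i].label && strcmp(prog[i].label, num) == 0)
                    return i;
        }
        return -1;
    }

    int found = -1;
    for (int i = 0; i < n; i++) {
        if (prog[i].label && strcmp(prog[i].label, ref) == 0) {
            if (found >= 0)
                return -2;                             /* duplicate named label */
            found = i;
        }
    }
    return found;
}

/* Condensed model of the broken path: the out-of-line flush ends in "b 1b", but the
 * refactor reused "1:" right before the rfi, so the lines that load NIP/MSR into
 * SRR0/SRR1 are skipped and r7 still holds the 0 written by "li r7,0". */
static const struct insn broken[] = {
    { NULL, "lwz    r5,icache_44x_need_flush@l(r4)", NULL },
    { NULL, "cmplwi cr0,r5,0",                       NULL },
    { NULL, "bne-   2f",                             "2f" },
    { NULL, "lwz    r7,_NIP(r1)",                    NULL }, /* [3] intended return point */
    { NULL, "lwz    r8,_MSR(r1)",                    NULL },
    { NULL, "mtspr  SPRN_SRR0,r7",                   NULL },
    { NULL, "mtspr  SPRN_SRR1,r8",                   NULL },
    { "1",  "lwz    r2,GPR2(r1)",                    NULL }, /* [7] "1" reused here */
    { NULL, "rfi",                                   NULL },
    { "2",  "li     r7,0",                           NULL }, /* out-of-line flush */
    { NULL, "iccci  r0,r0",                          NULL },
    { NULL, "stw    r7,icache_44x_need_flush@l(r4)", NULL },
    { NULL, "b      1b",                             "1b" },
};

/* Same path with named local labels (names chosen for this example). The numeric
 * "1:" can stay where it is; the flush stub no longer depends on it. */
static const struct insn fixed[] = {
    { NULL, "lwz    r5,icache_44x_need_flush@l(r4)", NULL },
    { NULL, "cmplwi cr0,r5,0",                       NULL },
    { NULL, "bne-   .L44x_icache_flush",             ".L44x_icache_flush" },
    { ".L44x_icache_flush_return", "lwz r7,_NIP(r1)", NULL }, /* [3] */
    { NULL, "lwz    r8,_MSR(r1)",                    NULL },
    { NULL, "mtspr  SPRN_SRR0,r7",                   NULL },
    { NULL, "mtspr  SPRN_SRR1,r8",                   NULL },
    { "1",  "lwz    r2,GPR2(r1)",                    NULL },
    { NULL, "rfi",                                   NULL },
    { ".L44x_icache_flush", "li r7,0",               NULL },
    { NULL, "iccci  r0,r0",                          NULL },
    { NULL, "stw    r7,icache_44x_need_flush@l(r4)", NULL },
    { NULL, "b      .L44x_icache_flush_return",      ".L44x_icache_flush_return" },
};

#define N(a) ((int)(sizeof(a) / sizeof((a)[0])))

/* Where does the flush stub's final branch (last line of the listing) land? */
int flush_return_target(const struct insn *prog, int n)
{
    return resolve_label(prog, n, n - 1, prog[n - 1].branch);
}

int broken_target(void) { return flush_return_target(broken, N(broken)); } /* 7, past the mtspr lines */
int fixed_target(void)  { return flush_return_target(fixed, N(fixed)); }   /* 3, the real return point */

/* Reusing a named label is an error, so the same slip cannot go unnoticed. */
int duplicate_named_label(void)
{
    struct insn dup[] = {
        { ".Lret", "nop", NULL }, { ".Lret", "nop", NULL }, { NULL, "b .Lret", ".Lret" },
    };
    return resolve_label(dup, N(dup), 2, ".Lret");
}

int main(void)
{
    int b = broken_target(), f = fixed_target();
    printf("broken: 'b 1b' lands on [%d] %s (SRR0/SRR1 never loaded)\n", b, broken[b].text);
    printf("fixed : branch lands on [%d] %s\n", f, fixed[f].text);
    printf("duplicate named label -> %d (assembler error)\n", duplicate_named_label());
    return 0;
}
```

The practical check this suggests for review of entry-path assembly: whenever a numeric label is added, removed or moved, grep for every "Nb"/"Nf" reference to that number in the same file and confirm which definition each one now binds to; for targets shared between a mainline path and an out-of-line stub, a named .L label removes the ambiguity entirely, which is exactly what the fix does.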
Reference
https://git.kernel.org/stable/c/29017ab1a539101d9c7bec63cc13a019f97b2820
https://git.kernel.org/stable/c/8ac2689502f986a46f4221e239d4ff2897f1ccb3
https://git.kernel.org/stable/c/70f6756ad96dd70177dddcfac2fe4bd4bb320746
https://git.kernel.org/stable/c/f0eee815babed70a749d2496a7678be5b45b4c14