
CVE-2023-52499

Published: 2024-03-02 00:00:00
Source: ubuntu.com
Tags: linux kernel, powerpc/47x, vulnerability, syscall, eddie, kernel crash, exploit attempt, user page, instruction fetch, msr, nip, lr, ctr, register values, system call entry, logic

AI Score: 6.5 Medium (Confidence: High)
EPSS: 0.0004 Low (Percentile: 15.7%)

In the Linux kernel, the following vulnerability has been resolved:

powerpc/47x: Fix 47x syscall return crash

Eddie reported that newer kernels were crashing during boot on his 476 FSP2 system:

  kernel tried to execute user page (b7ee2000) - exploit attempt? (uid: 0)
  BUG: Unable to handle kernel instruction fetch
  Faulting instruction address: 0xb7ee2000
  Oops: Kernel access of bad area, sig: 11 [#1]
  BE PAGE_SIZE=4K FSP-2
  Modules linked in:
  CPU: 0 PID: 61 Comm: mount Not tainted 6.1.55-d23900f.ppcnf-fsp2 #1
  Hardware name: ibm,fsp2 476fpe 0x7ff520c0 FSP-2
  NIP:  b7ee2000 LR: 8c008000 CTR: 00000000
  REGS: bffebd83 TRAP: 0400   Not tainted  (6.1.55-d23900f.ppcnf-fsp2)
  MSR:  00000030 <IR,DR>  CR: 00001000  XER: 20000000
  GPR00: c00110ac bffebe63 bffebe7e bffebe88 8c008000 00001000 00000d12 b7ee2000
  GPR08: 00000033 00000000 00000000 c139df10 48224824 1016c314 10160000 00000000
  GPR16: 10160000 10160000 00000008 00000000 10160000 00000000 10160000 1017f5b0
  GPR24: 1017fa50 1017f4f0 1017fa50 1017f740 1017f630 00000000 00000000 1017f4f0
  NIP [b7ee2000] 0xb7ee2000
  LR [8c008000] 0x8c008000
  Call Trace:
  Instruction dump:
  XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
  XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
  ---[ end trace 0000000000000000 ]---

The problem is in ret_from_syscall where the check for icache_44x_need_flush is done. When the flush is needed the code jumps out-of-line to do the flush, and then intends to jump back to continue the syscall return. However the branch back to label 1b doesn't return to the correct location, instead branching back just prior to the return to userspace, causing bogus register values to be used by the rfi.

The breakage was introduced by commit 6f76a01173cc ("powerpc/syscall: implement system call entry/exit logic in C for PPC32") which inadvertently removed the "1" label and reused it elsewhere.

Fix it by adding named local labels in the correct locations. Note that the return label needs to be outside the ifdef so that CONFIG_PPC_47x=n compiles.
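As an added triage example (not part of the CVE record or of the kernel commit), the following Python parses a PowerPC oops of the kind shown above and checks the condition the first log line reports: the faulting NIP lies below the kernel/user boundary while MSR[PR] is clear, i.e. the CPU was in supervisor state and fetched an instruction from a user address. The sample text is the page's own oops re-laid into the per-line form the kernel prints; PAGE_OFFSET = 0xc0000000 is assumed (the default PPC32 3G/1G split), and the MSR bit values and the 0x400 ISI trap vector are the architectural ones.

```python
import re
from dataclasses import dataclass, field

# Assumed: default PPC32 kernel/user split; adjust for non-default configs.
PAGE_OFFSET = 0xC0000000
# Architectural MSR bits (32-bit numbering, value form).
MSR_EE = 0x8000   # external interrupts enabled
MSR_PR = 0x4000   # 1 = problem (user) state, 0 = supervisor state
MSR_IR = 0x0020   # instruction address translation on
MSR_DR = 0x0010   # data address translation on
TRAP_ISI = 0x0400  # instruction storage interrupt vector

# Constructed sample: the oops from the CVE description, one kernel line per line.
SAMPLE_OOPS = """\
kernel tried to execute user page (b7ee2000) - exploit attempt? (uid: 0)
BUG: Unable to handle kernel instruction fetch
Faulting instruction address: 0xb7ee2000
Oops: Kernel access of bad area, sig: 11 [#1]
CPU: 0 PID: 61 Comm: mount Not tainted 6.1.55-d23900f.ppcnf-fsp2 #1
NIP:  b7ee2000 LR: 8c008000 CTR: 00000000
REGS: bffebd83 TRAP: 0400   Not tainted  (6.1.55-d23900f.ppcnf-fsp2)
MSR:  00000030 <IR,DR>  CR: 00001000  XER: 20000000
GPR00: c00110ac bffebe63 bffebe7e bffebe88 8c008000 00001000 00000d12 b7ee2000
GPR08: 00000033 00000000 00000000 c139df10 48224824 1016c314 10160000 00000000
"""

_REG_RE = re.compile(r"\b(NIP|LR|CTR|MSR|CR|XER|TRAP):\s*([0-9a-f]+)")
_GPR_RE = re.compile(r"GPR(\d+):((?:\s+[0-9a-f]{8})+)")
_PROC_RE = re.compile(r"PID:\s*(\d+)\s+Comm:\s*(\S+)")


@dataclass
class OopsRegs:
    """Register state recovered from an oops dump."""
    regs: dict = field(default_factory=dict)   # NIP, LR, CTR, MSR, CR, XER, TRAP
    gprs: dict = field(default_factory=dict)   # GPR index -> value
    comm: str = ""
    pid: int = -1


def parse_oops(text: str) -> OopsRegs:
    """Extract special registers, GPRs and the faulting task from oops text."""
    out = OopsRegs()
    for line in text.splitlines():
        for name, val in _REG_RE.findall(line):
            out.regs[name] = int(val, 16)
        m = _GPR_RE.search(line)
        if m:
            base = int(m.group(1))
            for i, v in enumerate(m.group(2).split()):
                out.gprs[base + i] = int(v, 16)
        m = _PROC_RE.search(line)
        if m:
            out.pid, out.comm = int(m.group(1)), m.group(2)
    return out


def msr_flags(msr: int) -> list:
    """Decode the MSR bits the kernel prints in angle brackets, e.g. <IR,DR>."""
    names = [("EE", MSR_EE), ("PR", MSR_PR), ("IR", MSR_IR), ("DR", MSR_DR)]
    return [n for n, bit in names if msr & bit]


def is_user_address(addr: int) -> bool:
    return addr < PAGE_OFFSET


def classify(o: OopsRegs) -> str:
    """Name the fault class; the page's oops is a supervisor fetch from user space."""
    nip, msr = o.regs["NIP"], o.regs["MSR"]
    trap = o.regs.get("TRAP", 0)
    if not (msr & MSR_PR) and is_user_address(nip):
        kind = "instruction fetch" if trap == TRAP_ISI else "access"
        return f"supervisor-mode {kind} at user address 0x{nip:08x}"
    if msr & MSR_PR:
        return f"user-mode fault at 0x{nip:08x} (signal delivery, not an oops)"
    return f"kernel-mode fault at kernel address 0x{nip:08x}"


if __name__ == "__main__":
    o = parse_oops(SAMPLE_OOPS)
    print(f"{o.comm}[{o.pid}] MSR=<{','.join(msr_flags(o.regs['MSR']))}> "
          f"NIP=0x{o.regs['NIP']:08x} LR=0x{o.regs['LR']:08x}")
    print(classify(o))
```

The check mirrors what the kernel's own "kernel tried to execute user page" message encodes: MSR has IR and DR set but PR clear, so the fetch happened in supervisor state, and NIP is well below PAGE_OFFSET. In the commit description this is the symptom of the mis-targeted 1b branch: rfi consumed stale SRR0/SRR1-bound values, so the return landed on a user page while still in kernel mode.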
