{ "threat_severity" : "Moderate", "public_date" : "2025-10-01T00:00:00Z", "bugzilla" : { "description" : "kernel: powerpc/rtas_flash: allow user copy to flash block cache objects", "id" : "2400784", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2400784" }, "cvss3" : { "cvss3_base_score" : "4.1", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H", "status" : "verified" }, "cwe" : "CWE-276", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\npowerpc/rtas_flash: allow user copy to flash block cache objects\nWith hardened usercopy enabled (CONFIG_HARDENED_USERCOPY=y), using the\n/proc/powerpc/rtas/firmware_update interface to prepare a system\nfirmware update yields a BUG():\nkernel BUG at mm/usercopy.c:102!\nOops: Exception in kernel mode, sig: 5 [#1]\nLE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries\nModules linked in:\nCPU: 0 PID: 2232 Comm: dd Not tainted 6.5.0-rc3+ #2\nHardware name: IBM,8408-E8E POWER8E (raw) 0x4b0201 0xf000004 of:IBM,FW860.50 (SV860_146) hv:phyp pSeries\nNIP: c0000000005991d0 LR: c0000000005991cc CTR: 0000000000000000\nREGS: c0000000148c76a0 TRAP: 0700 Not tainted (6.5.0-rc3+)\nMSR: 8000000000029033 CR: 24002242 XER: 0000000c\nCFAR: c0000000001fbd34 IRQMASK: 0\n[ ... GPRs omitted ... ]\nNIP usercopy_abort+0xa0/0xb0\nLR usercopy_abort+0x9c/0xb0\nCall Trace:\nusercopy_abort+0x9c/0xb0 (unreliable)\n__check_heap_object+0x1b4/0x1d0\n__check_object_size+0x2d0/0x380\nrtas_flash_write+0xe4/0x250\nproc_reg_write+0xfc/0x160\nvfs_write+0xfc/0x4e0\nksys_write+0x90/0x160\nsystem_call_exception+0x178/0x320\nsystem_call_common+0x160/0x2c4\nThe blocks of the firmware image are copied directly from user memory\nto objects allocated from flash_block_cache, so flash_block_cache must\nbe created using kmem_cache_create_usercopy() to mark it safe for user\naccess.\n[mpe: Trim and indent oops]" ], "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2024-04-30T00:00:00Z", "advisory" : "RHSA-2024:2394", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-427.13.1.el9_4" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2024-04-30T00:00:00Z", "advisory" : "RHSA-2024:2394", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-427.13.1.el9_4" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Fix deferred", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-53487\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-53487\nhttps://lore.kernel.org/linux-cve-announce/2025100115-CVE-2023-53487-c3f7@gregkh/T" ], "name" : "CVE-2023-53487", "csaw" : false }