CVE-2023-53487

In the Linux kernel, the following vulnerability has been resolved:

powerpc/rtas_flash: allow user copy to flash block cache objects

With hardened usercopy enabled (CONFIGHARDENEDUSERCOPY=y), using the /proc/powerpc/rtas/firmware_update interface to prepare a system firmware update yields a BUG():

kernel BUG at mm/usercopy.c:102! Oops: Exception in kernel mode, sig: 5 [#1] LE PAGESIZE=64K MMU=Hash SMP NRCPUS=2048 NUMA pSeries Modules linked in: CPU: 0 PID: 2232 Comm: dd Not tainted 6.5.0-rc3+ #2 Hardware name: IBM,8408-E8E POWER8E (raw) 0x4b0201 0xf000004 of:IBM,FW860.50 (SV860146) hv:phyp pSeries NIP: c0000000005991d0 LR: c0000000005991cc CTR: 0000000000000000 REGS: c0000000148c76a0 TRAP: 0700 Not tainted (6.5.0-rc3+) MSR: 8000000000029033 <SF,EE,ME,IR,DR,RI,LE> CR: 24002242 XER: 0000000c CFAR: c0000000001fbd34 IRQMASK: 0 [ ... GPRs omitted ... ] NIP usercopyabort+0xa0/0xb0 LR usercopyabort+0x9c/0xb0 Call Trace: usercopyabort+0x9c/0xb0 (unreliable) __checkheapobject+0x1b4/0x1d0 __checkobjectsize+0x2d0/0x380 rtasflashwrite+0xe4/0x250 procregwrite+0xfc/0x160 vfswrite+0xfc/0x4e0 ksyswrite+0x90/0x160 systemcallexception+0x178/0x320 systemcallcommon+0x160/0x2c4

The blocks of the firmware image are copied directly from user memory to objects allocated from flashblockcache, so flashblockcache must be created using kmemcachecreate_usercopy() to mark it safe for user access.

[mpe: Trim and indent oops]