Message-ID: <2025091645-CVE-2023-53326-7ff5@gregkh>
Date: Tue, 16 Sep 2025 18:12:11 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2023-53326: powerpc: Don't try to copy PPR for task with NULL pt_regs

From: Greg Kroah-Hartman <gregkh@...nel.org>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

powerpc: Don't try to copy PPR for task with NULL pt_regs

powerpc sets up PF_KTHREAD and PF_IO_WORKER with a NULL pt_regs, which
from my (arguably very short) checking is not commonly done for other
archs. This is fine, except when PF_IO_WORKERs have been created and
the task does something that causes a coredump to be generated. Then we
get this crash:

  Kernel attempted to read user page (160) - exploit attempt? (uid: 1000)
  BUG: Kernel NULL pointer dereference on read at 0x00000160
  Faulting instruction address: 0xc0000000000c3a60
  Oops: Kernel access of bad area, sig: 11 [#1]
  LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=32 NUMA pSeries
  Modules linked in: bochs drm_vram_helper drm_kms_helper xts binfmt_misc ecb ctr syscopyarea sysfillrect cbc sysimgblt drm_ttm_helper aes_generic ttm sg libaes evdev joydev virtio_balloon vmx_crypto gf128mul drm dm_mod fuse loop configfs drm_panel_orientation_quirks ip_tables x_tables autofs4 hid_generic usbhid hid xhci_pci xhci_hcd usbcore usb_common sd_mod
  CPU: 1 PID: 1982 Comm: ppc-crash Not tainted 6.3.0-rc2+ #88
  Hardware name: IBM pSeries (emulated by qemu) POWER9 (raw) 0x4e1202 0xf000005 of:SLOF,HEAD hv:linux,kvm pSeries
  NIP:  c0000000000c3a60 LR: c000000000039944 CTR: c0000000000398e0
  REGS: c0000000041833b0 TRAP: 0300   Not tainted  (6.3.0-rc2+)
  MSR:  800000000280b033 <SF,VEC,VSX,EE,FP,ME,IR,DR,RI,LE>  CR: 88082828  XER: 200400f8
  ...
  NIP memcpy_power7+0x200/0x7d0
  LR  ppr_get+0x64/0xb0
  Call Trace:
    ppr_get+0x40/0xb0 (unreliable)
    __regset_get+0x180/0x1f0
    regset_get_alloc+0x64/0x90
    elf_core_dump+0xb98/0x1b60
    do_coredump+0x1c34/0x24a0
    get_signal+0x71c/0x1410
    do_notify_resume+0x140/0x6f0
    interrupt_exit_user_prepare_main+0x29c/0x320
    interrupt_exit_user_prepare+0x6c/0xa0
    interrupt_return_srr_user+0x8/0x138

Because ppr_get() is trying to copy from a PF_IO_WORKER with a NULL
pt_regs.

Check for a valid pt_regs in both ppr_get/ppr_set, and return an error
if not set. The actual error value doesn't seem to be important here, so
just pick -EINVAL.

[mpe: Trim oops in change log, add Fixes & Cc stable]
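The following is an added, user-space model of the defect and of the fix the commit message describes; it is not the kernel's code. The pt_regs and task_struct stand-ins, the PF_* flag values, the getter/setter signatures and the coredump walk are all simplified assumptions made for illustration. It shows why a regset getter that trusts thread.regs reads from a small offset off NULL for an IO worker, and how the NULL check turns that into an -EINVAL that the coredump walk can skip.

```c
#include <assert.h>
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for powerpc pt_regs. Only the PPR field that
 * ppr_get()/ppr_set() touch is modelled; the gpr array just pushes it to a
 * non-zero offset, as in the real struct. */
struct pt_regs {
    uint64_t gpr[32];
    uint64_t ppr;
};

/* Hypothetical flag values, not the kernel's. The commit message says
 * powerpc gives PF_KTHREAD and PF_IO_WORKER tasks a NULL pt_regs: they
 * never entered the kernel from user space, so there is no user frame. */
#define PF_KTHREAD   0x1u
#define PF_IO_WORKER 0x2u

/* Constructed stand-in for task_struct. */
struct task_struct {
    unsigned int flags;
    struct { struct pt_regs *regs; } thread;
};

/* Shape of the bug: the getter trusts thread.regs and reads through it.
 * For an IO worker that is a load from NULL + offsetof(pt_regs, ppr), a
 * small faulting address like the 0x160 in the oops above. Kept here only
 * to show the missing check; never call it on a task with NULL regs. */
static int ppr_get_unchecked(const struct task_struct *target, uint64_t *out)
{
    memcpy(out, &target->thread.regs->ppr, sizeof(*out));
    return 0;
}

/* Shape of the fix: refuse tasks that have no user register state.
 * -EINVAL is the value the commit message picks. */
static int ppr_get_checked(const struct task_struct *target, uint64_t *out)
{
    if (!target->thread.regs)
        return -EINVAL;
    memcpy(out, &target->thread.regs->ppr, sizeof(*out));
    return 0;
}

static int ppr_set_checked(struct task_struct *target, uint64_t val)
{
    if (!target->thread.regs)
        return -EINVAL;
    target->thread.regs->ppr = val;
    return 0;
}

typedef int (*ppr_getter)(const struct task_struct *, uint64_t *);

/* Models the path in the trace: elf_core_dump() walks every thread of the
 * dumping process and asks each regset for its contents. Returns how many
 * threads were skipped because the getter reported an error. */
static int dump_ppr_for_threads(const struct task_struct *threads, size_t n,
                                uint64_t *out, ppr_getter get)
{
    int skipped = 0;
    for (size_t i = 0; i < n; i++) {
        out[i] = 0;
        if (get(&threads[i], &out[i]) < 0)
            skipped++;
    }
    return skipped;
}

/* Constructed scenario from the report: one ordinary user thread plus one
 * PF_IO_WORKER thread in the process that is being dumped. */
static struct pt_regs user_frame = { .ppr = 0x000c000000000000ull };

static const struct task_struct sample_threads[2] = {
    { .flags = 0,            .thread = { .regs = &user_frame } },
    { .flags = PF_IO_WORKER, .thread = { .regs = NULL } },
};

int main(void)
{
    uint64_t ppr[2], tmp = 0;

    /* Safe on the user thread; on sample_threads[1] it would fault. */
    ppr_get_unchecked(&sample_threads[0], &tmp);

    int skipped = dump_ppr_for_threads(sample_threads, 2, ppr, ppr_get_checked);
    printf("ppr[0]=%#llx, skipped %d thread(s) with NULL pt_regs\n",
           (unsigned long long)ppr[0], skipped);
    return 0;
}
```

When triaging a similar oops, the telling detail is the faulting address: a read at a small constant such as 0x160, from a function that only ever dereferences one struct pointer, is the signature of a NULL base pointer plus a field offset, which is why the fix is a presence check on the pointer rather than anything in memcpy.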

The Linux kernel CVE team has assigned CVE-2023-53326 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 4.8 with commit fa439810cc1b3c927ec24ede17d02467e1b143a1 and fixed in 5.10.177 with commit 80a4200d51e5a7e046f4a90f5faa5bafd5a60c58
	Issue introduced in 4.8 with commit fa439810cc1b3c927ec24ede17d02467e1b143a1 and fixed in 5.15.106 with commit 7624973bc15b76d000e8e6f9b8080fcb76d36595
	Issue introduced in 4.8 with commit fa439810cc1b3c927ec24ede17d02467e1b143a1 and fixed in 6.1.23 with commit 064a1c7b0f8403260d77627e62424a72ca26cee2
	Issue introduced in 4.8 with commit fa439810cc1b3c927ec24ede17d02467e1b143a1 and fixed in 6.2.10 with commit 01849382373b867ddcbe7536b9dfa89f3bcea60e
	Issue introduced in 4.8 with commit fa439810cc1b3c927ec24ede17d02467e1b143a1 and fixed in 6.3 with commit fd7276189450110ed835eb0a334e62d2f1c4e3be

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2023-53326
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	arch/powerpc/kernel/ptrace/ptrace-view.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/80a4200d51e5a7e046f4a90f5faa5bafd5a60c58
	https://git.kernel.org/stable/c/7624973bc15b76d000e8e6f9b8080fcb76d36595
	https://git.kernel.org/stable/c/064a1c7b0f8403260d77627e62424a72ca26cee2
	https://git.kernel.org/stable/c/01849382373b867ddcbe7536b9dfa89f3bcea60e
	https://git.kernel.org/stable/c/fd7276189450110ed835eb0a334e62d2f1c4e3be
