{"id":"CVE-2023-53487","summary":"powerpc/rtas_flash: allow user copy to flash block cache objects","details":"In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/rtas_flash: allow user copy to flash block cache objects\n\nWith hardened usercopy enabled (CONFIG_HARDENED_USERCOPY=y), using the\n/proc/powerpc/rtas/firmware_update interface to prepare a system\nfirmware update yields a BUG():\n\n  kernel BUG at mm/usercopy.c:102!\n  Oops: Exception in kernel mode, sig: 5 [#1]\n  LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries\n  Modules linked in:\n  CPU: 0 PID: 2232 Comm: dd Not tainted 6.5.0-rc3+ #2\n  Hardware name: IBM,8408-E8E POWER8E (raw) 0x4b0201 0xf000004 of:IBM,FW860.50 (SV860_146) hv:phyp pSeries\n  NIP:  c0000000005991d0 LR: c0000000005991cc CTR: 0000000000000000\n  REGS: c0000000148c76a0 TRAP: 0700   Not tainted  (6.5.0-rc3+)\n  MSR:  8000000000029033 \u003cSF,EE,ME,IR,DR,RI,LE\u003e  CR: 24002242  XER: 0000000c\n  CFAR: c0000000001fbd34 IRQMASK: 0\n  [ ... GPRs omitted ... ]\n  NIP usercopy_abort+0xa0/0xb0\n  LR  usercopy_abort+0x9c/0xb0\n  Call Trace:\n    usercopy_abort+0x9c/0xb0 (unreliable)\n    __check_heap_object+0x1b4/0x1d0\n    __check_object_size+0x2d0/0x380\n    rtas_flash_write+0xe4/0x250\n    proc_reg_write+0xfc/0x160\n    vfs_write+0xfc/0x4e0\n    ksys_write+0x90/0x160\n    system_call_exception+0x178/0x320\n    system_call_common+0x160/0x2c4\n\nThe blocks of the firmware image are copied directly from user memory\nto objects allocated from flash_block_cache, so flash_block_cache must\nbe created using kmem_cache_create_usercopy() to mark it safe for user\naccess.\n\n[mpe: Trim and indent oops]","modified":"2026-03-20T12:33:10.975437Z","published":"2025-10-01T11:42:54.747Z","related":["SUSE-SU-2025:03600-1","SUSE-SU-2025:03615-1","SUSE-SU-2025:03628-1","SUSE-SU-2025:03634-1","SUSE-SU-2025:20851-1","SUSE-SU-2025:20861-1","SUSE-SU-2025:20870-1","SUSE-SU-2025:20898-1","SUSE-SU-2025:3716-1","SUSE-SU-2025:3751-1","SUSE-SU-2025:3761-1","SUSE-SU-2025:4057-1","SUSE-SU-2025:4132-1","SUSE-SU-2025:4141-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/53xxx/CVE-2023-53487.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/0ba7f969be599e21d4b1f1e947593de6515f4996"},{"type":"WEB","url":"https://git.kernel.org/stable/c/1d29e21ed09fa668416fa7721e08d451b9903485"},{"type":"WEB","url":"https://git.kernel.org/stable/c/4f3175979e62de3b929bfa54a0db4b87d36257a7"},{"type":"WEB","url":"https://git.kernel.org/stable/c/6acb8a453388374fafb3c3b37534b675b2aa0ae1"},{"type":"WEB","url":"https://git.kernel.org/stable/c/8ef25fb13494e35c6dbe15445c7875fa92bc3e8b"},{"type":"WEB","url":"https://git.kernel.org/stable/c/8f09cc15dcd91d16562400c51d24c7be0d5796fa"},{"type":"WEB","url":"https://git.kernel.org/stable/c/b8fee83aa4ed3846c7f50a0b364bc699f48d96e5"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/53xxx/CVE-2023-53487.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-53487"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"6d07d1cd300f4c7e16005f881fea388164999cc8"},{"fixed":"8f09cc15dcd91d16562400c51d24c7be0d5796fa"},{"fixed":"1d29e21ed09fa668416fa7721e08d451b9903485"},{"fixed":"0ba7f969be599e21d4b1f1e947593de6515f4996"},{"fixed":"8ef25fb13494e35c6dbe15445c7875fa92bc3e8b"},{"fixed":"b8fee83aa4ed3846c7f50a0b364bc699f48d96e5"},{"fixed":"6acb8a453388374fafb3c3b37534b675b2aa0ae1"},{"fixed":"4f3175979e62de3b929bfa54a0db4b87d36257a7"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-53487.json"}}],"schema_version":"1.7.5"}