Executive Summary

Information

Name: CVE-2023-52499
Vendor: Cve
First vendor publication: 2024-03-02
Last vendor modification: 2025-01-13

Security-Database Scoring CVSS v3

CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Overall CVSS score: 5.5
Base score: 5.5
Environmental score: 5.5
Impact sub score: 3.6
Temporal score: 5.5
Exploitability sub score: 1.8

Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High

Security-Database Scoring CVSS v2

CVSS vector: N/A

CVSS base score: N/A
CVSS impact score: N/A
CVSS exploit score: N/A
Attack range: N/A
Attack complexity: N/A
Authentication: N/A

Detail

In the Linux kernel, the following vulnerability has been resolved:

powerpc/47x: Fix 47x syscall return crash

Eddie reported that newer kernels were crashing during boot on his 476 FSP2 system:

kernel tried to execute user page (b7ee2000) - exploit attempt? (uid: 0)
BUG: Unable to handle kernel instruction fetch
Faulting instruction address: 0xb7ee2000
Oops: Kernel access of bad area, sig: 11 [#1]
BE PAGE_SIZE=4K FSP-2
Modules linked in:
CPU: 0 PID: 61 Comm: mount Not tainted 6.1.55-d23900f.ppcnf-fsp2 #1
Hardware name: ibm,fsp2 476fpe 0x7ff520c0 FSP-2
NIP:  b7ee2000 LR: 8c008000 CTR: 00000000
REGS: bffebd83 TRAP: 0400   Not tainted (6.1.55-d23900f.ppcnf-fs p2)
MSR:  00000030   CR: 00001000  XER: 20000000
GPR00: c00110ac bffebe63 bffebe7e bffebe88 8c008000 00001000 00000d12 b7ee2000
GPR08: 00000033 00000000 00000000 c139df10 48224824 1016c314 10160000 00000000
GPR16: 10160000 10160000 00000008 00000000 10160000 00000000 10160000 1017f5b0
GPR24: 1017fa50 1017f4f0 1017fa50 1017f740 1017f630 00000000 00000000 1017f4f0
NIP [b7ee2000] 0xb7ee2000
LR [8c008000] 0x8c008000
Call Trace:
Instruction dump:
XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
---[ end trace 0000000000000000 ]---

The problem is in ret_from_syscall where the check for icache_44x_need_flush is done. When the flush is needed the code jumps out-of-line to do the flush, and then intends to jump back to continue the syscall return.

However, the branch back to label 1b doesn't return to the correct location, instead branching back just prior to the return to userspace, causing bogus register values to be used by the rfi.

The breakage was introduced by commit 6f76a01173cc ("powerpc/syscall: implement system call entry/exit logic in C for PPC32") which inadvertently removed the "1" label and reused it elsewhere.

Fix it by adding named local labels in the correct locations. Note that the return label needs to be outside the ifdef so that CONFIG_PPC_47x=n compiles.

Original Source

Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-52499

CPE : Common Platform Enumeration

Type         Count
Application  8
Os           3626

Sources (Detail)

https://git.kernel.org/stable/c/29017ab1a539101d9c7bec63cc13a019f97b2820
https://git.kernel.org/stable/c/70f6756ad96dd70177dddcfac2fe4bd4bb320746
https://git.kernel.org/stable/c/8ac2689502f986a46f4221e239d4ff2897f1ccb3
https://git.kernel.org/stable/c/f0eee815babed70a749d2496a7678be5b45b4c14

Alert History

Date                 Information
2025-03-29 03:30:04  Multiple Updates
2025-03-28 13:39:11  Multiple Updates
2025-03-28 03:10:09  Multiple Updates
2025-03-19 03:06:01  Multiple Updates
2025-03-18 03:18:29  Multiple Updates
2025-03-14 03:06:26  Multiple Updates
2025-02-22 03:16:21  Multiple Updates
2025-01-13 21:21:10  Multiple Updates
2024-11-25 09:26:38  Multiple Updates
2024-03-04 17:27:29  Multiple Updates
2024-03-03 00:27:24  First insertion