{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2023-53487","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-10-01T11:39:39.402Z","datePublished":"2025-10-01T11:42:54.747Z","dateUpdated":"2026-05-11T19:45:56.368Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T19:45:56.368Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/rtas_flash: allow user copy to flash block cache objects\n\nWith hardened usercopy enabled (CONFIG_HARDENED_USERCOPY=y), using the\n/proc/powerpc/rtas/firmware_update interface to prepare a system\nfirmware update yields a BUG():\n\n  kernel BUG at mm/usercopy.c:102!\n  Oops: Exception in kernel mode, sig: 5 [#1]\n  LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries\n  Modules linked in:\n  CPU: 0 PID: 2232 Comm: dd Not tainted 6.5.0-rc3+ #2\n  Hardware name: IBM,8408-E8E POWER8E (raw) 0x4b0201 0xf000004 of:IBM,FW860.50 (SV860_146) hv:phyp pSeries\n  NIP:  c0000000005991d0 LR: c0000000005991cc CTR: 0000000000000000\n  REGS: c0000000148c76a0 TRAP: 0700   Not tainted  (6.5.0-rc3+)\n  MSR:  8000000000029033 <SF,EE,ME,IR,DR,RI,LE>  CR: 24002242  XER: 0000000c\n  CFAR: c0000000001fbd34 IRQMASK: 0\n  [ ... GPRs omitted ... ]\n  NIP usercopy_abort+0xa0/0xb0\n  LR  usercopy_abort+0x9c/0xb0\n  Call Trace:\n    usercopy_abort+0x9c/0xb0 (unreliable)\n    __check_heap_object+0x1b4/0x1d0\n    __check_object_size+0x2d0/0x380\n    rtas_flash_write+0xe4/0x250\n    proc_reg_write+0xfc/0x160\n    vfs_write+0xfc/0x4e0\n    ksys_write+0x90/0x160\n    system_call_exception+0x178/0x320\n    system_call_common+0x160/0x2c4\n\nThe blocks of the firmware image are copied directly from user memory\nto objects allocated from flash_block_cache, so flash_block_cache must\nbe created using kmem_cache_create_usercopy() to mark it safe for user\naccess.\n\n[mpe: Trim and indent oops]"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["arch/powerpc/kernel/rtas_flash.c"],"versions":[{"version":"6d07d1cd300f4c7e16005f881fea388164999cc8","lessThan":"8f09cc15dcd91d16562400c51d24c7be0d5796fa","status":"affected","versionType":"git"},{"version":"6d07d1cd300f4c7e16005f881fea388164999cc8","lessThan":"1d29e21ed09fa668416fa7721e08d451b9903485","status":"affected","versionType":"git"},{"version":"6d07d1cd300f4c7e16005f881fea388164999cc8","lessThan":"0ba7f969be599e21d4b1f1e947593de6515f4996","status":"affected","versionType":"git"},{"version":"6d07d1cd300f4c7e16005f881fea388164999cc8","lessThan":"8ef25fb13494e35c6dbe15445c7875fa92bc3e8b","status":"affected","versionType":"git"},{"version":"6d07d1cd300f4c7e16005f881fea388164999cc8","lessThan":"b8fee83aa4ed3846c7f50a0b364bc699f48d96e5","status":"affected","versionType":"git"},{"version":"6d07d1cd300f4c7e16005f881fea388164999cc8","lessThan":"6acb8a453388374fafb3c3b37534b675b2aa0ae1","status":"affected","versionType":"git"},{"version":"6d07d1cd300f4c7e16005f881fea388164999cc8","lessThan":"4f3175979e62de3b929bfa54a0db4b87d36257a7","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["arch/powerpc/kernel/rtas_flash.c"],"versions":[{"version":"4.16","status":"affected"},{"version":"0","lessThan":"4.16","status":"unaffected","versionType":"semver"},{"version":"4.19.293","lessThanOrEqual":"4.19.*","status":"unaffected","versionType":"semver"},{"version":"5.4.255","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.192","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.128","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.47","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.4.12","lessThanOrEqual":"6.4.*","status":"unaffected","versionType":"semver"},{"version":"6.5","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.16","versionEndExcluding":"4.19.293"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.16","versionEndExcluding":"5.4.255"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.16","versionEndExcluding":"5.10.192"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.16","versionEndExcluding":"5.15.128"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.16","versionEndExcluding":"6.1.47"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.16","versionEndExcluding":"6.4.12"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.16","versionEndExcluding":"6.5"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/8f09cc15dcd91d16562400c51d24c7be0d5796fa"},{"url":"https://git.kernel.org/stable/c/1d29e21ed09fa668416fa7721e08d451b9903485"},{"url":"https://git.kernel.org/stable/c/0ba7f969be599e21d4b1f1e947593de6515f4996"},{"url":"https://git.kernel.org/stable/c/8ef25fb13494e35c6dbe15445c7875fa92bc3e8b"},{"url":"https://git.kernel.org/stable/c/b8fee83aa4ed3846c7f50a0b364bc699f48d96e5"},{"url":"https://git.kernel.org/stable/c/6acb8a453388374fafb3c3b37534b675b2aa0ae1"},{"url":"https://git.kernel.org/stable/c/4f3175979e62de3b929bfa54a0db4b87d36257a7"}],"title":"powerpc/rtas_flash: allow user copy to flash block cache objects","x_generator":{"engine":"bippy-1.2.0"}}}}