CVE-2023-53326

MEDIUM

Linux Kernel 4.8-5.10.177 - NULL Pointer Dereference in PPR Handling

Title source: llm

Description

In the Linux kernel, the following vulnerability has been resolved: powerpc: Don't try to copy PPR for task with NULL pt_regs powerpc sets up PF_KTHREAD and PF_IO_WORKER with a NULL pt_regs, which from my (arguably very short) checking is not commonly done for other archs. This is fine, except when PF_IO_WORKER's have been created and the task does something that causes a coredump to be generated. Then we get this crash: Kernel attempted to read user page (160) - exploit attempt? (uid: 1000) BUG: Kernel NULL pointer dereference on read at 0x00000160 Faulting instruction address: 0xc0000000000c3a60 Oops: Kernel access of bad area, sig: 11 [#1] LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=32 NUMA pSeries Modules linked in: bochs drm_vram_helper drm_kms_helper xts binfmt_misc ecb ctr syscopyarea sysfillrect cbc sysimgblt drm_ttm_helper aes_generic ttm sg libaes evdev joydev virtio_balloon vmx_crypto gf128mul drm dm_mod fuse loop configfs drm_panel_orientation_quirks ip_tables x_tables autofs4 hid_generic usbhid hid xhci_pci xhci_hcd usbcore usb_common sd_mod CPU: 1 PID: 1982 Comm: ppc-crash Not tainted 6.3.0-rc2+ #88 Hardware name: IBM pSeries (emulated by qemu) POWER9 (raw) 0x4e1202 0xf000005 of:SLOF,HEAD hv:linux,kvm pSeries NIP: c0000000000c3a60 LR: c000000000039944 CTR: c0000000000398e0 REGS: c0000000041833b0 TRAP: 0300 Not tainted (6.3.0-rc2+) MSR: 800000000280b033 <SF,VEC,VSX,EE,FP,ME,IR,DR,RI,LE> CR: 88082828 XER: 200400f8 ... NIP memcpy_power7+0x200/0x7d0 LR ppr_get+0x64/0xb0 Call Trace: ppr_get+0x40/0xb0 (unreliable) __regset_get+0x180/0x1f0 regset_get_alloc+0x64/0x90 elf_core_dump+0xb98/0x1b60 do_coredump+0x1c34/0x24a0 get_signal+0x71c/0x1410 do_notify_resume+0x140/0x6f0 interrupt_exit_user_prepare_main+0x29c/0x320 interrupt_exit_user_prepare+0x6c/0xa0 interrupt_return_srr_user+0x8/0x138 Because ppr_get() is trying to copy from a PF_IO_WORKER with a NULL pt_regs. Check for a valid pt_regs in both ppc_get/ppr_set, and return an error if not set. The actual error value doesn't seem to be important here, so just pick -EINVAL. [mpe: Trim oops in change log, add Fixes & Cc stable]

References (5)

Core 5

Core References

Patch

https://git.kernel.org/stable/c/80a4200d51e5a7e046f4a90f5faa5bafd5a60c58

Patch

https://git.kernel.org/stable/c/7624973bc15b76d000e8e6f9b8080fcb76d36595

Patch

https://git.kernel.org/stable/c/064a1c7b0f8403260d77627e62424a72ca26cee2

Patch

https://git.kernel.org/stable/c/01849382373b867ddcbe7536b9dfa89f3bcea60e

Patch

https://git.kernel.org/stable/c/fd7276189450110ed835eb0a334e62d2f1c4e3be

Scores

CVSS v3 5.5

EPSS 0.0014

EPSS Percentile 3.3%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-476

Status published

Products (14)

Linux/Linux < 4.8

Linux/Linux 4.8

Linux/Linux 5.10.177 - 5.10.*

Linux/Linux 5.15.106 - 5.15.*

Linux/Linux 6.1.23 - 6.1.*

Linux/Linux 6.2.10 - 6.2.*

Linux/Linux 6.3

Linux/Linux fa439810cc1b3c927ec24ede17d02467e1b143a1 - 01849382373b867ddcbe7536b9dfa89f3bcea60e

Linux/Linux fa439810cc1b3c927ec24ede17d02467e1b143a1 - 064a1c7b0f8403260d77627e62424a72ca26cee2

Linux/Linux fa439810cc1b3c927ec24ede17d02467e1b143a1 - 7624973bc15b76d000e8e6f9b8080fcb76d36595

... and 4 more

Published Sep 16, 2025

Tracked Since Feb 18, 2026