Linux Kernel PowerPC RTAS Flash Vulnerability Allowing User Copy to Flash Block Cache Objects

Vulnerability

A bug in the Linux kernel's PowerPC RTAS flash driver (arch/powerpc/kernel/rtas_flash.c) has been addressed. With hardened user copy enabled (CONFIG_HARDENED_USERCOPY=y), using the RTAS firmware update interface to stage a system firmware image triggers a kernel BUG(). The driver accumulates the image written by user space in blocks allocated from its flash block cache, but that cache was created without declaring a usercopy region, so the hardened usercopy check treats the copy_from_user() into those objects as a kernel memory overwrite attempt and aborts. The fix creates the cache with a usercopy whitelist covering the block (the kernel API for this is kmem_cache_create_usercopy() rather than kmem_cache_create()), so user data can be copied into the blocks without tripping the check.

Impact

Writing a firmware image to the interface ends in a kernel BUG(): the writing task oopses and, on kernels with panic_on_oops set, the system panics, a denial of service. Two caveats matter for triage. First, the /proc entry is created owner-only (mode 0600), so the write requires root; this is not a path an unprivileged user can reach. Second, the abort is a deliberate hardening trap, not a memory-safety failure: the copy is bounded to the block, and the hardening code rejects it only because the cache never declared the block as user-copyable. The practical effect on affected kernels is that legitimate RTAS firmware updates crash the system instead of proceeding.

Reproduction

To reproduce, boot a kernel built with CONFIG_HARDENED_USERCOPY=y on a PowerPC system that exposes the RTAS firmware update interface, and, as root, write a firmware image to /proc/powerpc/rtas/firmware_update (for example by redirecting the image file into it). The driver's write handler allocates a block from the flash block cache and copy_from_user()s the data into it. Because the cache has no usercopy region, the hardened usercopy check reports a kernel memory overwrite attempt against the "rtas_flash_cache" SLUB object and calls BUG(); the oops appears in the kernel log and the writing process is killed.
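As an added illustration, not code from the kernel or from the original advisory, the following userspace C model shows the decision that hardened usercopy makes for a copy_from_user() landing in a slab object, and why creating the flash block cache with a usercopy whitelist (the effect of kmem_cache_create_usercopy()) stops the BUG() described in the Vulnerability and Reproduction sections above. The struct and function names, the block size and the "firmware" bytes are constructed for the model; only the cache name and the rule (the copy must fall inside the cache's declared user region, otherwise abort) follow the kernel.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Block size for the model only; the real driver uses its own page-sized
 * RTAS_BLK_SIZE, and the exact value does not affect the check shown here. */
#define MODEL_BLK_SIZE 4096

/* Minimal stand-in for a kmem_cache: just the fields the usercopy check reads. */
struct model_cache {
    const char *name;
    size_t obj_size;
    size_t useroffset;  /* start of the region user copies may touch */
    size_t usersize;    /* length of that region; 0 = nothing whitelisted */
};

/* Models kmem_cache_create(): no usercopy region is recorded. */
static struct model_cache cache_create(const char *name, size_t size)
{
    struct model_cache c = { name, size, 0, 0 };
    return c;
}

/* Models kmem_cache_create_usercopy(): records the whitelisted region. */
static struct model_cache cache_create_usercopy(const char *name, size_t size,
                                               size_t useroffset, size_t usersize)
{
    struct model_cache c = { name, size, useroffset, usersize };
    return c;
}

enum copy_verdict { COPY_OK = 0, COPY_ABORT_NO_WHITELIST, COPY_ABORT_OUT_OF_REGION };

/* The decision hardened usercopy makes for a copy that lands in a slab object:
 * [offset, offset+n) must lie inside [useroffset, useroffset+usersize).
 * In the kernel a rejection ends in usercopy_abort(), which BUG()s. */
static enum copy_verdict check_heap_object(const struct model_cache *c, size_t offset, size_t n)
{
    if (offset + n > c->obj_size)
        return COPY_ABORT_OUT_OF_REGION;   /* would run past the object itself */
    if (c->usersize == 0)
        return COPY_ABORT_NO_WHITELIST;    /* cache created without a user region */
    if (offset < c->useroffset || offset + n > c->useroffset + c->usersize)
        return COPY_ABORT_OUT_OF_REGION;   /* touches bytes outside the region */
    return COPY_OK;
}

/* Model of the driver's write path: copy the caller's buffer into a block
 * allocated from the cache, but only if the usercopy check passes. */
static enum copy_verdict flash_write_model(const struct model_cache *c,
                                           unsigned char *block,
                                           const unsigned char *ubuf, size_t count)
{
    enum copy_verdict v = check_heap_object(c, 0, count);
    if (v == COPY_OK)
        memcpy(block, ubuf, count);
    return v;
}

/* Runs the same write against a cache created the old way and the fixed way.
 * Returns 1 when the model reproduces the advisory: abort before, success after. */
static int run_demo(void)
{
    /* Constructed bytes standing in for the user-space firmware image. */
    static const unsigned char image[64] = "constructed firmware payload";
    unsigned char block[MODEL_BLK_SIZE];

    /* Before the fix: plain kmem_cache_create(), no usercopy region. */
    struct model_cache before = cache_create("rtas_flash_cache", MODEL_BLK_SIZE);
    /* After the fix: the whole object is whitelisted, since it holds only user data. */
    struct model_cache after = cache_create_usercopy("rtas_flash_cache", MODEL_BLK_SIZE,
                                                     0, MODEL_BLK_SIZE);

    enum copy_verdict v1 = flash_write_model(&before, block, image, sizeof image);
    enum copy_verdict v2 = flash_write_model(&after, block, image, sizeof image);
    printf("before fix: %s\n", v1 == COPY_OK ? "copy allowed" : "usercopy abort (BUG)");
    printf("after fix:  %s\n", v2 == COPY_OK ? "copy allowed" : "usercopy abort (BUG)");
    return v1 == COPY_ABORT_NO_WHITELIST && v2 == COPY_OK;
}

int main(void)
{
    return run_demo() ? 0 : 1;
}
```

The model whitelists the entire object because the flash blocks hold nothing but the user-supplied image; for a cache whose objects mix kernel state with user-visible data, the region passed to kmem_cache_create_usercopy() should cover only the user-visible fields, so the hardening still catches a copy that strays into the rest of the object.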

Remediation

The fix is in the mainline Linux kernel and is carried by the stable series; upgrade to a kernel that includes it. To confirm a running kernel is fixed, read the cache's usercopy size from SLUB's sysfs (/sys/kernel/slab/rtas_flash_cache/usersize): a fixed kernel reports the block size, an unfixed one reports 0 (or the entry is a symlink to a merged generic cache, since caches without a user region may be merged). Disabling CONFIG_HARDENED_USERCOPY would avoid the BUG() but removes a system-wide hardening check and is not a recommended workaround; until the kernel is updated, avoid performing RTAS firmware updates through this interface on hardened kernels.

Added: Oct 1, 2025, 2:12 PM
Updated: Oct 1, 2025, 2:12 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 0.6
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.