CVE-2023-54232

Vulnerability

The m68k architecture's 030 bus error handler in the Linux kernel incorrectly handles supervisor-mode data faults that occur at instruction addresses covered by the exception table. When __get_kernel_nofault() copies data in supervisor mode (e.g., during task backtrace via /proc/sysrq_trigger), a bus error on a NULL pointer dereference triggers the handler. The 030 handler does not attempt to handle the fault and instead sends a SIGSEGV signal or panics, ignoring the exception table check that would normally route the fault to do_page_fault(). This contrasts with the 040 and 060 handlers, which correctly call do_page_fault() regardless of supervisor mode.

Exploitation

Exploitation requires a scenario where a kernel operation in supervisor mode triggers a bus error at an address with an exception table entry. The attack surface is local, as it involves accessing /proc/sysrq_trigger to force a backtrace of a kernel task that has no associated workqueue. No authentication is needed beyond the ability to invoke SysRq triggers. The bug is triggered during normal kernel debugging or logging operations, not through a direct exploit vector.

Impact

A local attacker or system administrator can cause a denial of service by triggering an unnecessary SIGSEGV or kernel panic when attempting to log a task's backtrace. This results in a system crash or signal delivery to the current process, potentially disrupting system operations. The impact is limited to systems using the m68k 030 CPU variant.

Mitigation

The issue is patched in the Linux kernel stable tree with commit [1], which adds a check in bus_error030 to call do_page_fault() if the fault PC has an entry in the exception table. Users should update to a kernel version containing this fix.