CVE-2023-52568
Vulnerability from cvelistv5
Published
2024-03-02 21:59
Modified
2024-12-19 08:21
Severity: 4.7 MEDIUM (NVD CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H; CWE-476 NULL Pointer Dereference)
Summary
In the Linux kernel, the following vulnerability has been resolved:

x86/sgx: Resolves SECS reclaim vs. page fault for EAUG race

The SGX EPC reclaimer (ksgxd) may reclaim the SECS EPC page for an enclave and set secs.epc_page to NULL. The SECS page is used for EAUG and ELDU in the SGX page fault handler. However, the NULL check for secs.epc_page is only done for ELDU, not EAUG before being used.

Fix this by doing the same NULL check and reloading of the SECS page as needed for both EAUG and ELDU.

The SECS page holds global enclave metadata. It can only be reclaimed when there are no other enclave pages remaining. At that point, virtually nothing can be done with the enclave until the SECS page is paged back in.

An enclave can not run nor generate page faults without a resident SECS page. But it is still possible for a #PF for a non-SECS page to race with paging out the SECS page: when the last resident non-SECS page A triggers a #PF in a non-resident page B, and then page A and the SECS both are paged out before the #PF on B is handled.

Hitting this bug requires that race triggered with a #PF for EAUG. Following is a trace when it happens.

BUG: kernel NULL pointer dereference, address: 0000000000000000
RIP: 0010:sgx_encl_eaug_page+0xc7/0x210
Call Trace:
 ? __kmem_cache_alloc_node+0x16a/0x440
 ? xa_load+0x6e/0xa0
 sgx_vma_fault+0x119/0x230
 __do_fault+0x36/0x140
 do_fault+0x12f/0x400
 __handle_mm_fault+0x728/0x1110
 handle_mm_fault+0x105/0x310
 do_user_addr_fault+0x1ee/0x750
 ? __this_cpu_preempt_check+0x13/0x20
 exc_page_fault+0x76/0x180
 asm_exc_page_fault+0x27/0x30
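The interleaving in the summary is easier to see in code. The block below is an added example written for this page, not kernel code: a user-space model of an enclave whose SECS pointer can be cleared by a reclaimer between a page fault being raised and being serviced. It puts the pre-fix EAUG path (SECS pointer used with no NULL check) beside the fixed one (the same NULL check and reload that the ELDU path already had). All struct, field and function names are the example's own stand-ins; only the behaviour follows the summary. The modelled NULL dereference is reported as a result code rather than executed.

```c
/*
 * Added example (not kernel code): a user-space model of the SECS reclaim
 * vs. EAUG page-fault race described in CVE-2023-52568. Names below are
 * this example's own stand-ins for the kernel's structures.
 */
#include <stdbool.h>
#include <stdlib.h>

/* Outcomes of the modelled fault handler. */
enum fault_result {
	FAULT_OK = 0,
	FAULT_NULL_SECS_DEREF,  /* where the real kernel oopsed */
	FAULT_NOMEM,
};

struct epc_page { unsigned long pa; };

/* Minimal enclave: secs_epc_page is the field the race clears. */
struct encl {
	struct epc_page *secs_epc_page;  /* NULL once the reclaimer took it */
	int resident_non_secs;           /* non-SECS pages still in EPC */
	int secs_reloads;                /* reloads done by the fault handler */
};

/* Stand-in for paging the SECS back in. */
static struct epc_page *load_secs(struct encl *e)
{
	struct epc_page *p = calloc(1, sizeof(*p));
	if (p) {
		p->pa = 0x1000;  /* arbitrary model address */
		e->secs_reloads++;
	}
	return p;
}

/* Reclaimer (ksgxd): the SECS may only go once no other page is resident. */
static bool reclaim_secs(struct encl *e)
{
	if (e->resident_non_secs != 0 || e->secs_epc_page == NULL)
		return false;
	free(e->secs_epc_page);
	e->secs_epc_page = NULL;
	return true;
}

/* EAUG path before the fix: secs_epc_page is used with no NULL check. */
static enum fault_result eaug_unfixed(struct encl *e, unsigned long *secs_pa)
{
	struct epc_page *secs = e->secs_epc_page;
	if (secs == NULL)            /* modelled crash: reported, not executed */
		return FAULT_NULL_SECS_DEREF;
	*secs_pa = secs->pa;
	return FAULT_OK;
}

/* EAUG path after the fix: the NULL check and reload that ELDU already had. */
static enum fault_result eaug_fixed(struct encl *e, unsigned long *secs_pa)
{
	if (e->secs_epc_page == NULL) {
		e->secs_epc_page = load_secs(e);
		if (e->secs_epc_page == NULL)
			return FAULT_NOMEM;
	}
	*secs_pa = e->secs_epc_page->pa;
	return FAULT_OK;
}

/*
 * The interleaving from the commit message: resident page A faults on
 * non-resident page B; A and then the SECS are reclaimed before the #PF
 * on B is handled; the handler then runs EAUG for B.
 */
static enum fault_result run_race(bool fixed, int *reloads)
{
	struct encl e = { .secs_epc_page = NULL, .resident_non_secs = 1, .secs_reloads = 0 };
	unsigned long pa = 0;
	enum fault_result r;

	e.secs_epc_page = load_secs(&e);      /* enclave starts with SECS resident */
	if (e.secs_epc_page == NULL)
		return FAULT_NOMEM;
	e.secs_reloads = 0;                   /* count only handler-side reloads */

	e.resident_non_secs = 0;              /* A evicted after raising the #PF */
	reclaim_secs(&e);                     /* SECS legally reclaimed next */

	r = fixed ? eaug_fixed(&e, &pa) : eaug_unfixed(&e, &pa);
	*reloads = e.secs_reloads;
	free(e.secs_epc_page);
	return r;
}

static enum fault_result race_result(bool fixed)
{
	int n = 0;
	return run_race(fixed, &n);
}

static int race_reloads(bool fixed)
{
	int n = 0;
	run_race(fixed, &n);
	return n;
}
```

`race_result(false)` reaches the modelled NULL dereference with no reload attempted; `race_result(true)` succeeds after exactly one SECS reload. The point to carry over to reviews of similar code: a pointer that another context may clear must be re-checked on every path that uses it, not only on the path where the first bug report came from.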
Impacted products
Vendor: Linux
Product: Linux (arch/x86/kernel/cpu/sgx/encl.c)
Affected: 6.0 and later, from commit 5a90d2c3f5ef87717e54572af8426aba6fdbdaa6; versions before 6.0 are unaffected
Fixed in: 6.1.56, 6.5.6, 6.6 (fix commits 811ba2ef0cb6402672e64ba1419d6ef95aa3405d, 1348f7f15d7c7798456856bee74a4235c2da994e, c6c2adcba50c2622ed25ba5d5e7f05f584711358)


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-52568",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-03-04T19:38:35.489870Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:23:13.348Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T23:03:20.885Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/811ba2ef0cb6402672e64ba1419d6ef95aa3405d"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/1348f7f15d7c7798456856bee74a4235c2da994e"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/c6c2adcba50c2622ed25ba5d5e7f05f584711358"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/kernel/cpu/sgx/encl.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "811ba2ef0cb6402672e64ba1419d6ef95aa3405d",
              "status": "affected",
              "version": "5a90d2c3f5ef87717e54572af8426aba6fdbdaa6",
              "versionType": "git"
            },
            {
              "lessThan": "1348f7f15d7c7798456856bee74a4235c2da994e",
              "status": "affected",
              "version": "5a90d2c3f5ef87717e54572af8426aba6fdbdaa6",
              "versionType": "git"
            },
            {
              "lessThan": "c6c2adcba50c2622ed25ba5d5e7f05f584711358",
              "status": "affected",
              "version": "5a90d2c3f5ef87717e54572af8426aba6fdbdaa6",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/kernel/cpu/sgx/encl.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.0"
            },
            {
              "lessThan": "6.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.56",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.5.*",
              "status": "unaffected",
              "version": "6.5.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.6",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/sgx: Resolves SECS reclaim vs. page fault for EAUG race\n\nThe SGX EPC reclaimer (ksgxd) may reclaim the SECS EPC page for an\nenclave and set secs.epc_page to NULL. The SECS page is used for EAUG\nand ELDU in the SGX page fault handler. However, the NULL check for\nsecs.epc_page is only done for ELDU, not EAUG before being used.\n\nFix this by doing the same NULL check and reloading of the SECS page as\nneeded for both EAUG and ELDU.\n\nThe SECS page holds global enclave metadata. It can only be reclaimed\nwhen there are no other enclave pages remaining. At that point,\nvirtually nothing can be done with the enclave until the SECS page is\npaged back in.\n\nAn enclave can not run nor generate page faults without a resident SECS\npage. But it is still possible for a #PF for a non-SECS page to race\nwith paging out the SECS page: when the last resident non-SECS page A\ntriggers a #PF in a non-resident page B, and then page A and the SECS\nboth are paged out before the #PF on B is handled.\n\nHitting this bug requires that race triggered with a #PF for EAUG.\nFollowing is a trace when it happens.\n\nBUG: kernel NULL pointer dereference, address: 0000000000000000\nRIP: 0010:sgx_encl_eaug_page+0xc7/0x210\nCall Trace:\n ? __kmem_cache_alloc_node+0x16a/0x440\n ? xa_load+0x6e/0xa0\n sgx_vma_fault+0x119/0x230\n __do_fault+0x36/0x140\n do_fault+0x12f/0x400\n __handle_mm_fault+0x728/0x1110\n handle_mm_fault+0x105/0x310\n do_user_addr_fault+0x1ee/0x750\n ? __this_cpu_preempt_check+0x13/0x20\n exc_page_fault+0x76/0x180\n asm_exc_page_fault+0x27/0x30"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-19T08:21:48.492Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/811ba2ef0cb6402672e64ba1419d6ef95aa3405d"
        },
        {
          "url": "https://git.kernel.org/stable/c/1348f7f15d7c7798456856bee74a4235c2da994e"
        },
        {
          "url": "https://git.kernel.org/stable/c/c6c2adcba50c2622ed25ba5d5e7f05f584711358"
        }
      ],
      "title": "x86/sgx: Resolves SECS reclaim vs. page fault for EAUG race",
      "x_generator": {
        "engine": "bippy-5f407fcff5a0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-52568",
    "datePublished": "2024-03-02T21:59:39.451Z",
    "dateReserved": "2024-03-02T21:55:42.567Z",
    "dateUpdated": "2024-12-19T08:21:48.492Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-52568\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-03-02T22:15:49.120\",\"lastModified\":\"2024-12-11T16:23:49.080\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nx86/sgx: Resolves SECS reclaim vs. page fault for EAUG race\\n\\nThe SGX EPC reclaimer (ksgxd) may reclaim the SECS EPC page for an\\nenclave and set secs.epc_page to NULL. The SECS page is used for EAUG\\nand ELDU in the SGX page fault handler. However, the NULL check for\\nsecs.epc_page is only done for ELDU, not EAUG before being used.\\n\\nFix this by doing the same NULL check and reloading of the SECS page as\\nneeded for both EAUG and ELDU.\\n\\nThe SECS page holds global enclave metadata. It can only be reclaimed\\nwhen there are no other enclave pages remaining. At that point,\\nvirtually nothing can be done with the enclave until the SECS page is\\npaged back in.\\n\\nAn enclave can not run nor generate page faults without a resident SECS\\npage. But it is still possible for a #PF for a non-SECS page to race\\nwith paging out the SECS page: when the last resident non-SECS page A\\ntriggers a #PF in a non-resident page B, and then page A and the SECS\\nboth are paged out before the #PF on B is handled.\\n\\nHitting this bug requires that race triggered with a #PF for EAUG.\\nFollowing is a trace when it happens.\\n\\nBUG: kernel NULL pointer dereference, address: 0000000000000000\\nRIP: 0010:sgx_encl_eaug_page+0xc7/0x210\\nCall Trace:\\n ? __kmem_cache_alloc_node+0x16a/0x440\\n ? xa_load+0x6e/0xa0\\n sgx_vma_fault+0x119/0x230\\n __do_fault+0x36/0x140\\n do_fault+0x12f/0x400\\n __handle_mm_fault+0x728/0x1110\\n handle_mm_fault+0x105/0x310\\n do_user_addr_fault+0x1ee/0x750\\n ? 
__this_cpu_preempt_check+0x13/0x20\\n exc_page_fault+0x76/0x180\\n asm_exc_page_fault+0x27/0x30\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: x86/sgx: Resuelve reclamaci\u00f3n SECS versus error de p\u00e1gina para la ejecuci\u00f3n EAUG. El recuperador SGX EPC (ksgxd) puede reclamar la p\u00e1gina SECS EPC para un enclave y establecer secs.epc_page en NULL. La p\u00e1gina SECS se utiliza para EAUG y ELDU en el controlador de fallas de la p\u00e1gina SGX. Sin embargo, la verificaci\u00f3n NULL para secs.epc_page solo se realiza para ELDU, no para EAUG, antes de usarse. Solucione este problema haciendo la misma verificaci\u00f3n NULL y recargando la p\u00e1gina SECS seg\u00fan sea necesario tanto para EAUG como para ELDU. La p\u00e1gina SECS contiene metadatos del enclave global. Solo se puede reclamar cuando no quedan otras p\u00e1ginas del enclave. En ese punto, pr\u00e1cticamente no se puede hacer nada con el enclave hasta que se vuelva a paginar la p\u00e1gina SECS. Un enclave no puede ejecutarse ni generar errores de p\u00e1gina sin una p\u00e1gina SECS residente. Pero a\u00fan es posible que un #PF para una p\u00e1gina que no es SECS se compita con la paginaci\u00f3n de la p\u00e1gina SECS: cuando la \u00faltima p\u00e1gina A residente que no es SECS activa un #PF en una p\u00e1gina B no residente, y luego la p\u00e1gina A y Ambos SECS se paginan antes de que se maneje el #PF en B. Para solucionar este error es necesario que la ejecuci\u00f3n se active con un #PF para EAUG. A continuaci\u00f3n se muestra un rastro de cuando sucede. ERROR: desreferencia del puntero NULL del kernel, direcci\u00f3n: 0000000000000000 RIP: 0010:sgx_encl_eaug_page+0xc7/0x210 Seguimiento de llamadas:? __kmem_cache_alloc_node+0x16a/0x440 ? xa_load+0x6e/0xa0 sgx_vma_fault+0x119/0x230 __do_fault+0x36/0x140 do_fault+0x12f/0x400 __handle_mm_fault+0x728/0x1110 handle_mm_fault+0x105/0x310 do_user_addr_fault+0x1ee/ 0x750? 
__this_cpu_preempt_check+0x13/0x20 exc_page_fault+0x76/0x180 asm_exc_page_fault+0x27/0x30\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":4.7,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.0,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-476\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.0\",\"versionEndExcluding\":\"6.1.56\",\"matchCriteriaId\":\"88CD6F0B-B968-414C-86CA-2E442AEA0EA8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.2\",\"versionEndExcluding\":\"6.5.6\",\"matchCriteriaId\":\"870FC772-173A-4A0F-B1AF-7976AD6057D3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.6:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"84267A4F-DBC2-444F-B41D-69E15E1BEC97\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.6:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"FB440208-241C-4246-9A83-C1715C0DAA6C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.6:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"0DC421F1-3D5A-4BEF-BF76-4E468985D20B\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/1348f7f15d7c7798456856bee74a4235c2da994e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/811ba2ef0cb6402672e64ba1419d6ef95aa3405d\",\"source\":\"416baaa9-dc9f-4396-8d5f-8
c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/c6c2adcba50c2622ed25ba5d5e7f05f584711358\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/1348f7f15d7c7798456856bee74a4235c2da994e\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/811ba2ef0cb6402672e64ba1419d6ef95aa3405d\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/c6c2adcba50c2622ed25ba5d5e7f05f584711358\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]}]}}"
  }
}

