cve-2023-52761
Vulnerability from cvelistv5
Published: 2024-05-21 15:30
Modified: 2024-12-19 08:25
Severity: none assigned (the record carries no CVSS metrics; NVD status "Awaiting Analysis")
Summary
In the Linux kernel, the following vulnerability has been resolved:

riscv: VMAP_STACK overflow detection thread-safe

commit 31da94c25aea ("riscv: add VMAP_STACK overflow detection") added support for CONFIG_VMAP_STACK. If overflow is detected, the CPU switches to `shadow_stack` temporarily before switching finally to the per-cpu `overflow_stack`.

If two CPUs/harts are racing and end up overflowing the kernel stack, one or both will end up corrupting each other's state because `shadow_stack` is not per-cpu. This patch optimizes the per-cpu overflow stack switch by directly picking the per-cpu `overflow_stack` and gets rid of `shadow_stack`.

Following are the changes in this patch:

 - Defines an asm macro to obtain per-cpu symbols in the destination register.
 - In entry.S, when overflow is detected, the per-cpu overflow stack is located using the per-cpu asm macro. Computing a per-cpu symbol requires a temporary register. x31 is saved away into CSR_SCRATCH (CSR_SCRATCH is anyway zero since we're in the kernel).

Please see Links for additional relevant discussion and an alternative solution.

Tested by `echo EXHAUST_STACK > /sys/kernel/debug/provoke-crash/DIRECT`. Kernel crash log below:

 Insufficient stack space to handle exception!/debug/provoke-crash/DIRECT
 Task stack:     [0xff20000010a98000..0xff20000010a9c000]
 Overflow stack: [0xff600001f7d98370..0xff600001f7d99370]
 CPU: 1 PID: 205 Comm: bash Not tainted 6.1.0-rc2-00001-g328a1f96f7b9 #34
 Hardware name: riscv-virtio,qemu (DT)
 epc : __memset+0x60/0xfc
  ra : recursive_loop+0x48/0xc6 [lkdtm]
 epc : ffffffff808de0e4 ra : ffffffff0163a752 sp : ff20000010a97e80
  gp : ffffffff815c0330 tp : ff600000820ea280 t0 : ff20000010a97e88
  t1 : 000000000000002e t2 : 3233206874706564 s0 : ff20000010a982b0
  s1 : 0000000000000012 a0 : ff20000010a97e88 a1 : 0000000000000000
  a2 : 0000000000000400 a3 : ff20000010a98288 a4 : 0000000000000000
  a5 : 0000000000000000 a6 : fffffffffffe43f0 a7 : 00007fffffffffff
  s2 : ff20000010a97e88 s3 : ffffffff01644680 s4 : ff20000010a9be90
  s5 : ff600000842ba6c0 s6 : 00aaaaaac29e42b0 s7 : 00fffffff0aa3684
  s8 : 00aaaaaac2978040 s9 : 0000000000000065 s10: 00ffffff8a7cad10
  s11: 00ffffff8a76a4e0 t3 : ffffffff815dbaf4 t4 : ffffffff815dbaf4
  t5 : ffffffff815dbab8 t6 : ff20000010a9bb48
 status: 0000000200000120 badaddr: ff20000010a97e88 cause: 000000000000000f
 Kernel panic - not syncing: Kernel stack overflow
 CPU: 1 PID: 205 Comm: bash Not tainted 6.1.0-rc2-00001-g328a1f96f7b9 #34
 Hardware name: riscv-virtio,qemu (DT)
 Call Trace:
 [<ffffffff80006754>] dump_backtrace+0x30/0x38
 [<ffffffff808de798>] show_stack+0x40/0x4c
 [<ffffffff808ea2a8>] dump_stack_lvl+0x44/0x5c
 [<ffffffff808ea2d8>] dump_stack+0x18/0x20
 [<ffffffff808dec06>] panic+0x126/0x2fe
 [<ffffffff800065ea>] walk_stackframe+0x0/0xf0
 [<ffffffff0163a752>] recursive_loop+0x48/0xc6 [lkdtm]
 SMP: stopping secondary CPUs
 ---[ end Kernel panic - not syncing: Kernel stack overflow ]---
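The race described in the commit message, modelled in user space so the corruption is reproducible. This is an added example, not code from the kernel tree or from this record: the two harts are driven through an explicit interleaving instead of real concurrency, `shadow_stack` and `overflow_stack` are plain structs named after the kernel variables (their real layout, the x31/CSR_SCRATCH juggling and the asm per-cpu macro are not modelled), and `run_schedule`, `live_regs` and the register-tagging scheme are this model's own assumptions.

```c
/* Added example, not kernel code: a deterministic model of the race fixed
 * by "riscv: VMAP_STACK overflow detection thread-safe".
 * SPILL = a hart saves its register file on trap entry.
 * COPY  = the hart moves that file onto its per-cpu overflow stack
 *         (only needed on the pre-fix path, which spilled into a global
 *         shadow_stack first). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NR_HARTS 2
#define NR_REGS  32                     /* x0..x31 on RV64 */

typedef struct { uint64_t x[NR_REGS]; } regs_t;

enum phase { SPILL, COPY };
struct step { int hart; enum phase phase; };

/* Register file hart `id` is running with when it overflows. Every register
 * carries the hart id in its top byte, so a foreign value is easy to spot. */
static void live_regs(regs_t *r, int id)
{
    for (int i = 0; i < NR_REGS; i++)
        r->x[i] = ((uint64_t)(id + 1) << 56) | (uint64_t)i;
}

/* Executes `schedule` and returns how many harts end up with an
 * overflow_stack holding a register file that is not their own.
 * shared_shadow=1: pre-fix path (one global shadow_stack, then copy).
 * shared_shadow=0: the fix (spill straight into the per-cpu overflow_stack). */
int run_schedule(const struct step *schedule, int nsteps, int shared_shadow)
{
    regs_t shadow_stack;                  /* ONE for all harts: the bug */
    regs_t overflow_stack[NR_HARTS];      /* one per hart: what the fix uses */
    int corrupted = 0;

    memset(&shadow_stack, 0, sizeof shadow_stack);
    memset(overflow_stack, 0, sizeof overflow_stack);

    for (int s = 0; s < nsteps; s++) {
        int h = schedule[s].hart;

        if (schedule[s].phase == SPILL) {
            regs_t live;
            live_regs(&live, h);
            if (shared_shadow)
                memcpy(&shadow_stack, &live, sizeof live);      /* racing store */
            else
                memcpy(&overflow_stack[h], &live, sizeof live); /* per-cpu, no race */
        } else if (shared_shadow) {
            /* Hart h assumes shadow_stack still holds *its* registers. */
            memcpy(&overflow_stack[h], &shadow_stack, sizeof shadow_stack);
        }
    }
    for (int h = 0; h < NR_HARTS; h++) {
        regs_t expect;
        live_regs(&expect, h);
        if (memcmp(&overflow_stack[h], &expect, sizeof expect) != 0)
            corrupted++;
    }
    return corrupted;
}

/* Two harts overflow at the same time: both spill before either copies. */
static const struct step concurrent[] = {
    {0, SPILL}, {1, SPILL}, {0, COPY}, {1, COPY},
};
/* The same two traps strictly one after the other. */
static const struct step serialized[] = {
    {0, SPILL}, {0, COPY}, {1, SPILL}, {1, COPY},
};

int main(void)
{
    printf("pre-fix, serialized traps: %d hart(s) corrupted\n",
           run_schedule(serialized, 4, 1));
    printf("pre-fix, concurrent traps: %d hart(s) corrupted\n",
           run_schedule(concurrent, 4, 1));
    printf("fixed,   concurrent traps: %d hart(s) corrupted\n",
           run_schedule(concurrent, 4, 0));
    return 0;
}
```

The serialized schedule is the point worth noticing: with only one hart trapping at a time the shared `shadow_stack` behaves, which is why a single-hart test such as the lkdtm run in the commit message cannot show the bug. Under the concurrent schedule hart 0 copies hart 1's registers onto its own overflow stack, exactly the cross-CPU corruption the description calls out; the per-cpu path has no shared intermediate to corrupt.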
Impacted products
  Vendor   Product   Version
  Linux    Linux     4.15 (affected from 4.15; fixed in 6.5.13, 6.6.3 and 6.7 per the affected ranges in the record below)
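A check of a running kernel against the version ranges in this record, as an added example (not part of the record or of the kernel tree). It takes the record's ranges as given: affected from 4.15, fixed in 6.5.13, 6.6.3 and 6.7, and every other series at or above 4.15 treated as affected because the record lists no backport for it (the commit message itself traces the `shadow_stack` path to commit 31da94c25aea, so early releases in that range do not actually contain it). Only the leading major.minor.patch is parsed, so `-rc` and distribution suffixes are ignored, and a distribution kernel may carry the backport under an older version number. `cve_2023_52761_status` and `cve_status_name` are this example's own names.

```c
/* Added example, not from the CVE record or the kernel tree: classify a
 * kernel release string against the ranges this record lists for
 * CVE-2023-52761. Assumed ranges (from the record): affected from 4.15;
 * fixed in 6.5.13, 6.6.3 and 6.7; series with no listed backport are
 * treated as affected. The bug is riscv-only and needs CONFIG_VMAP_STACK. */
#include <stdio.h>
#include <string.h>
#include <sys/utsname.h>

enum cve_status { CVE_UNKNOWN, CVE_UNAFFECTED, CVE_AFFECTED, CVE_FIXED };

/* Reads the leading "major.minor[.patch]"; whatever follows (-rc2, -generic,
 * +) is ignored. Returns 0 if no major.minor pair is present. */
static int parse_release(const char *rel, int *maj, int *min, int *pat)
{
    *maj = *min = *pat = 0;
    return sscanf(rel, "%d.%d.%d", maj, min, pat) >= 2;
}

enum cve_status cve_2023_52761_status(const char *release)
{
    int maj, min, pat;

    if (!parse_release(release, &maj, &min, &pat))
        return CVE_UNKNOWN;
    /* below 4.15: outside the record's affected range */
    if (maj < 4 || (maj == 4 && min < 15))
        return CVE_UNAFFECTED;
    /* 6.7 and every later mainline release carry the fix */
    if (maj > 6 || (maj == 6 && min >= 7))
        return CVE_FIXED;
    /* stable backports listed in the record */
    if (maj == 6 && min == 6)
        return pat >= 3 ? CVE_FIXED : CVE_AFFECTED;
    if (maj == 6 && min == 5)
        return pat >= 13 ? CVE_FIXED : CVE_AFFECTED;
    /* every other series from 4.15 up: no backport listed */
    return CVE_AFFECTED;
}

const char *cve_status_name(enum cve_status s)
{
    static const char *names[] = { "unknown", "unaffected", "affected", "fixed" };
    return names[s];
}

int main(void)
{
    struct utsname u;

    if (uname(&u) != 0) {
        perror("uname");
        return 1;
    }
    /* The race lives in arch/riscv; on any other arch the range is moot. */
    int riscv = strncmp(u.machine, "riscv", 5) == 0;
    printf("%s %s: version range says %s; %s\n", u.machine, u.release,
           cve_status_name(cve_2023_52761_status(u.release)),
           riscv ? "RISC-V, range applies"
                 : "not RISC-V, affected code not built for this arch");
    return 0;
}
```

Two more conditions come from the description rather than the version table: the overflow path only exists with CONFIG_VMAP_STACK=y (check `/proc/config.gz` or `/boot/config-$(uname -r)`), and the race needs at least two harts. Triggering it the way the commit message did (`echo EXHAUST_STACK > /sys/kernel/debug/provoke-crash/DIRECT`) panics the kernel by design, so do that only on a disposable test system.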


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-52761",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-06-11T15:20:22.458093Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-11T15:20:32.175Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T23:11:35.808Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/1493baaf09e3c1899959c8a107cd1207e16d1788"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/eff53aea3855f71992c043cebb1c00988c17ee20"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/be97d0db5f44c0674480cb79ac6f5b0529b84c76"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/riscv/include/asm/asm-prototypes.h",
            "arch/riscv/include/asm/asm.h",
            "arch/riscv/include/asm/thread_info.h",
            "arch/riscv/kernel/asm-offsets.c",
            "arch/riscv/kernel/entry.S",
            "arch/riscv/kernel/traps.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "1493baaf09e3c1899959c8a107cd1207e16d1788",
              "status": "affected",
              "version": "76d2a0493a17d4c8ecc781366850c3c4f8e1a446",
              "versionType": "git"
            },
            {
              "lessThan": "eff53aea3855f71992c043cebb1c00988c17ee20",
              "status": "affected",
              "version": "76d2a0493a17d4c8ecc781366850c3c4f8e1a446",
              "versionType": "git"
            },
            {
              "lessThan": "be97d0db5f44c0674480cb79ac6f5b0529b84c76",
              "status": "affected",
              "version": "76d2a0493a17d4c8ecc781366850c3c4f8e1a446",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/riscv/include/asm/asm-prototypes.h",
            "arch/riscv/include/asm/asm.h",
            "arch/riscv/include/asm/thread_info.h",
            "arch/riscv/kernel/asm-offsets.c",
            "arch/riscv/kernel/entry.S",
            "arch/riscv/kernel/traps.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.15"
            },
            {
              "lessThan": "4.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.5.*",
              "status": "unaffected",
              "version": "6.5.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.7",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: VMAP_STACK overflow detection thread-safe\n\ncommit 31da94c25aea (\"riscv: add VMAP_STACK overflow detection\") added\nsupport for CONFIG_VMAP_STACK. If overflow is detected, CPU switches to\n`shadow_stack` temporarily before switching finally to per-cpu\n`overflow_stack`.\n\nIf two CPUs/harts are racing and end up in over flowing kernel stack, one\nor both will end up corrupting each other state because `shadow_stack` is\nnot per-cpu. This patch optimizes per-cpu overflow stack switch by\ndirectly picking per-cpu `overflow_stack` and gets rid of `shadow_stack`.\n\nFollowing are the changes in this patch\n\n - Defines an asm macro to obtain per-cpu symbols in destination\n   register.\n - In entry.S, when overflow is detected, per-cpu overflow stack is\n   located using per-cpu asm macro. Computing per-cpu symbol requires\n   a temporary register. x31 is saved away into CSR_SCRATCH\n   (CSR_SCRATCH is anyways zero since we\u0027re in kernel).\n\nPlease see Links for additional relevant disccussion and alternative\nsolution.\n\nTested by `echo EXHAUST_STACK \u003e /sys/kernel/debug/provoke-crash/DIRECT`\nKernel crash log below\n\n Insufficient stack space to handle exception!/debug/provoke-crash/DIRECT\n Task stack:     [0xff20000010a98000..0xff20000010a9c000]\n Overflow stack: [0xff600001f7d98370..0xff600001f7d99370]\n CPU: 1 PID: 205 Comm: bash Not tainted 6.1.0-rc2-00001-g328a1f96f7b9 #34\n Hardware name: riscv-virtio,qemu (DT)\n epc : __memset+0x60/0xfc\n  ra : recursive_loop+0x48/0xc6 [lkdtm]\n epc : ffffffff808de0e4 ra : ffffffff0163a752 sp : ff20000010a97e80\n  gp : ffffffff815c0330 tp : ff600000820ea280 t0 : ff20000010a97e88\n  t1 : 000000000000002e t2 : 3233206874706564 s0 : ff20000010a982b0\n  s1 : 0000000000000012 a0 : ff20000010a97e88 a1 : 0000000000000000\n  a2 : 0000000000000400 a3 : ff20000010a98288 a4 : 0000000000000000\n  a5 : 0000000000000000 a6 : fffffffffffe43f0 a7 : 00007fffffffffff\n  s2 : ff20000010a97e88 s3 : ffffffff01644680 s4 : ff20000010a9be90\n  s5 : ff600000842ba6c0 s6 : 00aaaaaac29e42b0 s7 : 00fffffff0aa3684\n  s8 : 00aaaaaac2978040 s9 : 0000000000000065 s10: 00ffffff8a7cad10\n  s11: 00ffffff8a76a4e0 t3 : ffffffff815dbaf4 t4 : ffffffff815dbaf4\n  t5 : ffffffff815dbab8 t6 : ff20000010a9bb48\n status: 0000000200000120 badaddr: ff20000010a97e88 cause: 000000000000000f\n Kernel panic - not syncing: Kernel stack overflow\n CPU: 1 PID: 205 Comm: bash Not tainted 6.1.0-rc2-00001-g328a1f96f7b9 #34\n Hardware name: riscv-virtio,qemu (DT)\n Call Trace:\n [\u003cffffffff80006754\u003e] dump_backtrace+0x30/0x38\n [\u003cffffffff808de798\u003e] show_stack+0x40/0x4c\n [\u003cffffffff808ea2a8\u003e] dump_stack_lvl+0x44/0x5c\n [\u003cffffffff808ea2d8\u003e] dump_stack+0x18/0x20\n [\u003cffffffff808dec06\u003e] panic+0x126/0x2fe\n [\u003cffffffff800065ea\u003e] walk_stackframe+0x0/0xf0\n [\u003cffffffff0163a752\u003e] recursive_loop+0x48/0xc6 [lkdtm]\n SMP: stopping secondary CPUs\n ---[ end Kernel panic - not syncing: Kernel stack overflow ]---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-19T08:25:11.529Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/1493baaf09e3c1899959c8a107cd1207e16d1788"
        },
        {
          "url": "https://git.kernel.org/stable/c/eff53aea3855f71992c043cebb1c00988c17ee20"
        },
        {
          "url": "https://git.kernel.org/stable/c/be97d0db5f44c0674480cb79ac6f5b0529b84c76"
        }
      ],
      "title": "riscv: VMAP_STACK overflow detection thread-safe",
      "x_generator": {
        "engine": "bippy-5f407fcff5a0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-52761",
    "datePublished": "2024-05-21T15:30:47.086Z",
    "dateReserved": "2024-05-21T15:19:24.237Z",
    "dateUpdated": "2024-12-19T08:25:11.529Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-52761\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-05-21T16:15:15.487\",\"lastModified\":\"2024-11-21T08:40:31.823\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nriscv: VMAP_STACK overflow detection thread-safe\\n\\ncommit 31da94c25aea (\\\"riscv: add VMAP_STACK overflow detection\\\") added\\nsupport for CONFIG_VMAP_STACK. If overflow is detected, CPU switches to\\n`shadow_stack` temporarily before switching finally to per-cpu\\n`overflow_stack`.\\n\\nIf two CPUs/harts are racing and end up in over flowing kernel stack, one\\nor both will end up corrupting each other state because `shadow_stack` is\\nnot per-cpu. This patch optimizes per-cpu overflow stack switch by\\ndirectly picking per-cpu `overflow_stack` and gets rid of `shadow_stack`.\\n\\nFollowing are the changes in this patch\\n\\n - Defines an asm macro to obtain per-cpu symbols in destination\\n   register.\\n - In entry.S, when overflow is detected, per-cpu overflow stack is\\n   located using per-cpu asm macro. Computing per-cpu symbol requires\\n   a temporary register. x31 is saved away into CSR_SCRATCH\\n   (CSR_SCRATCH is anyways zero since we\u0027re in kernel).\\n\\nPlease see Links for additional relevant disccussion and alternative\\nsolution.\\n\\nTested by `echo EXHAUST_STACK \u003e /sys/kernel/debug/provoke-crash/DIRECT`\\nKernel crash log below\\n\\n Insufficient stack space to handle exception!/debug/provoke-crash/DIRECT\\n Task stack:     [0xff20000010a98000..0xff20000010a9c000]\\n Overflow stack: [0xff600001f7d98370..0xff600001f7d99370]\\n CPU: 1 PID: 205 Comm: bash Not tainted 6.1.0-rc2-00001-g328a1f96f7b9 #34\\n Hardware name: riscv-virtio,qemu (DT)\\n epc : __memset+0x60/0xfc\\n  ra : recursive_loop+0x48/0xc6 [lkdtm]\\n epc : ffffffff808de0e4 ra : ffffffff0163a752 sp : ff20000010a97e80\\n  gp : ffffffff815c0330 tp : ff600000820ea280 t0 : ff20000010a97e88\\n  t1 : 000000000000002e t2 : 3233206874706564 s0 : ff20000010a982b0\\n  s1 : 0000000000000012 a0 : ff20000010a97e88 a1 : 0000000000000000\\n  a2 : 0000000000000400 a3 : ff20000010a98288 a4 : 0000000000000000\\n  a5 : 0000000000000000 a6 : fffffffffffe43f0 a7 : 00007fffffffffff\\n  s2 : ff20000010a97e88 s3 : ffffffff01644680 s4 : ff20000010a9be90\\n  s5 : ff600000842ba6c0 s6 : 00aaaaaac29e42b0 s7 : 00fffffff0aa3684\\n  s8 : 00aaaaaac2978040 s9 : 0000000000000065 s10: 00ffffff8a7cad10\\n  s11: 00ffffff8a76a4e0 t3 : ffffffff815dbaf4 t4 : ffffffff815dbaf4\\n  t5 : ffffffff815dbab8 t6 : ff20000010a9bb48\\n status: 0000000200000120 badaddr: ff20000010a97e88 cause: 000000000000000f\\n Kernel panic - not syncing: Kernel stack overflow\\n CPU: 1 PID: 205 Comm: bash Not tainted 6.1.0-rc2-00001-g328a1f96f7b9 #34\\n Hardware name: riscv-virtio,qemu (DT)\\n Call Trace:\\n [\u003cffffffff80006754\u003e] dump_backtrace+0x30/0x38\\n [\u003cffffffff808de798\u003e] show_stack+0x40/0x4c\\n [\u003cffffffff808ea2a8\u003e] dump_stack_lvl+0x44/0x5c\\n [\u003cffffffff808ea2d8\u003e] dump_stack+0x18/0x20\\n [\u003cffffffff808dec06\u003e] panic+0x126/0x2fe\\n [\u003cffffffff800065ea\u003e] walk_stackframe+0x0/0xf0\\n [\u003cffffffff0163a752\u003e] recursive_loop+0x48/0xc6 [lkdtm]\\n SMP: stopping secondary CPUs\\n ---[ end Kernel panic - not syncing: Kernel stack overflow ]---\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/1493baaf09e3c1899959c8a107cd1207e16d1788\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/be97d0db5f44c0674480cb79ac6f5b0529b84c76\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/eff53aea3855f71992c043cebb1c00988c17ee20\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/1493baaf09e3c1899959c8a107cd1207e16d1788\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/be97d0db5f44c0674480cb79ac6f5b0529b84c76\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/eff53aea3855f71992c043cebb1c00988c17ee20\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}

