cve/published/2023/CVE-2023-52568.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2023-52568: x86/sgx: Resolves SECS reclaim vs. page fault for EAUG race

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 x86/sgx: Resolves SECS reclaim vs. page fault for EAUG race

 The SGX EPC reclaimer (ksgxd) may reclaim the SECS EPC page for an
 enclave and set secs.epc_page to NULL. The SECS page is used for EAUG
 and ELDU in the SGX page fault handler. However, the NULL check for
 secs.epc_page is only done for ELDU, not EAUG before being used.

 Fix this by doing the same NULL check and reloading of the SECS page as
 needed for both EAUG and ELDU.

 The SECS page holds global enclave metadata. It can only be reclaimed
 when there are no other enclave pages remaining. At that point,
 virtually nothing can be done with the enclave until the SECS page is
 paged back in.

 An enclave can not run nor generate page faults without a resident SECS
 page. But it is still possible for a #PF for a non-SECS page to race
 with paging out the SECS page: when the last resident non-SECS page A
 triggers a #PF in a non-resident page B, and then page A and the SECS
 both are paged out before the #PF on B is handled.

 Hitting this bug requires that race triggered with a #PF for EAUG.
 Following is a trace when it happens.

 BUG: kernel NULL pointer dereference, address: 0000000000000000
 RIP: 0010:sgx_encl_eaug_page+0xc7/0x210
 Call Trace:
  ? __kmem_cache_alloc_node+0x16a/0x440
  ? xa_load+0x6e/0xa0
  sgx_vma_fault+0x119/0x230
  __do_fault+0x36/0x140
  do_fault+0x12f/0x400
  __handle_mm_fault+0x728/0x1110
  handle_mm_fault+0x105/0x310
  do_user_addr_fault+0x1ee/0x750
  ? __this_cpu_preempt_check+0x13/0x20
  exc_page_fault+0x76/0x180
  asm_exc_page_fault+0x27/0x30

 The Linux kernel CVE team has assigned CVE-2023-52568 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.0 with commit 5a90d2c3f5ef87717e54572af8426aba6fdbdaa6 and fixed in 6.1.56 with commit 811ba2ef0cb6402672e64ba1419d6ef95aa3405d
 	Issue introduced in 6.0 with commit 5a90d2c3f5ef87717e54572af8426aba6fdbdaa6 and fixed in 6.5.6 with commit 1348f7f15d7c7798456856bee74a4235c2da994e
 	Issue introduced in 6.0 with commit 5a90d2c3f5ef87717e54572af8426aba6fdbdaa6 and fixed in 6.6 with commit c6c2adcba50c2622ed25ba5d5e7f05f584711358

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2023-52568
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	arch/x86/kernel/cpu/sgx/encl.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/811ba2ef0cb6402672e64ba1419d6ef95aa3405d
 	https://git.kernel.org/stable/c/1348f7f15d7c7798456856bee74a4235c2da994e
 	https://git.kernel.org/stable/c/c6c2adcba50c2622ed25ba5d5e7f05f584711358
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2023-52568: x86/sgx: Resolves SECS reclaim vs. page fault for EAUG race

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	x86/sgx: Resolves SECS reclaim vs. page fault for EAUG race

	The SGX EPC reclaimer (ksgxd) may reclaim the SECS EPC page for an
	enclave and set secs.epc_page to NULL. The SECS page is used for EAUG
	and ELDU in the SGX page fault handler. However, the NULL check for
	secs.epc_page is only done for ELDU, not EAUG before being used.

	Fix this by doing the same NULL check and reloading of the SECS page as
	needed for both EAUG and ELDU.

	The SECS page holds global enclave metadata. It can only be reclaimed
	when there are no other enclave pages remaining. At that point,
	virtually nothing can be done with the enclave until the SECS page is
	paged back in.

	An enclave can not run nor generate page faults without a resident SECS
	page. But it is still possible for a #PF for a non-SECS page to race
	with paging out the SECS page: when the last resident non-SECS page A
	triggers a #PF in a non-resident page B, and then page A and the SECS
	both are paged out before the #PF on B is handled.

	Hitting this bug requires that race triggered with a #PF for EAUG.
	Following is a trace when it happens.

	BUG: kernel NULL pointer dereference, address: 0000000000000000
	RIP: 0010:sgx_encl_eaug_page+0xc7/0x210
	Call Trace:
	? __kmem_cache_alloc_node+0x16a/0x440
	? xa_load+0x6e/0xa0
	sgx_vma_fault+0x119/0x230
	__do_fault+0x36/0x140
	do_fault+0x12f/0x400
	__handle_mm_fault+0x728/0x1110
	handle_mm_fault+0x105/0x310
	do_user_addr_fault+0x1ee/0x750
	? __this_cpu_preempt_check+0x13/0x20
	exc_page_fault+0x76/0x180
	asm_exc_page_fault+0x27/0x30

	The Linux kernel CVE team has assigned CVE-2023-52568 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.0 with commit 5a90d2c3f5ef87717e54572af8426aba6fdbdaa6 and fixed in 6.1.56 with commit 811ba2ef0cb6402672e64ba1419d6ef95aa3405d
	Issue introduced in 6.0 with commit 5a90d2c3f5ef87717e54572af8426aba6fdbdaa6 and fixed in 6.5.6 with commit 1348f7f15d7c7798456856bee74a4235c2da994e
	Issue introduced in 6.0 with commit 5a90d2c3f5ef87717e54572af8426aba6fdbdaa6 and fixed in 6.6 with commit c6c2adcba50c2622ed25ba5d5e7f05f584711358

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2023-52568
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	arch/x86/kernel/cpu/sgx/encl.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/811ba2ef0cb6402672e64ba1419d6ef95aa3405d
	https://git.kernel.org/stable/c/1348f7f15d7c7798456856bee74a4235c2da994e
	https://git.kernel.org/stable/c/c6c2adcba50c2622ed25ba5d5e7f05f584711358