cve/published/2023/CVE-2023-52761.json - pub/scm/linux/security/vulns - Git at Google

 {
    "containers": {
       "cna": {
          "providerMetadata": {
             "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
          },
          "descriptions": [
             {
                "lang": "en",
                "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: VMAP_STACK overflow detection thread-safe\n\ncommit 31da94c25aea (\"riscv: add VMAP_STACK overflow detection\") added\nsupport for CONFIG_VMAP_STACK. If overflow is detected, CPU switches to\n`shadow_stack` temporarily before switching finally to per-cpu\n`overflow_stack`.\n\nIf two CPUs/harts are racing and end up in over flowing kernel stack, one\nor both will end up corrupting each other state because `shadow_stack` is\nnot per-cpu. This patch optimizes per-cpu overflow stack switch by\ndirectly picking per-cpu `overflow_stack` and gets rid of `shadow_stack`.\n\nFollowing are the changes in this patch\n\n - Defines an asm macro to obtain per-cpu symbols in destination\n   register.\n - In entry.S, when overflow is detected, per-cpu overflow stack is\n   located using per-cpu asm macro. Computing per-cpu symbol requires\n   a temporary register. x31 is saved away into CSR_SCRATCH\n   (CSR_SCRATCH is anyways zero since we're in kernel).\n\nPlease see Links for additional relevant disccussion and alternative\nsolution.\n\nTested by `echo EXHAUST_STACK > /sys/kernel/debug/provoke-crash/DIRECT`\nKernel crash log below\n\n Insufficient stack space to handle exception!/debug/provoke-crash/DIRECT\n Task stack:     [0xff20000010a98000..0xff20000010a9c000]\n Overflow stack: [0xff600001f7d98370..0xff600001f7d99370]\n CPU: 1 PID: 205 Comm: bash Not tainted 6.1.0-rc2-00001-g328a1f96f7b9 #34\n Hardware name: riscv-virtio,qemu (DT)\n epc : __memset+0x60/0xfc\n  ra : recursive_loop+0x48/0xc6 [lkdtm]\n epc : ffffffff808de0e4 ra : ffffffff0163a752 sp : ff20000010a97e80\n  gp : ffffffff815c0330 tp : ff600000820ea280 t0 : ff20000010a97e88\n  t1 : 000000000000002e t2 : 3233206874706564 s0 : ff20000010a982b0\n  s1 : 0000000000000012 a0 : ff20000010a97e88 a1 : 0000000000000000\n  a2 : 0000000000000400 a3 : ff20000010a98288 a4 : 0000000000000000\n  a5 : 0000000000000000 a6 : fffffffffffe43f0 a7 : 00007fffffffffff\n  s2 : ff20000010a97e88 s3 : ffffffff01644680 s4 : ff20000010a9be90\n  s5 : ff600000842ba6c0 s6 : 00aaaaaac29e42b0 s7 : 00fffffff0aa3684\n  s8 : 00aaaaaac2978040 s9 : 0000000000000065 s10: 00ffffff8a7cad10\n  s11: 00ffffff8a76a4e0 t3 : ffffffff815dbaf4 t4 : ffffffff815dbaf4\n  t5 : ffffffff815dbab8 t6 : ff20000010a9bb48\n status: 0000000200000120 badaddr: ff20000010a97e88 cause: 000000000000000f\n Kernel panic - not syncing: Kernel stack overflow\n CPU: 1 PID: 205 Comm: bash Not tainted 6.1.0-rc2-00001-g328a1f96f7b9 #34\n Hardware name: riscv-virtio,qemu (DT)\n Call Trace:\n [<ffffffff80006754>] dump_backtrace+0x30/0x38\n [<ffffffff808de798>] show_stack+0x40/0x4c\n [<ffffffff808ea2a8>] dump_stack_lvl+0x44/0x5c\n [<ffffffff808ea2d8>] dump_stack+0x18/0x20\n [<ffffffff808dec06>] panic+0x126/0x2fe\n [<ffffffff800065ea>] walk_stackframe+0x0/0xf0\n [<ffffffff0163a752>] recursive_loop+0x48/0xc6 [lkdtm]\n SMP: stopping secondary CPUs\n ---[ end Kernel panic - not syncing: Kernel stack overflow ]---"
             }
          ],
          "affected": [
             {
                "product": "Linux",
                "vendor": "Linux",
                "defaultStatus": "unaffected",
                "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
                "programFiles": [
                   "arch/riscv/include/asm/asm-prototypes.h",
                   "arch/riscv/include/asm/asm.h",
                   "arch/riscv/include/asm/thread_info.h",
                   "arch/riscv/kernel/asm-offsets.c",
                   "arch/riscv/kernel/entry.S",
                   "arch/riscv/kernel/traps.c"
                ],
                "versions": [
                   {
                      "version": "76d2a0493a17d4c8ecc781366850c3c4f8e1a446",
                      "lessThan": "1493baaf09e3c1899959c8a107cd1207e16d1788",
                      "status": "affected",
                      "versionType": "git"
                   },
                   {
                      "version": "76d2a0493a17d4c8ecc781366850c3c4f8e1a446",
                      "lessThan": "eff53aea3855f71992c043cebb1c00988c17ee20",
                      "status": "affected",
                      "versionType": "git"
                   },
                   {
                      "version": "76d2a0493a17d4c8ecc781366850c3c4f8e1a446",
                      "lessThan": "be97d0db5f44c0674480cb79ac6f5b0529b84c76",
                      "status": "affected",
                      "versionType": "git"
                   }
                ]
             },
             {
                "product": "Linux",
                "vendor": "Linux",
                "defaultStatus": "affected",
                "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
                "programFiles": [
                   "arch/riscv/include/asm/asm-prototypes.h",
                   "arch/riscv/include/asm/asm.h",
                   "arch/riscv/include/asm/thread_info.h",
                   "arch/riscv/kernel/asm-offsets.c",
                   "arch/riscv/kernel/entry.S",
                   "arch/riscv/kernel/traps.c"
                ],
                "versions": [
                   {
                      "version": "4.15",
                      "status": "affected"
                   },
                   {
                      "version": "0",
                      "lessThan": "4.15",
                      "status": "unaffected",
                      "versionType": "semver"
                   },
                   {
                      "version": "6.5.13",
                      "lessThanOrEqual": "6.5.*",
                      "status": "unaffected",
                      "versionType": "semver"
                   },
                   {
                      "version": "6.6.3",
                      "lessThanOrEqual": "6.6.*",
                      "status": "unaffected",
                      "versionType": "semver"
                   },
                   {
                      "version": "6.7",
                      "lessThanOrEqual": "*",
                      "status": "unaffected",
                      "versionType": "original_commit_for_fix"
                   }
                ]
             }
          ],
          "cpeApplicability": [
             {
                "nodes": [
                   {
                      "operator": "OR",
                      "negate": false,
                      "cpeMatch": [
                         {
                            "vulnerable": true,
                            "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                            "versionStartIncluding": "4.15",
                            "versionEndExcluding": "6.5.13"
                         },
                         {
                            "vulnerable": true,
                            "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                            "versionStartIncluding": "4.15",
                            "versionEndExcluding": "6.6.3"
                         },
                         {
                            "vulnerable": true,
                            "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                            "versionStartIncluding": "4.15",
                            "versionEndExcluding": "6.7"
                         }
                      ]
                   }
                ]
             }
          ],
          "references": [
             {
                "url": "https://git.kernel.org/stable/c/1493baaf09e3c1899959c8a107cd1207e16d1788"
             },
             {
                "url": "https://git.kernel.org/stable/c/eff53aea3855f71992c043cebb1c00988c17ee20"
             },
             {
                "url": "https://git.kernel.org/stable/c/be97d0db5f44c0674480cb79ac6f5b0529b84c76"
             }
          ],
          "title": "riscv: VMAP_STACK overflow detection thread-safe",
          "x_generator": {
             "engine": "bippy-1.2.0"
          }
       }
    },
    "cveMetadata": {
       "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
       "cveID": "CVE-2023-52761",
       "requesterUserId": "gregkh@kernel.org",
       "serial": "1",
       "state": "PUBLISHED"
    },
    "dataType": "CVE_RECORD",
    "dataVersion": "5.0"
 }
	{
	"containers": {
	"cna": {
	"providerMetadata": {
	"orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
	},
	"descriptions": [
	{
	"lang": "en",
	"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: VMAP_STACK overflow detection thread-safe\n\ncommit 31da94c25aea (\"riscv: add VMAP_STACK overflow detection\") added\nsupport for CONFIG_VMAP_STACK. If overflow is detected, CPU switches to\n`shadow_stack` temporarily before switching finally to per-cpu\n`overflow_stack`.\n\nIf two CPUs/harts are racing and end up in over flowing kernel stack, one\nor both will end up corrupting each other state because `shadow_stack` is\nnot per-cpu. This patch optimizes per-cpu overflow stack switch by\ndirectly picking per-cpu `overflow_stack` and gets rid of `shadow_stack`.\n\nFollowing are the changes in this patch\n\n - Defines an asm macro to obtain per-cpu symbols in destination\n register.\n - In entry.S, when overflow is detected, per-cpu overflow stack is\n located using per-cpu asm macro. Computing per-cpu symbol requires\n a temporary register. x31 is saved away into CSR_SCRATCH\n (CSR_SCRATCH is anyways zero since we're in kernel).\n\nPlease see Links for additional relevant disccussion and alternative\nsolution.\n\nTested by `echo EXHAUST_STACK > /sys/kernel/debug/provoke-crash/DIRECT`\nKernel crash log below\n\n Insufficient stack space to handle exception!/debug/provoke-crash/DIRECT\n Task stack: [0xff20000010a98000..0xff20000010a9c000]\n Overflow stack: [0xff600001f7d98370..0xff600001f7d99370]\n CPU: 1 PID: 205 Comm: bash Not tainted 6.1.0-rc2-00001-g328a1f96f7b9 #34\n Hardware name: riscv-virtio,qemu (DT)\n epc : __memset+0x60/0xfc\n ra : recursive_loop+0x48/0xc6 [lkdtm]\n epc : ffffffff808de0e4 ra : ffffffff0163a752 sp : ff20000010a97e80\n gp : ffffffff815c0330 tp : ff600000820ea280 t0 : ff20000010a97e88\n t1 : 000000000000002e t2 : 3233206874706564 s0 : ff20000010a982b0\n s1 : 0000000000000012 a0 : ff20000010a97e88 a1 : 0000000000000000\n a2 : 0000000000000400 a3 : ff20000010a98288 a4 : 0000000000000000\n a5 : 0000000000000000 a6 : fffffffffffe43f0 a7 : 00007fffffffffff\n s2 : ff20000010a97e88 s3 : ffffffff01644680 s4 : ff20000010a9be90\n s5 : ff600000842ba6c0 s6 : 00aaaaaac29e42b0 s7 : 00fffffff0aa3684\n s8 : 00aaaaaac2978040 s9 : 0000000000000065 s10: 00ffffff8a7cad10\n s11: 00ffffff8a76a4e0 t3 : ffffffff815dbaf4 t4 : ffffffff815dbaf4\n t5 : ffffffff815dbab8 t6 : ff20000010a9bb48\n status: 0000000200000120 badaddr: ff20000010a97e88 cause: 000000000000000f\n Kernel panic - not syncing: Kernel stack overflow\n CPU: 1 PID: 205 Comm: bash Not tainted 6.1.0-rc2-00001-g328a1f96f7b9 #34\n Hardware name: riscv-virtio,qemu (DT)\n Call Trace:\n [<ffffffff80006754>] dump_backtrace+0x30/0x38\n [<ffffffff808de798>] show_stack+0x40/0x4c\n [<ffffffff808ea2a8>] dump_stack_lvl+0x44/0x5c\n [<ffffffff808ea2d8>] dump_stack+0x18/0x20\n [<ffffffff808dec06>] panic+0x126/0x2fe\n [<ffffffff800065ea>] walk_stackframe+0x0/0xf0\n [<ffffffff0163a752>] recursive_loop+0x48/0xc6 [lkdtm]\n SMP: stopping secondary CPUs\n ---[ end Kernel panic - not syncing: Kernel stack overflow ]---"
	}
	],
	"affected": [
	{
	"product": "Linux",
	"vendor": "Linux",
	"defaultStatus": "unaffected",
	"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
	"programFiles": [
	"arch/riscv/include/asm/asm-prototypes.h",
	"arch/riscv/include/asm/asm.h",
	"arch/riscv/include/asm/thread_info.h",
	"arch/riscv/kernel/asm-offsets.c",
	"arch/riscv/kernel/entry.S",
	"arch/riscv/kernel/traps.c"
	],
	"versions": [
	{
	"version": "76d2a0493a17d4c8ecc781366850c3c4f8e1a446",
	"lessThan": "1493baaf09e3c1899959c8a107cd1207e16d1788",
	"status": "affected",
	"versionType": "git"
	},
	{
	"version": "76d2a0493a17d4c8ecc781366850c3c4f8e1a446",
	"lessThan": "eff53aea3855f71992c043cebb1c00988c17ee20",
	"status": "affected",
	"versionType": "git"
	},
	{
	"version": "76d2a0493a17d4c8ecc781366850c3c4f8e1a446",
	"lessThan": "be97d0db5f44c0674480cb79ac6f5b0529b84c76",
	"status": "affected",
	"versionType": "git"
	}
	]
	},
	{
	"product": "Linux",
	"vendor": "Linux",
	"defaultStatus": "affected",
	"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
	"programFiles": [
	"arch/riscv/include/asm/asm-prototypes.h",
	"arch/riscv/include/asm/asm.h",
	"arch/riscv/include/asm/thread_info.h",
	"arch/riscv/kernel/asm-offsets.c",
	"arch/riscv/kernel/entry.S",
	"arch/riscv/kernel/traps.c"
	],
	"versions": [
	{
	"version": "4.15",
	"status": "affected"
	},
	{
	"version": "0",
	"lessThan": "4.15",
	"status": "unaffected",
	"versionType": "semver"
	},
	{
	"version": "6.5.13",
	"lessThanOrEqual": "6.5.*",
	"status": "unaffected",
	"versionType": "semver"
	},
	{
	"version": "6.6.3",
	"lessThanOrEqual": "6.6.*",
	"status": "unaffected",
	"versionType": "semver"
	},
	{
	"version": "6.7",
	"lessThanOrEqual": "*",
	"status": "unaffected",
	"versionType": "original_commit_for_fix"
	}
	]
	}
	],
	"cpeApplicability": [
	{
	"nodes": [
	{
	"operator": "OR",
	"negate": false,
	"cpeMatch": [
	{
	"vulnerable": true,
	"criteria": "cpe:2.3:o:linux:linux_kernel::::::::",
	"versionStartIncluding": "4.15",
	"versionEndExcluding": "6.5.13"
	},
	{
	"vulnerable": true,
	"criteria": "cpe:2.3:o:linux:linux_kernel::::::::",
	"versionStartIncluding": "4.15",
	"versionEndExcluding": "6.6.3"
	},
	{
	"vulnerable": true,
	"criteria": "cpe:2.3:o:linux:linux_kernel::::::::",
	"versionStartIncluding": "4.15",
	"versionEndExcluding": "6.7"
	}
	]
	}
	]
	}
	],
	"references": [
	{
	"url": "https://git.kernel.org/stable/c/1493baaf09e3c1899959c8a107cd1207e16d1788"
	},
	{
	"url": "https://git.kernel.org/stable/c/eff53aea3855f71992c043cebb1c00988c17ee20"
	},
	{
	"url": "https://git.kernel.org/stable/c/be97d0db5f44c0674480cb79ac6f5b0529b84c76"
	}
	],
	"title": "riscv: VMAP_STACK overflow detection thread-safe",
	"x_generator": {
	"engine": "bippy-1.2.0"
	}
	}
	},
	"cveMetadata": {
	"assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
	"cveID": "CVE-2023-52761",
	"requesterUserId": "gregkh@kernel.org",
	"serial": "1",
	"state": "PUBLISHED"
	},
	"dataType": "CVE_RECORD",
	"dataVersion": "5.0"
	}