cve/published/2023/CVE-2023-53135.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-1.1.0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@kernel.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2023-53135: riscv: Use READ_ONCE_NOCHECK in imprecise unwinding stack mode

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 riscv: Use READ_ONCE_NOCHECK in imprecise unwinding stack mode

 When CONFIG_FRAME_POINTER is unset, the stack unwinding function
 walk_stackframe randomly reads the stack and then, when KASAN is enabled,
 it can lead to the following backtrace:

 [    0.000000] ==================================================================
 [    0.000000] BUG: KASAN: stack-out-of-bounds in walk_stackframe+0xa6/0x11a
 [    0.000000] Read of size 8 at addr ffffffff81807c40 by task swapper/0
 [    0.000000]
 [    0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 6.2.0-12919-g24203e6db61f #43
 [    0.000000] Hardware name: riscv-virtio,qemu (DT)
 [    0.000000] Call Trace:
 [    0.000000] [<ffffffff80007ba8>] walk_stackframe+0x0/0x11a
 [    0.000000] [<ffffffff80099ecc>] init_param_lock+0x26/0x2a
 [    0.000000] [<ffffffff80007c4a>] walk_stackframe+0xa2/0x11a
 [    0.000000] [<ffffffff80c49c80>] dump_stack_lvl+0x22/0x36
 [    0.000000] [<ffffffff80c3783e>] print_report+0x198/0x4a8
 [    0.000000] [<ffffffff80099ecc>] init_param_lock+0x26/0x2a
 [    0.000000] [<ffffffff80007c4a>] walk_stackframe+0xa2/0x11a
 [    0.000000] [<ffffffff8015f68a>] kasan_report+0x9a/0xc8
 [    0.000000] [<ffffffff80007c4a>] walk_stackframe+0xa2/0x11a
 [    0.000000] [<ffffffff80007c4a>] walk_stackframe+0xa2/0x11a
 [    0.000000] [<ffffffff8006e99c>] desc_make_final+0x80/0x84
 [    0.000000] [<ffffffff8009a04e>] stack_trace_save+0x88/0xa6
 [    0.000000] [<ffffffff80099fc2>] filter_irq_stacks+0x72/0x76
 [    0.000000] [<ffffffff8006b95e>] devkmsg_read+0x32a/0x32e
 [    0.000000] [<ffffffff8015ec16>] kasan_save_stack+0x28/0x52
 [    0.000000] [<ffffffff8006e998>] desc_make_final+0x7c/0x84
 [    0.000000] [<ffffffff8009a04a>] stack_trace_save+0x84/0xa6
 [    0.000000] [<ffffffff8015ec52>] kasan_set_track+0x12/0x20
 [    0.000000] [<ffffffff8015f22e>] __kasan_slab_alloc+0x58/0x5e
 [    0.000000] [<ffffffff8015e7ea>] __kmem_cache_create+0x21e/0x39a
 [    0.000000] [<ffffffff80e133ac>] create_boot_cache+0x70/0x9c
 [    0.000000] [<ffffffff80e17ab2>] kmem_cache_init+0x6c/0x11e
 [    0.000000] [<ffffffff80e00fd6>] mm_init+0xd8/0xfe
 [    0.000000] [<ffffffff80e011d8>] start_kernel+0x190/0x3ca
 [    0.000000]
 [    0.000000] The buggy address belongs to stack of task swapper/0
 [    0.000000]  and is located at offset 0 in frame:
 [    0.000000]  stack_trace_save+0x0/0xa6
 [    0.000000]
 [    0.000000] This frame has 1 object:
 [    0.000000]  [32, 56) 'c'
 [    0.000000]
 [    0.000000] The buggy address belongs to the physical page:
 [    0.000000] page:(____ptrval____) refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x81a07
 [    0.000000] flags: 0x1000(reserved|zone=0)
 [    0.000000] raw: 0000000000001000 ff600003f1e3d150 ff600003f1e3d150 0000000000000000
 [    0.000000] raw: 0000000000000000 0000000000000000 00000001ffffffff
 [    0.000000] page dumped because: kasan: bad access detected
 [    0.000000]
 [    0.000000] Memory state around the buggy address:
 [    0.000000]  ffffffff81807b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 [    0.000000]  ffffffff81807b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 [    0.000000] >ffffffff81807c00: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 f3
 [    0.000000]                                            ^
 [    0.000000]  ffffffff81807c80: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
 [    0.000000]  ffffffff81807d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 [    0.000000] ==================================================================

 Fix that by using READ_ONCE_NOCHECK when reading the stack in imprecise
 mode.

 The Linux kernel CVE team has assigned CVE-2023-53135 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.15 with commit 5d8544e2d0075a5f3c9a2cf27152354d54360da1 and fixed in 5.4.237 with commit a99a61d9e1bfca2fc37d223a6a185c0eb66aba02
 	Issue introduced in 4.15 with commit 5d8544e2d0075a5f3c9a2cf27152354d54360da1 and fixed in 5.10.175 with commit 3de277af481ab931fab9e295ad8762692920732a
 	Issue introduced in 4.15 with commit 5d8544e2d0075a5f3c9a2cf27152354d54360da1 and fixed in 5.15.103 with commit 3a9418d2c93c1c86ce4d0595112d91c7a8e70c2c
 	Issue introduced in 4.15 with commit 5d8544e2d0075a5f3c9a2cf27152354d54360da1 and fixed in 6.1.20 with commit 324912d6c0c4006711054d389faa2239c1655e1e
 	Issue introduced in 4.15 with commit 5d8544e2d0075a5f3c9a2cf27152354d54360da1 and fixed in 6.2.7 with commit 17fa90ffba20743c946920fbb0afe160d0ead8c9
 	Issue introduced in 4.15 with commit 5d8544e2d0075a5f3c9a2cf27152354d54360da1 and fixed in 6.3 with commit 76950340cf03b149412fe0d5f0810e52ac1df8cb

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2023-53135
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	arch/riscv/kernel/stacktrace.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/a99a61d9e1bfca2fc37d223a6a185c0eb66aba02
 	https://git.kernel.org/stable/c/3de277af481ab931fab9e295ad8762692920732a
 	https://git.kernel.org/stable/c/3a9418d2c93c1c86ce4d0595112d91c7a8e70c2c
 	https://git.kernel.org/stable/c/324912d6c0c4006711054d389faa2239c1655e1e
 	https://git.kernel.org/stable/c/17fa90ffba20743c946920fbb0afe160d0ead8c9
 	https://git.kernel.org/stable/c/76950340cf03b149412fe0d5f0810e52ac1df8cb
	From bippy-1.1.0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@kernel.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2023-53135: riscv: Use READ_ONCE_NOCHECK in imprecise unwinding stack mode

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	riscv: Use READ_ONCE_NOCHECK in imprecise unwinding stack mode

	When CONFIG_FRAME_POINTER is unset, the stack unwinding function
	walk_stackframe randomly reads the stack and then, when KASAN is enabled,
	it can lead to the following backtrace:

	[ 0.000000] ==================================================================
	[ 0.000000] BUG: KASAN: stack-out-of-bounds in walk_stackframe+0xa6/0x11a
	[ 0.000000] Read of size 8 at addr ffffffff81807c40 by task swapper/0
	[ 0.000000]
	[ 0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 6.2.0-12919-g24203e6db61f #43
	[ 0.000000] Hardware name: riscv-virtio,qemu (DT)
	[ 0.000000] Call Trace:
	[ 0.000000] [<ffffffff80007ba8>] walk_stackframe+0x0/0x11a
	[ 0.000000] [<ffffffff80099ecc>] init_param_lock+0x26/0x2a
	[ 0.000000] [<ffffffff80007c4a>] walk_stackframe+0xa2/0x11a
	[ 0.000000] [<ffffffff80c49c80>] dump_stack_lvl+0x22/0x36
	[ 0.000000] [<ffffffff80c3783e>] print_report+0x198/0x4a8
	[ 0.000000] [<ffffffff80099ecc>] init_param_lock+0x26/0x2a
	[ 0.000000] [<ffffffff80007c4a>] walk_stackframe+0xa2/0x11a
	[ 0.000000] [<ffffffff8015f68a>] kasan_report+0x9a/0xc8
	[ 0.000000] [<ffffffff80007c4a>] walk_stackframe+0xa2/0x11a
	[ 0.000000] [<ffffffff80007c4a>] walk_stackframe+0xa2/0x11a
	[ 0.000000] [<ffffffff8006e99c>] desc_make_final+0x80/0x84
	[ 0.000000] [<ffffffff8009a04e>] stack_trace_save+0x88/0xa6
	[ 0.000000] [<ffffffff80099fc2>] filter_irq_stacks+0x72/0x76
	[ 0.000000] [<ffffffff8006b95e>] devkmsg_read+0x32a/0x32e
	[ 0.000000] [<ffffffff8015ec16>] kasan_save_stack+0x28/0x52
	[ 0.000000] [<ffffffff8006e998>] desc_make_final+0x7c/0x84
	[ 0.000000] [<ffffffff8009a04a>] stack_trace_save+0x84/0xa6
	[ 0.000000] [<ffffffff8015ec52>] kasan_set_track+0x12/0x20
	[ 0.000000] [<ffffffff8015f22e>] __kasan_slab_alloc+0x58/0x5e
	[ 0.000000] [<ffffffff8015e7ea>] __kmem_cache_create+0x21e/0x39a
	[ 0.000000] [<ffffffff80e133ac>] create_boot_cache+0x70/0x9c
	[ 0.000000] [<ffffffff80e17ab2>] kmem_cache_init+0x6c/0x11e
	[ 0.000000] [<ffffffff80e00fd6>] mm_init+0xd8/0xfe
	[ 0.000000] [<ffffffff80e011d8>] start_kernel+0x190/0x3ca
	[ 0.000000]
	[ 0.000000] The buggy address belongs to stack of task swapper/0
	[ 0.000000] and is located at offset 0 in frame:
	[ 0.000000] stack_trace_save+0x0/0xa6
	[ 0.000000]
	[ 0.000000] This frame has 1 object:
	[ 0.000000] [32, 56) 'c'
	[ 0.000000]
	[ 0.000000] The buggy address belongs to the physical page:
	[ 0.000000] page:(____ptrval____) refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x81a07
	[ 0.000000] flags: 0x1000(reserved\|zone=0)
	[ 0.000000] raw: 0000000000001000 ff600003f1e3d150 ff600003f1e3d150 0000000000000000
	[ 0.000000] raw: 0000000000000000 0000000000000000 00000001ffffffff
	[ 0.000000] page dumped because: kasan: bad access detected
	[ 0.000000]
	[ 0.000000] Memory state around the buggy address:
	[ 0.000000] ffffffff81807b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
	[ 0.000000] ffffffff81807b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
	[ 0.000000] >ffffffff81807c00: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 f3
	[ 0.000000] ^
	[ 0.000000] ffffffff81807c80: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
	[ 0.000000] ffffffff81807d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
	[ 0.000000] ==================================================================

	Fix that by using READ_ONCE_NOCHECK when reading the stack in imprecise
	mode.

	The Linux kernel CVE team has assigned CVE-2023-53135 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.15 with commit 5d8544e2d0075a5f3c9a2cf27152354d54360da1 and fixed in 5.4.237 with commit a99a61d9e1bfca2fc37d223a6a185c0eb66aba02
	Issue introduced in 4.15 with commit 5d8544e2d0075a5f3c9a2cf27152354d54360da1 and fixed in 5.10.175 with commit 3de277af481ab931fab9e295ad8762692920732a
	Issue introduced in 4.15 with commit 5d8544e2d0075a5f3c9a2cf27152354d54360da1 and fixed in 5.15.103 with commit 3a9418d2c93c1c86ce4d0595112d91c7a8e70c2c
	Issue introduced in 4.15 with commit 5d8544e2d0075a5f3c9a2cf27152354d54360da1 and fixed in 6.1.20 with commit 324912d6c0c4006711054d389faa2239c1655e1e
	Issue introduced in 4.15 with commit 5d8544e2d0075a5f3c9a2cf27152354d54360da1 and fixed in 6.2.7 with commit 17fa90ffba20743c946920fbb0afe160d0ead8c9
	Issue introduced in 4.15 with commit 5d8544e2d0075a5f3c9a2cf27152354d54360da1 and fixed in 6.3 with commit 76950340cf03b149412fe0d5f0810e52ac1df8cb

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2023-53135
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	arch/riscv/kernel/stacktrace.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/a99a61d9e1bfca2fc37d223a6a185c0eb66aba02
	https://git.kernel.org/stable/c/3de277af481ab931fab9e295ad8762692920732a
	https://git.kernel.org/stable/c/3a9418d2c93c1c86ce4d0595112d91c7a8e70c2c
	https://git.kernel.org/stable/c/324912d6c0c4006711054d389faa2239c1655e1e
	https://git.kernel.org/stable/c/17fa90ffba20743c946920fbb0afe160d0ead8c9
	https://git.kernel.org/stable/c/76950340cf03b149412fe0d5f0810e52ac1df8cb