cve/published/2023/CVE-2023-52761.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2023-52761: riscv: VMAP_STACK overflow detection thread-safe

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 riscv: VMAP_STACK overflow detection thread-safe

 commit 31da94c25aea ("riscv: add VMAP_STACK overflow detection") added
 support for CONFIG_VMAP_STACK. If overflow is detected, CPU switches to
 `shadow_stack` temporarily before switching finally to per-cpu
 `overflow_stack`.

 If two CPUs/harts are racing and end up in over flowing kernel stack, one
 or both will end up corrupting each other state because `shadow_stack` is
 not per-cpu. This patch optimizes per-cpu overflow stack switch by
 directly picking per-cpu `overflow_stack` and gets rid of `shadow_stack`.

 Following are the changes in this patch

  - Defines an asm macro to obtain per-cpu symbols in destination
    register.
  - In entry.S, when overflow is detected, per-cpu overflow stack is
    located using per-cpu asm macro. Computing per-cpu symbol requires
    a temporary register. x31 is saved away into CSR_SCRATCH
    (CSR_SCRATCH is anyways zero since we're in kernel).

 Please see Links for additional relevant disccussion and alternative
 solution.

 Tested by `echo EXHAUST_STACK > /sys/kernel/debug/provoke-crash/DIRECT`
 Kernel crash log below

  Insufficient stack space to handle exception!/debug/provoke-crash/DIRECT
  Task stack:     [0xff20000010a98000..0xff20000010a9c000]
  Overflow stack: [0xff600001f7d98370..0xff600001f7d99370]
  CPU: 1 PID: 205 Comm: bash Not tainted 6.1.0-rc2-00001-g328a1f96f7b9 #34
  Hardware name: riscv-virtio,qemu (DT)
  epc : __memset+0x60/0xfc
   ra : recursive_loop+0x48/0xc6 [lkdtm]
  epc : ffffffff808de0e4 ra : ffffffff0163a752 sp : ff20000010a97e80
   gp : ffffffff815c0330 tp : ff600000820ea280 t0 : ff20000010a97e88
   t1 : 000000000000002e t2 : 3233206874706564 s0 : ff20000010a982b0
   s1 : 0000000000000012 a0 : ff20000010a97e88 a1 : 0000000000000000
   a2 : 0000000000000400 a3 : ff20000010a98288 a4 : 0000000000000000
   a5 : 0000000000000000 a6 : fffffffffffe43f0 a7 : 00007fffffffffff
   s2 : ff20000010a97e88 s3 : ffffffff01644680 s4 : ff20000010a9be90
   s5 : ff600000842ba6c0 s6 : 00aaaaaac29e42b0 s7 : 00fffffff0aa3684
   s8 : 00aaaaaac2978040 s9 : 0000000000000065 s10: 00ffffff8a7cad10
   s11: 00ffffff8a76a4e0 t3 : ffffffff815dbaf4 t4 : ffffffff815dbaf4
   t5 : ffffffff815dbab8 t6 : ff20000010a9bb48
  status: 0000000200000120 badaddr: ff20000010a97e88 cause: 000000000000000f
  Kernel panic - not syncing: Kernel stack overflow
  CPU: 1 PID: 205 Comm: bash Not tainted 6.1.0-rc2-00001-g328a1f96f7b9 #34
  Hardware name: riscv-virtio,qemu (DT)
  Call Trace:
  [<ffffffff80006754>] dump_backtrace+0x30/0x38
  [<ffffffff808de798>] show_stack+0x40/0x4c
  [<ffffffff808ea2a8>] dump_stack_lvl+0x44/0x5c
  [<ffffffff808ea2d8>] dump_stack+0x18/0x20
  [<ffffffff808dec06>] panic+0x126/0x2fe
  [<ffffffff800065ea>] walk_stackframe+0x0/0xf0
  [<ffffffff0163a752>] recursive_loop+0x48/0xc6 [lkdtm]
  SMP: stopping secondary CPUs
  ---[ end Kernel panic - not syncing: Kernel stack overflow ]---

 The Linux kernel CVE team has assigned CVE-2023-52761 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.15 with commit 76d2a0493a17d4c8ecc781366850c3c4f8e1a446 and fixed in 6.5.13 with commit 1493baaf09e3c1899959c8a107cd1207e16d1788
 	Issue introduced in 4.15 with commit 76d2a0493a17d4c8ecc781366850c3c4f8e1a446 and fixed in 6.6.3 with commit eff53aea3855f71992c043cebb1c00988c17ee20
 	Issue introduced in 4.15 with commit 76d2a0493a17d4c8ecc781366850c3c4f8e1a446 and fixed in 6.7 with commit be97d0db5f44c0674480cb79ac6f5b0529b84c76

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2023-52761
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	arch/riscv/include/asm/asm-prototypes.h
 	arch/riscv/include/asm/asm.h
 	arch/riscv/include/asm/thread_info.h
 	arch/riscv/kernel/asm-offsets.c
 	arch/riscv/kernel/entry.S
 	arch/riscv/kernel/traps.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/1493baaf09e3c1899959c8a107cd1207e16d1788
 	https://git.kernel.org/stable/c/eff53aea3855f71992c043cebb1c00988c17ee20
 	https://git.kernel.org/stable/c/be97d0db5f44c0674480cb79ac6f5b0529b84c76
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2023-52761: riscv: VMAP_STACK overflow detection thread-safe

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	riscv: VMAP_STACK overflow detection thread-safe

	commit 31da94c25aea ("riscv: add VMAP_STACK overflow detection") added
	support for CONFIG_VMAP_STACK. If overflow is detected, CPU switches to
	`shadow_stack` temporarily before switching finally to per-cpu
	`overflow_stack`.

	If two CPUs/harts are racing and end up in over flowing kernel stack, one
	or both will end up corrupting each other state because `shadow_stack` is
	not per-cpu. This patch optimizes per-cpu overflow stack switch by
	directly picking per-cpu `overflow_stack` and gets rid of `shadow_stack`.

	Following are the changes in this patch

	- Defines an asm macro to obtain per-cpu symbols in destination
	register.
	- In entry.S, when overflow is detected, per-cpu overflow stack is
	located using per-cpu asm macro. Computing per-cpu symbol requires
	a temporary register. x31 is saved away into CSR_SCRATCH
	(CSR_SCRATCH is anyways zero since we're in kernel).

	Please see Links for additional relevant disccussion and alternative
	solution.

	Tested by `echo EXHAUST_STACK > /sys/kernel/debug/provoke-crash/DIRECT`
	Kernel crash log below

	Insufficient stack space to handle exception!/debug/provoke-crash/DIRECT
	Task stack: [0xff20000010a98000..0xff20000010a9c000]
	Overflow stack: [0xff600001f7d98370..0xff600001f7d99370]
	CPU: 1 PID: 205 Comm: bash Not tainted 6.1.0-rc2-00001-g328a1f96f7b9 #34
	Hardware name: riscv-virtio,qemu (DT)
	epc : __memset+0x60/0xfc
	ra : recursive_loop+0x48/0xc6 [lkdtm]
	epc : ffffffff808de0e4 ra : ffffffff0163a752 sp : ff20000010a97e80
	gp : ffffffff815c0330 tp : ff600000820ea280 t0 : ff20000010a97e88
	t1 : 000000000000002e t2 : 3233206874706564 s0 : ff20000010a982b0
	s1 : 0000000000000012 a0 : ff20000010a97e88 a1 : 0000000000000000
	a2 : 0000000000000400 a3 : ff20000010a98288 a4 : 0000000000000000
	a5 : 0000000000000000 a6 : fffffffffffe43f0 a7 : 00007fffffffffff
	s2 : ff20000010a97e88 s3 : ffffffff01644680 s4 : ff20000010a9be90
	s5 : ff600000842ba6c0 s6 : 00aaaaaac29e42b0 s7 : 00fffffff0aa3684
	s8 : 00aaaaaac2978040 s9 : 0000000000000065 s10: 00ffffff8a7cad10
	s11: 00ffffff8a76a4e0 t3 : ffffffff815dbaf4 t4 : ffffffff815dbaf4
	t5 : ffffffff815dbab8 t6 : ff20000010a9bb48
	status: 0000000200000120 badaddr: ff20000010a97e88 cause: 000000000000000f
	Kernel panic - not syncing: Kernel stack overflow
	CPU: 1 PID: 205 Comm: bash Not tainted 6.1.0-rc2-00001-g328a1f96f7b9 #34
	Hardware name: riscv-virtio,qemu (DT)
	Call Trace:
	[<ffffffff80006754>] dump_backtrace+0x30/0x38
	[<ffffffff808de798>] show_stack+0x40/0x4c
	[<ffffffff808ea2a8>] dump_stack_lvl+0x44/0x5c
	[<ffffffff808ea2d8>] dump_stack+0x18/0x20
	[<ffffffff808dec06>] panic+0x126/0x2fe
	[<ffffffff800065ea>] walk_stackframe+0x0/0xf0
	[<ffffffff0163a752>] recursive_loop+0x48/0xc6 [lkdtm]
	SMP: stopping secondary CPUs
	---[ end Kernel panic - not syncing: Kernel stack overflow ]---

	The Linux kernel CVE team has assigned CVE-2023-52761 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.15 with commit 76d2a0493a17d4c8ecc781366850c3c4f8e1a446 and fixed in 6.5.13 with commit 1493baaf09e3c1899959c8a107cd1207e16d1788
	Issue introduced in 4.15 with commit 76d2a0493a17d4c8ecc781366850c3c4f8e1a446 and fixed in 6.6.3 with commit eff53aea3855f71992c043cebb1c00988c17ee20
	Issue introduced in 4.15 with commit 76d2a0493a17d4c8ecc781366850c3c4f8e1a446 and fixed in 6.7 with commit be97d0db5f44c0674480cb79ac6f5b0529b84c76

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2023-52761
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	arch/riscv/include/asm/asm-prototypes.h
	arch/riscv/include/asm/asm.h
	arch/riscv/include/asm/thread_info.h
	arch/riscv/kernel/asm-offsets.c
	arch/riscv/kernel/entry.S
	arch/riscv/kernel/traps.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/1493baaf09e3c1899959c8a107cd1207e16d1788
	https://git.kernel.org/stable/c/eff53aea3855f71992c043cebb1c00988c17ee20
	https://git.kernel.org/stable/c/be97d0db5f44c0674480cb79ac6f5b0529b84c76