cve/published/2023/CVE-2023-52995.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2023-52995: riscv/kprobe: Fix instruction simulation of JALR

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 riscv/kprobe: Fix instruction simulation of JALR

 Set kprobe at 'jalr 1140(ra)' of vfs_write results in the following
 crash:

 [   32.092235] Unable to handle kernel access to user memory without uaccess routines at virtual address 00aaaaaad77b1170
 [   32.093115] Oops [#1]
 [   32.093251] Modules linked in:
 [   32.093626] CPU: 0 PID: 135 Comm: ftracetest Not tainted 6.2.0-rc2-00013-gb0aa5e5df0cb-dirty #16
 [   32.093985] Hardware name: riscv-virtio,qemu (DT)
 [   32.094280] epc : ksys_read+0x88/0xd6
 [   32.094855]  ra : ksys_read+0xc0/0xd6
 [   32.095016] epc : ffffffff801cda80 ra : ffffffff801cdab8 sp : ff20000000d7bdc0
 [   32.095227]  gp : ffffffff80f14000 tp : ff60000080f9cb40 t0 : ffffffff80f13e80
 [   32.095500]  t1 : ffffffff8000c29c t2 : ffffffff800dbc54 s0 : ff20000000d7be60
 [   32.095716]  s1 : 0000000000000000 a0 : ffffffff805a64ae a1 : ffffffff80a83708
 [   32.095921]  a2 : ffffffff80f160a0 a3 : 0000000000000000 a4 : f229b0afdb165300
 [   32.096171]  a5 : f229b0afdb165300 a6 : ffffffff80eeebd0 a7 : 00000000000003ff
 [   32.096411]  s2 : ff6000007ff76800 s3 : fffffffffffffff7 s4 : 00aaaaaad77b1170
 [   32.096638]  s5 : ffffffff80f160a0 s6 : ff6000007ff76800 s7 : 0000000000000030
 [   32.096865]  s8 : 00ffffffc3d97be0 s9 : 0000000000000007 s10: 00aaaaaad77c9410
 [   32.097092]  s11: 0000000000000000 t3 : ffffffff80f13e48 t4 : ffffffff8000c29c
 [   32.097317]  t5 : ffffffff8000c29c t6 : ffffffff800dbc54
 [   32.097505] status: 0000000200000120 badaddr: 00aaaaaad77b1170 cause: 000000000000000d
 [   32.098011] [<ffffffff801cdb72>] ksys_write+0x6c/0xd6
 [   32.098222] [<ffffffff801cdc06>] sys_write+0x2a/0x38
 [   32.098405] [<ffffffff80003c76>] ret_from_syscall+0x0/0x2

 Since the rs1 and rd might be the same one, such as 'jalr 1140(ra)',
 hence it requires obtaining the target address from rs1 followed by
 updating rd.

 [Palmer: Pick Guo's cleanup]

 The Linux kernel CVE team has assigned CVE-2023-52995 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.12 with commit c22b0bcb1dd024cb9caad9230e3a387d8b061df5 and fixed in 5.15.91 with commit 614471b7f7cd28a2c96ab9c90b37471c82258ffb
 	Issue introduced in 5.12 with commit c22b0bcb1dd024cb9caad9230e3a387d8b061df5 and fixed in 6.1.9 with commit f4c8fc775fcbc9e9047b22671c55ca18f9a127d4
 	Issue introduced in 5.12 with commit c22b0bcb1dd024cb9caad9230e3a387d8b061df5 and fixed in 6.2 with commit ca0254998be4d74cf6add70ccfab0d2dbd362a10

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2023-52995
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	arch/riscv/kernel/probes/simulate-insn.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/614471b7f7cd28a2c96ab9c90b37471c82258ffb
 	https://git.kernel.org/stable/c/f4c8fc775fcbc9e9047b22671c55ca18f9a127d4
 	https://git.kernel.org/stable/c/ca0254998be4d74cf6add70ccfab0d2dbd362a10
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2023-52995: riscv/kprobe: Fix instruction simulation of JALR

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	riscv/kprobe: Fix instruction simulation of JALR

	Set kprobe at 'jalr 1140(ra)' of vfs_write results in the following
	crash:

	[ 32.092235] Unable to handle kernel access to user memory without uaccess routines at virtual address 00aaaaaad77b1170
	[ 32.093115] Oops [#1]
	[ 32.093251] Modules linked in:
	[ 32.093626] CPU: 0 PID: 135 Comm: ftracetest Not tainted 6.2.0-rc2-00013-gb0aa5e5df0cb-dirty #16
	[ 32.093985] Hardware name: riscv-virtio,qemu (DT)
	[ 32.094280] epc : ksys_read+0x88/0xd6
	[ 32.094855] ra : ksys_read+0xc0/0xd6
	[ 32.095016] epc : ffffffff801cda80 ra : ffffffff801cdab8 sp : ff20000000d7bdc0
	[ 32.095227] gp : ffffffff80f14000 tp : ff60000080f9cb40 t0 : ffffffff80f13e80
	[ 32.095500] t1 : ffffffff8000c29c t2 : ffffffff800dbc54 s0 : ff20000000d7be60
	[ 32.095716] s1 : 0000000000000000 a0 : ffffffff805a64ae a1 : ffffffff80a83708
	[ 32.095921] a2 : ffffffff80f160a0 a3 : 0000000000000000 a4 : f229b0afdb165300
	[ 32.096171] a5 : f229b0afdb165300 a6 : ffffffff80eeebd0 a7 : 00000000000003ff
	[ 32.096411] s2 : ff6000007ff76800 s3 : fffffffffffffff7 s4 : 00aaaaaad77b1170
	[ 32.096638] s5 : ffffffff80f160a0 s6 : ff6000007ff76800 s7 : 0000000000000030
	[ 32.096865] s8 : 00ffffffc3d97be0 s9 : 0000000000000007 s10: 00aaaaaad77c9410
	[ 32.097092] s11: 0000000000000000 t3 : ffffffff80f13e48 t4 : ffffffff8000c29c
	[ 32.097317] t5 : ffffffff8000c29c t6 : ffffffff800dbc54
	[ 32.097505] status: 0000000200000120 badaddr: 00aaaaaad77b1170 cause: 000000000000000d
	[ 32.098011] [<ffffffff801cdb72>] ksys_write+0x6c/0xd6
	[ 32.098222] [<ffffffff801cdc06>] sys_write+0x2a/0x38
	[ 32.098405] [<ffffffff80003c76>] ret_from_syscall+0x0/0x2

	Since the rs1 and rd might be the same one, such as 'jalr 1140(ra)',
	hence it requires obtaining the target address from rs1 followed by
	updating rd.

	[Palmer: Pick Guo's cleanup]

	The Linux kernel CVE team has assigned CVE-2023-52995 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.12 with commit c22b0bcb1dd024cb9caad9230e3a387d8b061df5 and fixed in 5.15.91 with commit 614471b7f7cd28a2c96ab9c90b37471c82258ffb
	Issue introduced in 5.12 with commit c22b0bcb1dd024cb9caad9230e3a387d8b061df5 and fixed in 6.1.9 with commit f4c8fc775fcbc9e9047b22671c55ca18f9a127d4
	Issue introduced in 5.12 with commit c22b0bcb1dd024cb9caad9230e3a387d8b061df5 and fixed in 6.2 with commit ca0254998be4d74cf6add70ccfab0d2dbd362a10

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2023-52995
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	arch/riscv/kernel/probes/simulate-insn.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/614471b7f7cd28a2c96ab9c90b37471c82258ffb
	https://git.kernel.org/stable/c/f4c8fc775fcbc9e9047b22671c55ca18f9a127d4
	https://git.kernel.org/stable/c/ca0254998be4d74cf6add70ccfab0d2dbd362a10