{ "containers": { "cna": { "providerMetadata": { "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038" }, "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: VMAP_STACK overflow detection thread-safe\n\ncommit 31da94c25aea (\"riscv: add VMAP_STACK overflow detection\") added\nsupport for CONFIG_VMAP_STACK. If overflow is detected, CPU switches to\n`shadow_stack` temporarily before switching finally to per-cpu\n`overflow_stack`.\n\nIf two CPUs/harts are racing and end up in over flowing kernel stack, one\nor both will end up corrupting each other state because `shadow_stack` is\nnot per-cpu. This patch optimizes per-cpu overflow stack switch by\ndirectly picking per-cpu `overflow_stack` and gets rid of `shadow_stack`.\n\nFollowing are the changes in this patch\n\n - Defines an asm macro to obtain per-cpu symbols in destination\n register.\n - In entry.S, when overflow is detected, per-cpu overflow stack is\n located using per-cpu asm macro. Computing per-cpu symbol requires\n a temporary register. x31 is saved away into CSR_SCRATCH\n (CSR_SCRATCH is anyways zero since we're in kernel).\n\nPlease see Links for additional relevant disccussion and alternative\nsolution.\n\nTested by `echo EXHAUST_STACK > /sys/kernel/debug/provoke-crash/DIRECT`\nKernel crash log below\n\n Insufficient stack space to handle exception!/debug/provoke-crash/DIRECT\n Task stack: [0xff20000010a98000..0xff20000010a9c000]\n Overflow stack: [0xff600001f7d98370..0xff600001f7d99370]\n CPU: 1 PID: 205 Comm: bash Not tainted 6.1.0-rc2-00001-g328a1f96f7b9 #34\n Hardware name: riscv-virtio,qemu (DT)\n epc : __memset+0x60/0xfc\n ra : recursive_loop+0x48/0xc6 [lkdtm]\n epc : ffffffff808de0e4 ra : ffffffff0163a752 sp : ff20000010a97e80\n gp : ffffffff815c0330 tp : ff600000820ea280 t0 : ff20000010a97e88\n t1 : 000000000000002e t2 : 3233206874706564 s0 : ff20000010a982b0\n s1 : 0000000000000012 a0 : ff20000010a97e88 a1 : 0000000000000000\n a2 : 0000000000000400 a3 : ff20000010a98288 a4 : 0000000000000000\n a5 : 0000000000000000 a6 : fffffffffffe43f0 a7 : 00007fffffffffff\n s2 : ff20000010a97e88 s3 : ffffffff01644680 s4 : ff20000010a9be90\n s5 : ff600000842ba6c0 s6 : 00aaaaaac29e42b0 s7 : 00fffffff0aa3684\n s8 : 00aaaaaac2978040 s9 : 0000000000000065 s10: 00ffffff8a7cad10\n s11: 00ffffff8a76a4e0 t3 : ffffffff815dbaf4 t4 : ffffffff815dbaf4\n t5 : ffffffff815dbab8 t6 : ff20000010a9bb48\n status: 0000000200000120 badaddr: ff20000010a97e88 cause: 000000000000000f\n Kernel panic - not syncing: Kernel stack overflow\n CPU: 1 PID: 205 Comm: bash Not tainted 6.1.0-rc2-00001-g328a1f96f7b9 #34\n Hardware name: riscv-virtio,qemu (DT)\n Call Trace:\n [] dump_backtrace+0x30/0x38\n [] show_stack+0x40/0x4c\n [] dump_stack_lvl+0x44/0x5c\n [] dump_stack+0x18/0x20\n [] panic+0x126/0x2fe\n [] walk_stackframe+0x0/0xf0\n [] recursive_loop+0x48/0xc6 [lkdtm]\n SMP: stopping secondary CPUs\n ---[ end Kernel panic - not syncing: Kernel stack overflow ]---" } ], "affected": [ { "product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": [ "arch/riscv/include/asm/asm-prototypes.h", "arch/riscv/include/asm/asm.h", "arch/riscv/include/asm/thread_info.h", "arch/riscv/kernel/asm-offsets.c", "arch/riscv/kernel/entry.S", "arch/riscv/kernel/traps.c" ], "versions": [ { "version": "1da177e4c3f4", "lessThan": "1493baaf09e3", "status": "affected", "versionType": "git" }, { "version": "1da177e4c3f4", "lessThan": "eff53aea3855", "status": "affected", "versionType": "git" }, { "version": "1da177e4c3f4", "lessThan": "be97d0db5f44", "status": "affected", "versionType": "git" } ] }, { "product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": [ "arch/riscv/include/asm/asm-prototypes.h", "arch/riscv/include/asm/asm.h", "arch/riscv/include/asm/thread_info.h", "arch/riscv/kernel/asm-offsets.c", "arch/riscv/kernel/entry.S", "arch/riscv/kernel/traps.c" ], "versions": [ { "version": "6.5.13", "lessThanOrEqual": "6.5.*", "status": "unaffected", "versionType": "custom" }, { "version": "6.6.3", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "custom" }, { "version": "6.7", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix" } ] } ], "references": [ { "url": "https://git.kernel.org/stable/c/1493baaf09e3c1899959c8a107cd1207e16d1788" }, { "url": "https://git.kernel.org/stable/c/eff53aea3855f71992c043cebb1c00988c17ee20" }, { "url": "https://git.kernel.org/stable/c/be97d0db5f44c0674480cb79ac6f5b0529b84c76" } ], "title": "riscv: VMAP_STACK overflow detection thread-safe", "x_generator": { "engine": "bippy-a5840b7849dd" } } }, "cveMetadata": { "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038", "cveID": "CVE-2023-52761", "requesterUserId": "gregkh@kernel.org", "serial": "1", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.0" }