In the Linux kernel, the following vulnerability has been resolved: riscv:
VMAP_STACK overflow detection thread-safe commit 31da94c25aea (“riscv: add
VMAP_STACK overflow detection”) added support for CONFIG_VMAP_STACK. If
overflow is detected, CPU switches to shadow_stack
temporarily before
switching finally to per-cpu overflow_stack
. If two CPUs/harts are racing
and end up in over flowing kernel stack, one or both will end up corrupting
each other state because shadow_stack
is not per-cpu. This patch
optimizes per-cpu overflow stack switch by directly picking per-cpu
overflow_stack
and gets rid of shadow_stack
. Following are the changes
in this patch - Defines an asm macro to obtain per-cpu symbols in
destination register. - In entry.S, when overflow is detected, per-cpu
overflow stack is located using per-cpu asm macro. Computing per-cpu symbol
requires a temporary register. x31 is saved away into CSR_SCRATCH
(CSR_SCRATCH is anyways zero since we’re in kernel). Please see Links for
additional relevant disccussion and alternative solution. Tested by echo EXHAUST_STACK > /sys/kernel/debug/provoke-crash/DIRECT
Kernel crash log
below Insufficient stack space to handle
exception!/debug/provoke-crash/DIRECT Task stack:
[0xff20000010a98000…0xff20000010a9c000] Overflow stack:
[0xff600001f7d98370…0xff600001f7d99370] CPU: 1 PID: 205 Comm: bash Not
tainted 6.1.0-rc2-00001-g328a1f96f7b9 #34 Hardware name: riscv-virtio,qemu
(DT) epc : __memset+0x60/0xfc ra : recursive_loop+0x48/0xc6 [lkdtm] epc :
ffffffff808de0e4 ra : ffffffff0163a752 sp : ff20000010a97e80 gp :
ffffffff815c0330 tp : ff600000820ea280 t0 : ff20000010a97e88 t1 :
000000000000002e t2 : 3233206874706564 s0 : ff20000010a982b0 s1 :
0000000000000012 a0 : ff20000010a97e88 a1 : 0000000000000000 a2 :
0000000000000400 a3 : ff20000010a98288 a4 : 0000000000000000 a5 :
0000000000000000 a6 : fffffffffffe43f0 a7 : 00007fffffffffff s2 :
ff20000010a97e88 s3 : ffffffff01644680 s4 : ff20000010a9be90 s5 :
ff600000842ba6c0 s6 : 00aaaaaac29e42b0 s7 : 00fffffff0aa3684 s8 :
00aaaaaac2978040 s9 : 0000000000000065 s10: 00ffffff8a7cad10 s11:
00ffffff8a76a4e0 t3 : ffffffff815dbaf4 t4 : ffffffff815dbaf4 t5 :
ffffffff815dbab8 t6 : ff20000010a9bb48 status: 0000000200000120 badaddr:
ff20000010a97e88 cause: 000000000000000f Kernel panic - not syncing: Kernel
stack overflow CPU: 1 PID: 205 Comm: bash Not tainted
6.1.0-rc2-00001-g328a1f96f7b9 #34 Hardware name: riscv-virtio,qemu (DT)
Call Trace: [<ffffffff80006754>] dump_backtrace+0x30/0x38
[<ffffffff808de798>] show_stack+0x40/0x4c [<ffffffff808ea2a8>]
dump_stack_lvl+0x44/0x5c [<ffffffff808ea2d8>] dump_stack+0x18/0x20
[<ffffffff808dec06>] panic+0x126/0x2fe [<ffffffff800065ea>]
walk_stackframe+0x0/0xf0 [<ffffffff0163a752>] recursive_loop+0x48/0xc6
[lkdtm] SMP: stopping secondary CPUs —[ end Kernel panic - not syncing:
Kernel stack overflow ]—
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 23.10 | noarch | linux | < any | UNKNOWN |
ubuntu | 24.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 14.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 16.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 18.04 | noarch | linux-aws | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-aws | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux-aws | < any | UNKNOWN |
git.kernel.org/linus/be97d0db5f44c0674480cb79ac6f5b0529b84c76 (6.7-rc1)
git.kernel.org/stable/c/1493baaf09e3c1899959c8a107cd1207e16d1788
git.kernel.org/stable/c/be97d0db5f44c0674480cb79ac6f5b0529b84c76
git.kernel.org/stable/c/eff53aea3855f71992c043cebb1c00988c17ee20
launchpad.net/bugs/cve/CVE-2023-52761
nvd.nist.gov/vuln/detail/CVE-2023-52761
security-tracker.debian.org/tracker/CVE-2023-52761
www.cve.org/CVERecord?id=CVE-2023-52761