CVE-2023-52761 riscv: VMAP_STACK overflow detection thread-safe

2024-05-2115:30:47

Linux

github.com

linux kernel

vulnerability

riscv

vmap_stack

overflow

detection

thread-safe

cpu

stack

optimization

asm macro

per-cpu

kernel crash.

7 High

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

15.7%

JSON

In the Linux kernel, the following vulnerability has been resolved:

riscv: VMAP_STACK overflow detection thread-safe

commit 31da94c25aea (“riscv: add VMAP_STACK overflow detection”) added
support for CONFIG_VMAP_STACK. If overflow is detected, CPU switches to
shadow_stack temporarily before switching finally to per-cpu
overflow_stack.

If two CPUs/harts are racing and end up in over flowing kernel stack, one
or both will end up corrupting each other state because shadow_stack is
not per-cpu. This patch optimizes per-cpu overflow stack switch by
directly picking per-cpu overflow_stack and gets rid of shadow_stack.

Following are the changes in this patch

Defines an asm macro to obtain per-cpu symbols in destination
register.
In entry.S, when overflow is detected, per-cpu overflow stack is
located using per-cpu asm macro. Computing per-cpu symbol requires
a temporary register. x31 is saved away into CSR_SCRATCH
(CSR_SCRATCH is anyways zero since we’re in kernel).

Please see Links for additional relevant disccussion and alternative
solution.

Tested by echo EXHAUST_STACK > /sys/kernel/debug/provoke-crash/DIRECT
Kernel crash log below

Insufficient stack space to handle exception!/debug/provoke-crash/DIRECT
Task stack: [0xff20000010a98000…0xff20000010a9c000]
Overflow stack: [0xff600001f7d98370…0xff600001f7d99370]
CPU: 1 PID: 205 Comm: bash Not tainted 6.1.0-rc2-00001-g328a1f96f7b9 #34
Hardware name: riscv-virtio,qemu (DT)
epc : __memset+0x60/0xfc
ra : recursive_loop+0x48/0xc6 [lkdtm]
epc : ffffffff808de0e4 ra : ffffffff0163a752 sp : ff20000010a97e80
gp : ffffffff815c0330 tp : ff600000820ea280 t0 : ff20000010a97e88
t1 : 000000000000002e t2 : 3233206874706564 s0 : ff20000010a982b0
s1 : 0000000000000012 a0 : ff20000010a97e88 a1 : 0000000000000000
a2 : 0000000000000400 a3 : ff20000010a98288 a4 : 0000000000000000
a5 : 0000000000000000 a6 : fffffffffffe43f0 a7 : 00007fffffffffff
s2 : ff20000010a97e88 s3 : ffffffff01644680 s4 : ff20000010a9be90
s5 : ff600000842ba6c0 s6 : 00aaaaaac29e42b0 s7 : 00fffffff0aa3684
s8 : 00aaaaaac2978040 s9 : 0000000000000065 s10: 00ffffff8a7cad10
s11: 00ffffff8a76a4e0 t3 : ffffffff815dbaf4 t4 : ffffffff815dbaf4
t5 : ffffffff815dbab8 t6 : ff20000010a9bb48
status: 0000000200000120 badaddr: ff20000010a97e88 cause: 000000000000000f
Kernel panic - not syncing: Kernel stack overflow
CPU: 1 PID: 205 Comm: bash Not tainted 6.1.0-rc2-00001-g328a1f96f7b9 #34
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80006754>] dump_backtrace+0x30/0x38
[<ffffffff808de798>] show_stack+0x40/0x4c
[<ffffffff808ea2a8>] dump_stack_lvl+0x44/0x5c
[<ffffffff808ea2d8>] dump_stack+0x18/0x20
[<ffffffff808dec06>] panic+0x126/0x2fe
[<ffffffff800065ea>] walk_stackframe+0x0/0xf0
[<ffffffff0163a752>] recursive_loop+0x48/0xc6 [lkdtm]
SMP: stopping secondary CPUs
—[ end Kernel panic - not syncing: Kernel stack overflow ]—

CNA Affected

[
  {
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "vendor": "Linux",
    "product": "Linux",
    "versions": [
      {
        "status": "affected",
        "version": "1da177e4c3f4",
        "lessThan": "1493baaf09e3",
        "versionType": "git"
      },
      {
        "status": "affected",
        "version": "1da177e4c3f4",
        "lessThan": "eff53aea3855",
        "versionType": "git"
      },
      {
        "status": "affected",
        "version": "1da177e4c3f4",
        "lessThan": "be97d0db5f44",
        "versionType": "git"
      }
    ],
    "programFiles": [
      "arch/riscv/include/asm/asm-prototypes.h",
      "arch/riscv/include/asm/asm.h",
      "arch/riscv/include/asm/thread_info.h",
      "arch/riscv/kernel/asm-offsets.c",
      "arch/riscv/kernel/entry.S",
      "arch/riscv/kernel/traps.c"
    ],
    "defaultStatus": "unaffected"
  },
  {
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "vendor": "Linux",
    "product": "Linux",
    "versions": [
      {
        "status": "unaffected",
        "version": "6.5.13",
        "versionType": "custom",
        "lessThanOrEqual": "6.5.*"
      },
      {
        "status": "unaffected",
        "version": "6.6.3",
        "versionType": "custom",
        "lessThanOrEqual": "6.6.*"
      },
      {
        "status": "unaffected",
        "version": "6.7",
        "versionType": "original_commit_for_fix",
        "lessThanOrEqual": "*"
      }
    ],
    "programFiles": [
      "arch/riscv/include/asm/asm-prototypes.h",
      "arch/riscv/include/asm/asm.h",
      "arch/riscv/include/asm/thread_info.h",
      "arch/riscv/kernel/asm-offsets.c",
      "arch/riscv/kernel/entry.S",
      "arch/riscv/kernel/traps.c"
    ],
    "defaultStatus": "affected"
  }
]