CVE-2023-52761

riscv: VMAP_STACK overflow detection thread-safe

Severity Score

"-"

*CVSS v-

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

riscv: VMAP_STACK overflow detection thread-safe

commit 31da94c25aea ("riscv: add VMAP_STACK overflow detection") added
support for CONFIG_VMAP_STACK. If overflow is detected, CPU switches to
`shadow_stack` temporarily before switching finally to per-cpu
`overflow_stack`.

If two CPUs/harts are racing and end up in over flowing kernel stack, one
or both will end up corrupting each other state because `shadow_stack` is
not per-cpu. This patch optimizes per-cpu overflow stack switch by
directly picking per-cpu `overflow_stack` and gets rid of `shadow_stack`.

Following are the changes in this patch

- Defines an asm macro to obtain per-cpu symbols in destination
register.
- In entry.S, when overflow is detected, per-cpu overflow stack is
located using per-cpu asm macro. Computing per-cpu symbol requires
a temporary register. x31 is saved away into CSR_SCRATCH
(CSR_SCRATCH is anyways zero since we're in kernel).

Please see Links for additional relevant disccussion and alternative
solution.

Tested by `echo EXHAUST_STACK > /sys/kernel/debug/provoke-crash/DIRECT`
Kernel crash log below

Insufficient stack space to handle exception!/debug/provoke-crash/DIRECT
Task stack: [0xff20000010a98000..0xff20000010a9c000]
Overflow stack: [0xff600001f7d98370..0xff600001f7d99370]
CPU: 1 PID: 205 Comm: bash Not tainted 6.1.0-rc2-00001-g328a1f96f7b9 #34
Hardware name: riscv-virtio,qemu (DT)
epc : __memset+0x60/0xfc
ra : recursive_loop+0x48/0xc6 [lkdtm]
epc : ffffffff808de0e4 ra : ffffffff0163a752 sp : ff20000010a97e80
gp : ffffffff815c0330 tp : ff600000820ea280 t0 : ff20000010a97e88
t1 : 000000000000002e t2 : 3233206874706564 s0 : ff20000010a982b0
s1 : 0000000000000012 a0 : ff20000010a97e88 a1 : 0000000000000000
a2 : 0000000000000400 a3 : ff20000010a98288 a4 : 0000000000000000
a5 : 0000000000000000 a6 : fffffffffffe43f0 a7 : 00007fffffffffff
s2 : ff20000010a97e88 s3 : ffffffff01644680 s4 : ff20000010a9be90
s5 : ff600000842ba6c0 s6 : 00aaaaaac29e42b0 s7 : 00fffffff0aa3684
s8 : 00aaaaaac2978040 s9 : 0000000000000065 s10: 00ffffff8a7cad10
s11: 00ffffff8a76a4e0 t3 : ffffffff815dbaf4 t4 : ffffffff815dbaf4
t5 : ffffffff815dbab8 t6 : ff20000010a9bb48
status: 0000000200000120 badaddr: ff20000010a97e88 cause: 000000000000000f
Kernel panic - not syncing: Kernel stack overflow
CPU: 1 PID: 205 Comm: bash Not tainted 6.1.0-rc2-00001-g328a1f96f7b9 #34
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80006754>] dump_backtrace+0x30/0x38
[<ffffffff808de798>] show_stack+0x40/0x4c
[<ffffffff808ea2a8>] dump_stack_lvl+0x44/0x5c
[<ffffffff808ea2d8>] dump_stack+0x18/0x20
[<ffffffff808dec06>] panic+0x126/0x2fe
[<ffffffff800065ea>] walk_stackframe+0x0/0xf0
[<ffffffff0163a752>] recursive_loop+0x48/0xc6 [lkdtm]
SMP: stopping secondary CPUs
---[ end Kernel panic - not syncing: Kernel stack overflow ]---

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: riscv: detección de desbordamiento de VMAP_STACK confirmación segura para subprocesos 31da94c25aea ("riscv: agregar detección de desbordamiento de VMAP_STACK") se agregó soporte para CONFIG_VMAP_STACK. Si se detecta un desbordamiento, la CPU cambia a `shadow_stack` temporalmente antes de cambiar finalmente a `overflow_stack` por CPU. Si dos CPU/harts están corriendo y terminan en una pila de kernel desbordada, uno o ambos terminarán corrompiendo el estado del otro porque `shadow_stack` no es por CPU. Este parche optimiza el cambio de pila de desbordamiento por CPU seleccionando directamente `overflow_stack` por CPU y elimina `shadow_stack`. Los siguientes son los cambios en este parche: Define una macro asm para obtener símbolos por CPU en el registro de destino. - En Entry.S, cuando se detecta un desbordamiento, la pila de desbordamiento por CPU se ubica mediante la macro ASM por CPU. Calcular el símbolo por CPU requiere un registro temporal. x31 se guarda en CSR_SCRATCH (CSR_SCRATCH es de todos modos cero ya que estamos en el kernel). Consulte los enlaces para obtener información adicional relevante y una solución alternativa. Probado por `echo EXHAUST_STACK > /sys/kernel/debug/provoke-crash/DIRECT` Registro de fallas del kernel debajo ¡Espacio de pila insuficiente para manejar la excepción!/debug/provoke-crash/DIRECT Pila de tareas: [0xff20000010a98000..0xff20000010a9c000] Pila de desbordamiento: [0xff600001f7d98370..0xff600001f7d99370] CPU: 1 PID: 205 Comm: bash No contaminado 6.1.0-rc2-00001-g328a1f96f7b9 #34 Nombre de hardware: riscv-virtio,qemu (DT) epc: __memset+0x60/0x fc ra: bucle_recursivo+ 0x48/0xc6 [lkdtm] epc: ffffffff808de0e4 ra: ffffffff0163a752 sp: ff20000010a97e80 gp: ffffffff815c0330 tp: ff600000820ea280 t0: ff20000010a97e88 t1: 0000000000002e t2: 3233206874706564 s0: ff20000010a982b0 s1: 0000000000000012 a0: ff20000010a97e88 a1: 0000000000000000 a2: 000000 0000000400 a3: ff20000010a98288 a4: 0000000000000000 a5: 0000000000000000 a6: fffffffffffe43f0 a7: 00007ffffffffff s2: ff20000010a97e88 s3: ffffffff01644680 s4: ff20000010a9be90 5: ff600000842ba6c0 s6: 00aaaaaac29e42b0 s7: 00fffffff0aa3684 s8: 00aaaaaac2978040 s9: 00000000000000065 s10: 00ffffff8a7cad10 s11: ff8a76a4e0 t3: ffffffff815dbaf4 t4: ffffffff815dbaf4 t5: ffffffff815dbab8 t6 : ff20000010a9bb48 estado: 0000000200000120 badaddr: ff20000010a97e88 causa: 000000000000000f Pánico del kernel: no se sincroniza: desbordamiento de la pila del kernel CPU: 1 PID: 205 Comm: bash no contaminado 6.1.0-rc2-0000 1-g328a1f96f7b9 #34 Nombre del hardware: riscv-virtio,qemu (DT) Seguimiento de llamadas: [] dump_backtrace+0x30/0x38 [] show_stack+0x40/0x4c [] dump_stack_lvl+0x44/0x5c [] dump_stack+0x18 /0x20 [ ] panic+0x126/0x2fe [] walk_stackframe+0x0/0xf0 [] recursive_loop+0x48/0xc6 [lkdtm] SMP: deteniendo las CPU secundarias ---[ fin del pánico del kernel - no se sincroniza: desbordamiento de la pila del kernel]- --

*Credits: N/A

CVSS Scores

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-05-21 CVE Reserved
2024-05-21 CVE Published
2024-05-22 EPSS Updated
2024-08-02 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (3)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/1493baaf09e3c1899959c8a107cd1207e16d1788	2023-11-28
https://git.kernel.org/stable/c/eff53aea3855f71992c043cebb1c00988c17ee20	2023-11-28
https://git.kernel.org/stable/c/be97d0db5f44c0674480cb79ac6f5b0529b84c76	2023-10-27

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 6.5.13 Search vendor "Linux" for product "Linux Kernel" and version " < 6.5.13"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 6.6.3 Search vendor "Linux" for product "Linux Kernel" and version " < 6.6.3"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 6.7 Search vendor "Linux" for product "Linux Kernel" and version " < 6.7"		en		Affected