CVE-2023-52761

{"id": "CVE-2023-52761", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2024-05-21T16:15:15.487", "references": [{"url": "https://git.kernel.org/stable/c/1493baaf09e3c1899959c8a107cd1207e16d1788", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/be97d0db5f44c0674480cb79ac6f5b0529b84c76", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/eff53aea3855f71992c043cebb1c00988c17ee20", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/1493baaf09e3c1899959c8a107cd1207e16d1788", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/be97d0db5f44c0674480cb79ac6f5b0529b84c76", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/eff53aea3855f71992c043cebb1c00988c17ee20", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-674"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: VMAP_STACK overflow detection thread-safe\n\ncommit 31da94c25aea (\"riscv: add VMAP_STACK overflow detection\") added\nsupport for CONFIG_VMAP_STACK. If overflow is detected, CPU switches to\n`shadow_stack` temporarily before switching finally to per-cpu\n`overflow_stack`.\n\nIf two CPUs/harts are racing and end up in over flowing kernel stack, one\nor both will end up corrupting each other state because `shadow_stack` is\nnot per-cpu. This patch optimizes per-cpu overflow stack switch by\ndirectly picking per-cpu `overflow_stack` and gets rid of `shadow_stack`.\n\nFollowing are the changes in this patch\n\n - Defines an asm macro to obtain per-cpu symbols in destination\n register.\n - In entry.S, when overflow is detected, per-cpu overflow stack is\n located using per-cpu asm macro. Computing per-cpu symbol requires\n a temporary register. x31 is saved away into CSR_SCRATCH\n (CSR_SCRATCH is anyways zero since we're in kernel).\n\nPlease see Links for additional relevant disccussion and alternative\nsolution.\n\nTested by `echo EXHAUST_STACK > /sys/kernel/debug/provoke-crash/DIRECT`\nKernel crash log below\n\n Insufficient stack space to handle exception!/debug/provoke-crash/DIRECT\n Task stack: [0xff20000010a98000..0xff20000010a9c000]\n Overflow stack: [0xff600001f7d98370..0xff600001f7d99370]\n CPU: 1 PID: 205 Comm: bash Not tainted 6.1.0-rc2-00001-g328a1f96f7b9 #34\n Hardware name: riscv-virtio,qemu (DT)\n epc : __memset+0x60/0xfc\n ra : recursive_loop+0x48/0xc6 [lkdtm]\n epc : ffffffff808de0e4 ra : ffffffff0163a752 sp : ff20000010a97e80\n gp : ffffffff815c0330 tp : ff600000820ea280 t0 : ff20000010a97e88\n t1 : 000000000000002e t2 : 3233206874706564 s0 : ff20000010a982b0\n s1 : 0000000000000012 a0 : ff20000010a97e88 a1 : 0000000000000000\n a2 : 0000000000000400 a3 : ff20000010a98288 a4 : 0000000000000000\n a5 : 0000000000000000 a6 : fffffffffffe43f0 a7 : 00007fffffffffff\n s2 : ff20000010a97e88 s3 : ffffffff01644680 s4 : ff20000010a9be90\n s5 : ff600000842ba6c0 s6 : 00aaaaaac29e42b0 s7 : 00fffffff0aa3684\n s8 : 00aaaaaac2978040 s9 : 0000000000000065 s10: 00ffffff8a7cad10\n s11: 00ffffff8a76a4e0 t3 : ffffffff815dbaf4 t4 : ffffffff815dbaf4\n t5 : ffffffff815dbab8 t6 : ff20000010a9bb48\n status: 0000000200000120 badaddr: ff20000010a97e88 cause: 000000000000000f\n Kernel panic - not syncing: Kernel stack overflow\n CPU: 1 PID: 205 Comm: bash Not tainted 6.1.0-rc2-00001-g328a1f96f7b9 #34\n Hardware name: riscv-virtio,qemu (DT)\n Call Trace:\n [<ffffffff80006754>] dump_backtrace+0x30/0x38\n [<ffffffff808de798>] show_stack+0x40/0x4c\n [<ffffffff808ea2a8>] dump_stack_lvl+0x44/0x5c\n [<ffffffff808ea2d8>] dump_stack+0x18/0x20\n [<ffffffff808dec06>] panic+0x126/0x2fe\n [<ffffffff800065ea>] walk_stackframe+0x0/0xf0\n [<ffffffff0163a752>] recursive_loop+0x48/0xc6 [lkdtm]\n SMP: stopping secondary CPUs\n ---[ end Kernel panic - not syncing: Kernel stack overflow ]---"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: riscv: detecci\u00f3n de desbordamiento de VMAP_STACK confirmaci\u00f3n segura para subprocesos 31da94c25aea (\"riscv: agregar detecci\u00f3n de desbordamiento de VMAP_STACK\") se agreg\u00f3 soporte para CONFIG_VMAP_STACK. Si se detecta un desbordamiento, la CPU cambia a `shadow_stack` temporalmente antes de cambiar finalmente a `overflow_stack` por CPU. Si dos CPU/harts est\u00e1n corriendo y terminan en una pila de kernel desbordada, uno o ambos terminar\u00e1n corrompiendo el estado del otro porque `shadow_stack` no es por CPU. Este parche optimiza el cambio de pila de desbordamiento por CPU seleccionando directamente `overflow_stack` por CPU y elimina `shadow_stack`. Los siguientes son los cambios en este parche: Define una macro asm para obtener s\u00edmbolos por CPU en el registro de destino. - En Entry.S, cuando se detecta un desbordamiento, la pila de desbordamiento por CPU se ubica mediante la macro ASM por CPU. Calcular el s\u00edmbolo por CPU requiere un registro temporal. x31 se guarda en CSR_SCRATCH (CSR_SCRATCH es de todos modos cero ya que estamos en el kernel). Consulte los enlaces para obtener informaci\u00f3n adicional relevante y una soluci\u00f3n alternativa. Probado por `echo EXHAUST_STACK &gt; /sys/kernel/debug/provoke-crash/DIRECT` Registro de fallas del kernel debajo \u00a1Espacio de pila insuficiente para manejar la excepci\u00f3n!/debug/provoke-crash/DIRECT Pila de tareas: [0xff20000010a98000..0xff20000010a9c000] Pila de desbordamiento: [0xff600001f7d98370..0xff600001f7d99370] CPU: 1 PID: 205 Comm: bash No contaminado 6.1.0-rc2-00001-g328a1f96f7b9 #34 Nombre de hardware: riscv-virtio,qemu (DT) epc: __memset+0x60/0x fc ra: bucle_recursivo+ 0x48/0xc6 [lkdtm] epc: ffffffff808de0e4 ra: ffffffff0163a752 sp: ff20000010a97e80 gp: ffffffff815c0330 tp: ff600000820ea280 t0: ff20000010a97e88 t1: 0000000000002e t2: 3233206874706564 s0: ff20000010a982b0 s1: 0000000000000012 a0: ff20000010a97e88 a1: 0000000000000000 a2: 000000 0000000400 a3: ff20000010a98288 a4: 0000000000000000 a5: 0000000000000000 a6: fffffffffffe43f0 a7: 00007ffffffffff s2: ff20000010a97e88 s3: ffffffff01644680 s4: ff20000010a9be90 5: ff600000842ba6c0 s6: 00aaaaaac29e42b0 s7: 00fffffff0aa3684 s8: 00aaaaaac2978040 s9: 00000000000000065 s10: 00ffffff8a7cad10 s11: ff8a76a4e0 t3: ffffffff815dbaf4 t4: ffffffff815dbaf4 t5: ffffffff815dbab8 t6 : ff20000010a9bb48 estado: 0000000200000120 badaddr: ff20000010a97e88 causa: 000000000000000f P\u00e1nico del kernel: no se sincroniza: desbordamiento de la pila del kernel CPU: 1 PID: 205 Comm: bash no contaminado 6.1.0-rc2-0000 1-g328a1f96f7b9 #34 Nombre del hardware: riscv-virtio,qemu (DT) Seguimiento de llamadas: [] dump_backtrace+0x30/0x38 [] show_stack+0x40/0x4c [] dump_stack_lvl+0x44/0x5c [] dump_stack+0x18 /0x20 [ ] panic+0x126/0x2fe [] walk_stackframe+0x0/0xf0 [] recursive_loop+0x48/0xc6 [lkdtm] SMP: deteniendo las CPU secundarias ---[ fin del p\u00e1nico del kernel - no se sincroniza: desbordamiento de la pila del kernel]- --"}], "lastModified": "2025-09-23T19:28:31.913", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BF2203B2-A6C7-4371-9013-928DFFA1E4D9", "versionEndExcluding": "6.5.13", "versionStartIncluding": "4.15"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B58252FA-A49C-411F-9B28-DC5FE44BC5A0", "versionEndExcluding": "6.6.3", "versionStartIncluding": "6.6"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}