CVE-2023-52568

Severity CVSS v4.0:
Pending analysis
Type:
CWE-476 NULL Pointer Dereference
Publication date:
02/03/2024
Last modified:
11/12/2024

Description

In the Linux kernel, the following vulnerability has been resolved:

x86/sgx: Resolves SECS reclaim vs. page fault for EAUG race

The SGX EPC reclaimer (ksgxd) may reclaim the SECS EPC page for an enclave and set secs.epc_page to NULL. The SECS page is used for EAUG and ELDU in the SGX page fault handler. However, the NULL check for secs.epc_page is only done for ELDU, not EAUG before being used.

Fix this by doing the same NULL check and reloading of the SECS page as needed for both EAUG and ELDU.

The SECS page holds global enclave metadata. It can only be reclaimed when there are no other enclave pages remaining. At that point, virtually nothing can be done with the enclave until the SECS page is paged back in.

An enclave cannot run nor generate page faults without a resident SECS page. But it is still possible for a #PF for a non-SECS page to race with paging out the SECS page: when the last resident non-SECS page A triggers a #PF in a non-resident page B, and then page A and the SECS both are paged out before the #PF on B is handled.

Hitting this bug requires that race to be triggered with a #PF for EAUG. Following is a trace when it happens.

BUG: kernel NULL pointer dereference, address: 0000000000000000
RIP: 0010:sgx_encl_eaug_page+0xc7/0x210
Call Trace:
? __kmem_cache_alloc_node+0x16a/0x440
? xa_load+0x6e/0xa0
sgx_vma_fault+0x119/0x230
__do_fault+0x36/0x140
do_fault+0x12f/0x400
__handle_mm_fault+0x728/0x1110
handle_mm_fault+0x105/0x310
do_user_addr_fault+0x1ee/0x750
? __this_cpu_preempt_check+0x13/0x20
exc_page_fault+0x76/0x180
asm_exc_page_fault+0x27/0x30

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.0 (including) 6.1.56 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2 (including) 6.5.6 (excluding)
cpe:2.3:o:linux:linux_kernel:6.6:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.6:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.6:rc3:*:*:*:*:*:*
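The following is an added example, not part of this advisory: a small Python checker that encodes the affected ranges from the table above (6.0 up to but excluding 6.1.56, 6.2 up to but excluding 6.5.6, and the three listed 6.6 release candidates) and tests a `uname -r` style version string against them. The parsing of distribution suffixes such as `-generic` is an assumption about the input format, not something the advisory states.

```python
"""Check a Linux kernel version string against the ranges this advisory
lists as affected by CVE-2023-52568 (added example, not advisory text)."""
import re

# Ranges copied from the advisory's CPE table: 'from' inclusive, 'to' exclusive.
AFFECTED_RANGES = [((6, 0, 0), (6, 1, 56)), ((6, 2, 0), (6, 5, 6))]
# The table lists 6.6-rc1, -rc2 and -rc3 individually (no range).
AFFECTED_RCS = {(6, 6, 0, 1), (6, 6, 0, 2), (6, 6, 0, 3)}

# Assumed input format: 'major.minor[.patch][-rcN]' optionally followed by a
# distribution suffix such as '-generic' or '-arch1-1', which is ignored.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?")


def parse_kernel_version(s):
    """'6.1.55-generic' -> (6, 1, 55, None); '6.6-rc2' -> (6, 6, 0, 2)."""
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised kernel version: {s!r}")
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch or 0), int(rc) if rc else None)


def is_affected(s):
    """True if the version falls inside a listed range or is a listed rc."""
    major, minor, patch, rc = parse_kernel_version(s)
    if rc is not None:
        # Release candidates only appear as individual entries in the table;
        # an rc that is not listed (e.g. 6.6-rc4) is reported as not affected.
        return (major, minor, patch, rc) in AFFECTED_RCS
    v = (major, minor, patch)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)
```

Distribution kernels frequently carry the fix as a backport under an older version string, so a match here is a prompt to consult the vendor's own advisory rather than confirmation that the host is vulnerable.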