CVE-2023-53713

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
22/10/2025
Last modified:
22/10/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

arm64: sme: Use STR P to clear FFR context field in streaming SVE mode

The FFR is a predicate register which can vary between 16 and 256 bits in size depending upon the configured vector length. When saving the SVE state in streaming SVE mode, the FFR register is inaccessible and so commit 9f5848665788 ("arm64/sve: Make access to FFR optional") simply clears the FFR field of the in-memory context structure. Unfortunately, it achieves this using an unconditional 8-byte store and so if the SME vector length is anything other than 64 bytes in size we will either fail to clear the entire field or, worse, we will corrupt memory immediately following the structure. This has led to intermittent kfence splats in CI [1] and can trigger kmalloc Redzone corruption messages when running the 'fp-stress' kselftest:

| =============================================================================
| BUG kmalloc-1k (Not tainted): kmalloc Redzone overwritten
| -----------------------------------------------------------------------------
|
| 0xffff000809bf1e22-0xffff000809bf1e27 @offset=7714. First byte 0x0 instead of 0xcc
| Allocated in do_sme_acc+0x9c/0x220 age=2613 cpu=1 pid=531
| __kmalloc+0x8c/0xcc
| do_sme_acc+0x9c/0x220
| ...

Replace the 8-byte store with a store of a predicate register which has been zero-initialised with PFALSE, ensuring that the entire field is cleared in memory.

[1] https://lore.kernel.org/r/CA+G9fYtU7HsV0R0dp4XEH5xXHSJFw8KyDf5VQrLLfMxWfxQkag@mail.gmail.com
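To make the size mismatch concrete, the following is an added C model of the defect, not the kernel's own code: it assumes a saved-context layout in which the FFR field (VL/8 bytes wide) is immediately followed by an allocator redzone, and uses memset in place of the STR Xzr / STR P instructions to compare the fixed 8-byte clear with a clear of the correct width.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not kernel code. The SVE/SME vector length (VL) is
 * 16..256 bytes and a predicate register such as FFR occupies VL/8 bytes.
 * The FFR field ends the saved context, so a redzone sits right after it,
 * as SLUB places one after a kmalloc'd buffer. */
#define MAX_FFR_BYTES 32    /* FFR size for the largest VL (256 bytes) */
#define REDZONE_BYTES 8
#define REDZONE_FILL  0xcc  /* the fill byte the splat expected to find */
static size_t ffr_bytes(size_t vl_bytes) { return vl_bytes / 8; }

/* Before the fix: an unconditional 8-byte store, whatever VL is. */
static void clear_ffr_buggy(uint8_t *ffr) { memset(ffr, 0, 8); }

/* After the fix: store a predicate register zeroed with PFALSE, i.e. exactly
 * VL/8 bytes; memset stands in for the STR P instruction here. */
static void clear_ffr_fixed(uint8_t *ffr, size_t vl) { memset(ffr, 0, ffr_bytes(vl)); }

/* Simulate one save for the given VL. Returns 0 if the field is fully cleared
 * and the redzone is intact, 1 if stale FFR bytes remain (VL > 64 bytes) and
 * 2 if the store ran past the field into the redzone (VL < 64 bytes). */
static int check_clear(size_t vl_bytes, int use_fix)
{
    uint8_t buf[MAX_FFR_BYTES + REDZONE_BYTES];
    size_t n = ffr_bytes(vl_bytes);
    memset(buf, 0xff, n);                         /* stale FFR contents */
    memset(buf + n, REDZONE_FILL, REDZONE_BYTES); /* guard after the field */
    if (use_fix)
        clear_ffr_fixed(buf, vl_bytes);
    else
        clear_ffr_buggy(buf);
    for (size_t i = n; i < n + REDZONE_BYTES; i++)
        if (buf[i] != REDZONE_FILL)
            return 2;
    for (size_t i = 0; i < n; i++)
        if (buf[i] != 0)
            return 1;
    return 0;
}

int main(void)
{
    static const size_t vls[] = { 16, 32, 64, 128, 256 };
    for (size_t i = 0; i < sizeof vls / sizeof vls[0]; i++)
        printf("VL=%3zu: buggy=%d fixed=%d\n", vls[i], check_clear(vls[i], 0), check_clear(vls[i], 1));
    return 0;
}
```

Only VL = 64 bytes (an 8-byte FFR) passes with the buggy clear; smaller vector lengths overwrite the redzone, which is the "First byte 0x0 instead of 0xcc" the splat reports, and larger ones leave stale FFR bytes behind.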

Impact