CVE-2023-52761

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> riscv: VMAP_STACK overflow detection thread-safe<br /> <br /> commit 31da94c25aea ("riscv: add VMAP_STACK overflow detection") added<br /> support for CONFIG_VMAP_STACK. If overflow is detected, CPU switches to<br /> `shadow_stack` temporarily before switching finally to per-cpu<br /> `overflow_stack`.<br /> <br /> If two CPUs/harts are racing and end up in over flowing kernel stack, one<br /> or both will end up corrupting each other state because `shadow_stack` is<br /> not per-cpu. This patch optimizes per-cpu overflow stack switch by<br /> directly picking per-cpu `overflow_stack` and gets rid of `shadow_stack`.<br /> <br /> Following are the changes in this patch<br /> <br /> - Defines an asm macro to obtain per-cpu symbols in destination<br /> register.<br /> - In entry.S, when overflow is detected, per-cpu overflow stack is<br /> located using per-cpu asm macro. Computing per-cpu symbol requires<br /> a temporary register. x31 is saved away into CSR_SCRATCH<br /> (CSR_SCRATCH is anyways zero since we&amp;#39;re in kernel).<br /> <br /> Please see Links for additional relevant disccussion and alternative<br /> solution.<br /> <br /> Tested by `echo EXHAUST_STACK &gt; /sys/kernel/debug/provoke-crash/DIRECT`<br /> Kernel crash log below<br /> <br /> Insufficient stack space to handle exception!/debug/provoke-crash/DIRECT<br /> Task stack: [0xff20000010a98000..0xff20000010a9c000]<br /> Overflow stack: [0xff600001f7d98370..0xff600001f7d99370]<br /> CPU: 1 PID: 205 Comm: bash Not tainted 6.1.0-rc2-00001-g328a1f96f7b9 #34<br /> Hardware name: riscv-virtio,qemu (DT)<br /> epc : __memset+0x60/0xfc<br /> ra : recursive_loop+0x48/0xc6 [lkdtm]<br /> epc : ffffffff808de0e4 ra : ffffffff0163a752 sp : ff20000010a97e80<br /> gp : ffffffff815c0330 tp : ff600000820ea280 t0 : ff20000010a97e88<br /> t1 : 000000000000002e t2 : 3233206874706564 s0 : ff20000010a982b0<br /> s1 : 0000000000000012 a0 : ff20000010a97e88 a1 : 0000000000000000<br /> a2 : 0000000000000400 a3 : ff20000010a98288 a4 : 0000000000000000<br /> a5 : 0000000000000000 a6 : fffffffffffe43f0 a7 : 00007fffffffffff<br /> s2 : ff20000010a97e88 s3 : ffffffff01644680 s4 : ff20000010a9be90<br /> s5 : ff600000842ba6c0 s6 : 00aaaaaac29e42b0 s7 : 00fffffff0aa3684<br /> s8 : 00aaaaaac2978040 s9 : 0000000000000065 s10: 00ffffff8a7cad10<br /> s11: 00ffffff8a76a4e0 t3 : ffffffff815dbaf4 t4 : ffffffff815dbaf4<br /> t5 : ffffffff815dbab8 t6 : ff20000010a9bb48<br /> status: 0000000200000120 badaddr: ff20000010a97e88 cause: 000000000000000f<br /> Kernel panic - not syncing: Kernel stack overflow<br /> CPU: 1 PID: 205 Comm: bash Not tainted 6.1.0-rc2-00001-g328a1f96f7b9 #34<br /> Hardware name: riscv-virtio,qemu (DT)<br /> Call Trace:<br /> [] dump_backtrace+0x30/0x38<br /> [] show_stack+0x40/0x4c<br /> [] dump_stack_lvl+0x44/0x5c<br /> [] dump_stack+0x18/0x20<br /> [] panic+0x126/0x2fe<br /> [] walk_stackframe+0x0/0xf0<br /> [] recursive_loop+0x48/0xc6 [lkdtm]<br /> SMP: stopping secondary CPUs<br /> ---[ end Kernel panic - not syncing: Kernel stack overflow ]---