CVE-2023-52761

In the Linux kernel, the following vulnerability has been resolved:

riscv: VMAP_STACK overflow detection thread-safe

commit 31da94c25aea ("riscv: add VMAPSTACK overflow detection") added support for CONFIGVMAP_STACK. If overflow is detected, CPU switches to shadow_stack temporarily before switching finally to per-cpu overflow_stack.

If two CPUs/harts are racing and end up in over flowing kernel stack, one or both will end up corrupting each other state because shadow_stack is not per-cpu. This patch optimizes per-cpu overflow stack switch by directly picking per-cpu overflow_stack and gets rid of shadow_stack.

Following are the changes in this patch

• Defines an asm macro to obtain per-cpu symbols in destination register.
• In entry.S, when overflow is detected, per-cpu overflow stack is located using per-cpu asm macro. Computing per-cpu symbol requires a temporary register. x31 is saved away into CSRSCRATCH (CSRSCRATCH is anyways zero since we're in kernel).

Please see Links for additional relevant disccussion and alternative solution.

Tested by echo EXHAUST_STACK > /sys/kernel/debug/provoke-crash/DIRECT Kernel crash log below

Insufficient stack space to handle exception!/debug/provoke-crash/DIRECT Task stack: [0xff20000010a98000..0xff20000010a9c000] Overflow stack: [0xff600001f7d98370..0xff600001f7d99370] CPU: 1 PID: 205 Comm: bash Not tainted 6.1.0-rc2-00001-g328a1f96f7b9 #34 Hardware name: riscv-virtio,qemu (DT) epc : _memset+0x60/0xfc ra : recursiveloop+0x48/0xc6 [lkdtm] epc : ffffffff808de0e4 ra : ffffffff0163a752 sp : ff20000010a97e80 gp : ffffffff815c0330 tp : ff600000820ea280 t0 : ff20000010a97e88 t1 : 000000000000002e t2 : 3233206874706564 s0 : ff20000010a982b0 s1 : 0000000000000012 a0 : ff20000010a97e88 a1 : 0000000000000000 a2 : 0000000000000400 a3 : ff20000010a98288 a4 : 0000000000000000 a5 : 0000000000000000 a6 : fffffffffffe43f0 a7 : 00007fffffffffff s2 : ff20000010a97e88 s3 : ffffffff01644680 s4 : ff20000010a9be90 s5 : ff600000842ba6c0 s6 : 00aaaaaac29e42b0 s7 : 00fffffff0aa3684 s8 : 00aaaaaac2978040 s9 : 0000000000000065 s10: 00ffffff8a7cad10 s11: 00ffffff8a76a4e0 t3 : ffffffff815dbaf4 t4 : ffffffff815dbaf4 t5 : ffffffff815dbab8 t6 : ff20000010a9bb48 status: 0000000200000120 badaddr: ff20000010a97e88 cause: 000000000000000f Kernel panic - not syncing: Kernel stack overflow CPU: 1 PID: 205 Comm: bash Not tainted 6.1.0-rc2-00001-g328a1f96f7b9 #34 Hardware name: riscv-virtio,qemu (DT) Call Trace: [<ffffffff80006754>] dumpbacktrace+0x30/0x38 [<ffffffff808de798>] showstack+0x40/0x4c [<ffffffff808ea2a8>] dumpstacklvl+0x44/0x5c [<ffffffff808ea2d8>] dumpstack+0x18/0x20 [<ffffffff808dec06>] panic+0x126/0x2fe [<ffffffff800065ea>] walkstackframe+0x0/0xf0 [<ffffffff0163a752>] recursive_loop+0x48/0xc6 [lkdtm] SMP: stopping secondary CPUs ---[ end Kernel panic - not syncing: Kernel stack overflow ]---