CVE-2023-53655

Source
https://cve.org/CVERecord?id=CVE-2023-53655
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-53655.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2023-53655
Published
2025-10-07T15:21:16.889Z
Modified
2026-04-11T12:46:51.156116Z
Summary
rcu: Avoid stack overflow due to __rcu_irq_enter_check_tick() being kprobe-ed
Details

In the Linux kernel, the following vulnerability has been resolved:

rcu: Avoid stack overflow due to __rcu_irq_enter_check_tick() being kprobe-ed

Registering a kprobe on __rcu_irq_enter_check_tick() can cause kernel stack overflow as shown below. This issue can be reproduced by enabling CONFIG_NO_HZ_FULL and booting the kernel with argument "nohz_full=", and then giving the following commands at the shell prompt:

  # cd /sys/kernel/tracing/
  # echo 'p:mp1 __rcu_irq_enter_check_tick' >> kprobe_events
  # echo 1 > events/kprobes/enable

This commit therefore adds __rcu_irq_enter_check_tick() to the kprobes blacklist using NOKPROBE_SYMBOL().

  Insufficient stack space to handle exception!
  ESR: 0x00000000f2000004 -- BRK (AArch64)
  FAR: 0x0000ffffccf3e510
  Task stack: [0xffff80000ad30000..0xffff80000ad38000]
  IRQ stack: [0xffff800008050000..0xffff800008058000]
  Overflow stack: [0xffff089c36f9f310..0xffff089c36fa0310]
  CPU: 5 PID: 190 Comm: bash Not tainted 6.2.0-rc2-00320-g1f5abbd77e2c #19
  Hardware name: linux,dummy-virt (DT)
  pstate: 400003c5 (nZcv DAIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
  pc : __rcu_irq_enter_check_tick+0x0/0x1b8
  lr : ct_nmi_enter+0x11c/0x138
  sp : ffff80000ad30080
  x29: ffff80000ad30080 x28: ffff089c82e20000 x27: 0000000000000000
  x26: 0000000000000000 x25: ffff089c02a8d100 x24: 0000000000000000
  x23: 00000000400003c5 x22: 0000ffffccf3e510 x21: ffff089c36fae148
  x20: ffff80000ad30120 x19: ffffa8da8fcce148 x18: 0000000000000000
  x17: 0000000000000000 x16: 0000000000000000 x15: ffffa8da8e44ea6c
  x14: ffffa8da8e44e968 x13: ffffa8da8e03136c x12: 1fffe113804d6809
  x11: ffff6113804d6809 x10: 0000000000000a60 x9 : dfff800000000000
  x8 : ffff089c026b404f x7 : 00009eec7fb297f7 x6 : 0000000000000001
  x5 : ffff80000ad30120 x4 : dfff800000000000 x3 : ffffa8da8e3016f4
  x2 : 0000000000000003 x1 : 0000000000000000 x0 : 0000000000000000
  Kernel panic - not syncing: kernel stack overflow
  CPU: 5 PID: 190 Comm: bash Not tainted 6.2.0-rc2-00320-g1f5abbd77e2c #19
  Hardware name: linux,dummy-virt (DT)
  Call trace:
   dump_backtrace+0xf8/0x108
   show_stack+0x20/0x30
   dump_stack_lvl+0x68/0x84
   dump_stack+0x1c/0x38
   panic+0x214/0x404
   add_taint+0x0/0xf8
   panic_bad_stack+0x144/0x160
   handle_bad_stack+0x38/0x58
   __bad_stack+0x78/0x7c
   __rcu_irq_enter_check_tick+0x0/0x1b8
   arm64_enter_el1_dbg.isra.0+0x14/0x20
   el1_dbg+0x2c/0x90
   el1h_64_sync_handler+0xcc/0xe8
   el1h_64_sync+0x64/0x68
   __rcu_irq_enter_check_tick+0x0/0x1b8
   arm64_enter_el1_dbg.isra.0+0x14/0x20
   el1_dbg+0x2c/0x90
   el1h_64_sync_handler+0xcc/0xe8
   el1h_64_sync+0x64/0x68
   __rcu_irq_enter_check_tick+0x0/0x1b8
   arm64_enter_el1_dbg.isra.0+0x14/0x20
   el1_dbg+0x2c/0x90
   el1h_64_sync_handler+0xcc/0xe8
   el1h_64_sync+0x64/0x68
   __rcu_irq_enter_check_tick+0x0/0x1b8
   [...]
   el1_dbg+0x2c/0x90
   el1h_64_sync_handler+0xcc/0xe8
   el1h_64_sync+0x64/0x68
   __rcu_irq_enter_check_tick+0x0/0x1b8
   arm64_enter_el1_dbg.isra.0+0x14/0x20
   el1_dbg+0x2c/0x90
   el1h_64_sync_handler+0xcc/0xe8
   el1h_64_sync+0x64/0x68
   __rcu_irq_enter_check_tick+0x0/0x1b8
   arm64_enter_el1_dbg.isra.0+0x14/0x20
   el1_dbg+0x2c/0x90
   el1h_64_sync_handler+0xcc/0xe8
   el1h_64_sync+0x64/0x68
   __rcu_irq_enter_check_tick+0x0/0x1b8
   el1_interrupt+0x28/0x60
   el1h_64_irq_handler+0x18/0x28
   el1h_64_irq+0x64/0x68
   __ftrace_set_clr_event_nolock+0x98/0x198
   __ftrace_set_clr_event+0x58/0x80
   system_enable_write+0x144/0x178
   vfs_write+0x174/0x738
   ksys_write+0xd0/0x188
   __arm64_sys_write+0x4c/0x60
   invoke_syscall+0x64/0x180
   el0_svc_common.constprop.0+0x84/0x160
   do_el0_svc+0x48/0xe8
   el0_svc+0x34/0xd0
   el0t_64_sync_handler+0xb8/0xc0
   el0t_64_sync+0x190/0x194
  SMP: stopping secondary CPUs
  Kernel Offset: 0x28da86000000 from 0xffff800008000000
  PHYS_OFFSET: 0xfffff76600000000
  CPU features: 0x00000,01a00100,0000421b
  Memory Limit: none

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/53xxx/CVE-2023-53655.json",
    "cna_assigner": "Linux"
}

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
aaf2bc50df1f4bfc6857fc601fc7b21d5a18c6a1
Fixed
eb18bc5a8678f431c500e6da1b8b5f34478d5bc1
Fixed
4c3d1a6720aefb02403ddfebe85db521d3af2c3b
Fixed
c8a3341b339285495cf7c8d061d659465f2311e0
Fixed
93b6295f677d96b73cfcb703532f6c7369a60d96
Fixed
7b5a97333e920b69356e097f185bdc51d61e66ee
Fixed
7a29fb4a4771124bc61de397dbfc1554dbbcc19c

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-53655.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.8.0
Fixed
5.10.180
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.111
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.28
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.2.15
Type
ECOSYSTEM
Events
Introduced
6.3.0
Fixed
6.3.2

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-53655.json"
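
A defender's triage check for this record, added here as an example (it is not part of the CVE record or of the kernel commit): it tests a kernel release against the ECOSYSTEM ranges listed above and looks for the symbol in the kprobes blacklist file. The function names and the `--host` switch are made up for this example, and debugfs is assumed to be mounted at `/sys/kernel/debug`.

```shell
#!/bin/sh
# Added example: host triage for CVE-2023-53655 from the data in this record.
SYMBOL='__rcu_irq_enter_check_tick'
# ECOSYSTEM ranges copied from the record: "introduced fixed" (fixed is exclusive).
RANGES='5.8.0 5.10.180
5.11.0 5.15.111
5.16.0 6.1.28
6.2.0 6.2.15
6.3.0 6.3.2'

# ver_lt A B: true when x.y.z version A is strictly lower than B.
ver_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)" = "$1" ]
}

# version_affected RELEASE: 0 = inside a listed range, 1 = outside, 2 = unparsable.
# Accepts `uname -r` output; the suffix after x.y.z (-rc2, -generic, ...) is ignored.
version_affected() {
    v=${1%%[!0-9.]*}; v=${v%.}
    case $v in
        *.*.*) ;;
        *.*) v=$v.0 ;;
        *) return 2 ;;
    esac
    while read -r intro fixed; do
        if ! ver_lt "$v" "$intro" && ver_lt "$v" "$fixed"; then return 0; fi
    done <<EOF
$RANGES
EOF
    return 1
}

# symbol_blacklisted [FILE]: 0 when SYMBOL is on the kprobes blacklist.
# Lines look like "0xSTART-0xEND<TAB>symbol"; the real file needs root and debugfs.
symbol_blacklisted() {
    awk -v s="$SYMBOL" '$NF == s { found = 1 } END { exit !found }' \
        "${1:-/sys/kernel/debug/kprobes/blacklist}"
}

# triage: the blacklist is checked first because vendor kernels can backport the
# fix without moving to an upstream version number outside the listed ranges.
triage() {
    rel=$(uname -r)
    if symbol_blacklisted 2>/dev/null; then echo "$rel: $SYMBOL blacklisted, fix present"
    elif version_affected "$rel"; then echo "$rel: in an affected range, fix not confirmed"
    else echo "$rel: outside the affected ranges"
    fi
}
if [ "${1:-}" = "--host" ]; then triage; fi
```

Run it as root with `--host` so the blacklist file is readable; without root the script falls back to the version comparison alone.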