{"id":"CVE-2023-52761","summary":"riscv: VMAP_STACK overflow detection thread-safe","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: VMAP_STACK overflow detection thread-safe\n\ncommit 31da94c25aea (\"riscv: add VMAP_STACK overflow detection\") added\nsupport for CONFIG_VMAP_STACK. If overflow is detected, CPU switches to\n`shadow_stack` temporarily before switching finally to per-cpu\n`overflow_stack`.\n\nIf two CPUs/harts are racing and end up in over flowing kernel stack, one\nor both will end up corrupting each other state because `shadow_stack` is\nnot per-cpu. This patch optimizes per-cpu overflow stack switch by\ndirectly picking per-cpu `overflow_stack` and gets rid of `shadow_stack`.\n\nFollowing are the changes in this patch\n\n - Defines an asm macro to obtain per-cpu symbols in destination\n   register.\n - In entry.S, when overflow is detected, per-cpu overflow stack is\n   located using per-cpu asm macro. Computing per-cpu symbol requires\n   a temporary register. x31 is saved away into CSR_SCRATCH\n   (CSR_SCRATCH is anyways zero since we're in kernel).\n\nPlease see Links for additional relevant disccussion and alternative\nsolution.\n\nTested by `echo EXHAUST_STACK \u003e /sys/kernel/debug/provoke-crash/DIRECT`\nKernel crash log below\n\n Insufficient stack space to handle exception!/debug/provoke-crash/DIRECT\n Task stack:     [0xff20000010a98000..0xff20000010a9c000]\n Overflow stack: [0xff600001f7d98370..0xff600001f7d99370]\n CPU: 1 PID: 205 Comm: bash Not tainted 6.1.0-rc2-00001-g328a1f96f7b9 #34\n Hardware name: riscv-virtio,qemu (DT)\n epc : __memset+0x60/0xfc\n  ra : recursive_loop+0x48/0xc6 [lkdtm]\n epc : ffffffff808de0e4 ra : ffffffff0163a752 sp : ff20000010a97e80\n  gp : ffffffff815c0330 tp : ff600000820ea280 t0 : ff20000010a97e88\n  t1 : 000000000000002e t2 : 3233206874706564 s0 : ff20000010a982b0\n  s1 : 0000000000000012 a0 : ff20000010a97e88 a1 : 0000000000000000\n  a2 : 0000000000000400 a3 : ff20000010a98288 a4 : 0000000000000000\n  a5 : 0000000000000000 a6 : fffffffffffe43f0 a7 : 00007fffffffffff\n  s2 : ff20000010a97e88 s3 : ffffffff01644680 s4 : ff20000010a9be90\n  s5 : ff600000842ba6c0 s6 : 00aaaaaac29e42b0 s7 : 00fffffff0aa3684\n  s8 : 00aaaaaac2978040 s9 : 0000000000000065 s10: 00ffffff8a7cad10\n  s11: 00ffffff8a76a4e0 t3 : ffffffff815dbaf4 t4 : ffffffff815dbaf4\n  t5 : ffffffff815dbab8 t6 : ff20000010a9bb48\n status: 0000000200000120 badaddr: ff20000010a97e88 cause: 000000000000000f\n Kernel panic - not syncing: Kernel stack overflow\n CPU: 1 PID: 205 Comm: bash Not tainted 6.1.0-rc2-00001-g328a1f96f7b9 #34\n Hardware name: riscv-virtio,qemu (DT)\n Call Trace:\n [\u003cffffffff80006754\u003e] dump_backtrace+0x30/0x38\n [\u003cffffffff808de798\u003e] show_stack+0x40/0x4c\n [\u003cffffffff808ea2a8\u003e] dump_stack_lvl+0x44/0x5c\n [\u003cffffffff808ea2d8\u003e] dump_stack+0x18/0x20\n [\u003cffffffff808dec06\u003e] panic+0x126/0x2fe\n [\u003cffffffff800065ea\u003e] walk_stackframe+0x0/0xf0\n [\u003cffffffff0163a752\u003e] recursive_loop+0x48/0xc6 [lkdtm]\n SMP: stopping secondary CPUs\n ---[ end Kernel panic - not syncing: Kernel stack overflow ]---","modified":"2026-05-18T05:56:51.940645039Z","published":"2024-05-21T15:30:47.086Z","database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/52xxx/CVE-2023-52761.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/1493baaf09e3c1899959c8a107cd1207e16d1788"},{"type":"WEB","url":"https://git.kernel.org/stable/c/be97d0db5f44c0674480cb79ac6f5b0529b84c76"},{"type":"WEB","url":"https://git.kernel.org/stable/c/eff53aea3855f71992c043cebb1c00988c17ee20"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/52xxx/CVE-2023-52761.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-52761"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"76d2a0493a17d4c8ecc781366850c3c4f8e1a446"},{"fixed":"1493baaf09e3c1899959c8a107cd1207e16d1788"},{"fixed":"eff53aea3855f71992c043cebb1c00988c17ee20"},{"fixed":"be97d0db5f44c0674480cb79ac6f5b0529b84c76"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-52761.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"4.15.0"},{"fixed":"6.5.13"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.6.0"},{"fixed":"6.6.3"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-52761.json"}}],"schema_version":"1.7.5"}