{"id":"CVE-2023-53135","summary":"riscv: Use READ_ONCE_NOCHECK in imprecise unwinding stack mode","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: Use READ_ONCE_NOCHECK in imprecise unwinding stack mode\n\nWhen CONFIG_FRAME_POINTER is unset, the stack unwinding function\nwalk_stackframe randomly reads the stack and then, when KASAN is enabled,\nit can lead to the following backtrace:\n\n[ 0.000000] ==================================================================\n[ 0.000000] BUG: KASAN: stack-out-of-bounds in walk_stackframe+0xa6/0x11a\n[ 0.000000] Read of size 8 at addr ffffffff81807c40 by task swapper/0\n[ 0.000000]\n[ 0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 6.2.0-12919-g24203e6db61f #43\n[ 0.000000] Hardware name: riscv-virtio,qemu (DT)\n[ 0.000000] Call Trace:\n[ 0.000000] [\u003cffffffff80007ba8\u003e] walk_stackframe+0x0/0x11a\n[ 0.000000] [\u003cffffffff80099ecc\u003e] init_param_lock+0x26/0x2a\n[ 0.000000] [\u003cffffffff80007c4a\u003e] walk_stackframe+0xa2/0x11a\n[ 0.000000] [\u003cffffffff80c49c80\u003e] dump_stack_lvl+0x22/0x36\n[ 0.000000] [\u003cffffffff80c3783e\u003e] print_report+0x198/0x4a8\n[ 0.000000] [\u003cffffffff80099ecc\u003e] init_param_lock+0x26/0x2a\n[ 0.000000] [\u003cffffffff80007c4a\u003e] walk_stackframe+0xa2/0x11a\n[ 0.000000] [\u003cffffffff8015f68a\u003e] kasan_report+0x9a/0xc8\n[ 0.000000] [\u003cffffffff80007c4a\u003e] walk_stackframe+0xa2/0x11a\n[ 0.000000] [\u003cffffffff80007c4a\u003e] walk_stackframe+0xa2/0x11a\n[ 0.000000] [\u003cffffffff8006e99c\u003e] desc_make_final+0x80/0x84\n[ 0.000000] [\u003cffffffff8009a04e\u003e] stack_trace_save+0x88/0xa6\n[ 0.000000] [\u003cffffffff80099fc2\u003e] filter_irq_stacks+0x72/0x76\n[ 0.000000] [\u003cffffffff8006b95e\u003e] devkmsg_read+0x32a/0x32e\n[ 0.000000] [\u003cffffffff8015ec16\u003e] kasan_save_stack+0x28/0x52\n[ 0.000000] [\u003cffffffff8006e998\u003e] desc_make_final+0x7c/0x84\n[ 0.000000] [\u003cffffffff8009a04a\u003e] stack_trace_save+0x84/0xa6\n[ 0.000000] [\u003cffffffff8015ec52\u003e] kasan_set_track+0x12/0x20\n[ 0.000000] [\u003cffffffff8015f22e\u003e] __kasan_slab_alloc+0x58/0x5e\n[ 0.000000] [\u003cffffffff8015e7ea\u003e] __kmem_cache_create+0x21e/0x39a\n[ 0.000000] [\u003cffffffff80e133ac\u003e] create_boot_cache+0x70/0x9c\n[ 0.000000] [\u003cffffffff80e17ab2\u003e] kmem_cache_init+0x6c/0x11e\n[ 0.000000] [\u003cffffffff80e00fd6\u003e] mm_init+0xd8/0xfe\n[ 0.000000] [\u003cffffffff80e011d8\u003e] start_kernel+0x190/0x3ca\n[ 0.000000]\n[ 0.000000] The buggy address belongs to stack of task swapper/0\n[ 0.000000] and is located at offset 0 in frame:\n[ 0.000000] stack_trace_save+0x0/0xa6\n[ 0.000000]\n[ 0.000000] This frame has 1 object:\n[ 0.000000] [32, 56) 'c'\n[ 0.000000]\n[ 0.000000] The buggy address belongs to the physical page:\n[ 0.000000] page:(____ptrval____) refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x81a07\n[ 0.000000] flags: 0x1000(reserved|zone=0)\n[ 0.000000] raw: 0000000000001000 ff600003f1e3d150 ff600003f1e3d150 0000000000000000\n[ 0.000000] raw: 0000000000000000 0000000000000000 00000001ffffffff\n[ 0.000000] page dumped because: kasan: bad access detected\n[ 0.000000]\n[ 0.000000] Memory state around the buggy address:\n[ 0.000000] ffffffff81807b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n[ 0.000000] ffffffff81807b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n[ 0.000000] \u003effffffff81807c00: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 f3\n[ 0.000000] ^\n[ 0.000000] ffffffff81807c80: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00\n[ 0.000000] ffffffff81807d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n[ 0.000000] ==================================================================\n\nFix that by using READ_ONCE_NOCHECK when reading the stack in imprecise\nmode.","modified":"2026-04-11T12:46:41.817557Z","published":"2025-05-02T15:56:08.287Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/53xxx/CVE-2023-53135.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/17fa90ffba20743c946920fbb0afe160d0ead8c9"},{"type":"WEB","url":"https://git.kernel.org/stable/c/324912d6c0c4006711054d389faa2239c1655e1e"},{"type":"WEB","url":"https://git.kernel.org/stable/c/3a9418d2c93c1c86ce4d0595112d91c7a8e70c2c"},{"type":"WEB","url":"https://git.kernel.org/stable/c/3de277af481ab931fab9e295ad8762692920732a"},{"type":"WEB","url":"https://git.kernel.org/stable/c/76950340cf03b149412fe0d5f0810e52ac1df8cb"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a99a61d9e1bfca2fc37d223a6a185c0eb66aba02"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/53xxx/CVE-2023-53135.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-53135"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"5d8544e2d0075a5f3c9a2cf27152354d54360da1"},{"fixed":"a99a61d9e1bfca2fc37d223a6a185c0eb66aba02"},{"fixed":"3de277af481ab931fab9e295ad8762692920732a"},{"fixed":"3a9418d2c93c1c86ce4d0595112d91c7a8e70c2c"},{"fixed":"324912d6c0c4006711054d389faa2239c1655e1e"},{"fixed":"17fa90ffba20743c946920fbb0afe160d0ead8c9"},{"fixed":"76950340cf03b149412fe0d5f0810e52ac1df8cb"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-53135.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"4.15.0"},{"fixed":"5.4.237"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.5.0"},{"fixed":"5.10.175"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.103"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.20"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.2.7"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-53135.json"}}],"schema_version":"1.7.5"}