CVE-2023-53024

EPSS 0.08%
Veröffentlicht 27.03.2025 16:43:49
Zuletzt bearbeitet 28.03.2025 18:11:40
Quelle 416baaa9-dc9f-4396-8d5f-8c081f
CVE-Watchlists
Login
Unerledigt
Login

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix pointer-leak due to insufficient speculative store bypass mitigation

To mitigate Spectre v4, 2039f26f3aca ("bpf: Fix leakage due to
insufficient speculative store bypass mitigation") inserts lfence
instructions after 1) initializing a stack slot and 2) spilling a
pointer to the stack.

However, this does not cover cases where a stack slot is first
initialized with a pointer (subject to sanitization) but then
overwritten with a scalar (not subject to sanitization because
the slot was already initialized). In this case, the second write
may be subject to speculative store bypass (SSB) creating a
speculative pointer-as-scalar type confusion. This allows the
program to subsequently leak the numerical pointer value using,
for example, a branch-based cache side channel.

To fix this, also sanitize scalars if they write a stack slot
that previously contained a pointer. Assuming that pointer-spills
are only generated by LLVM on register-pressure, the performance
impact on most real-world BPF programs should be small.

The following unprivileged BPF bytecode drafts a minimal exploit
and the mitigation:

  [...]
  // r6 = 0 or 1 (skalar, unknown user input)
  // r7 = accessible ptr for side channel
  // r10 = frame pointer (fp), to be leaked
  //
  r9 = r10 # fp alias to encourage ssb
  *(u64 *)(r9 - 8) = r10 // fp[-8] = ptr, to be leaked
  // lfence added here because of pointer spill to stack.
  //
  // Ommitted: Dummy bpf_ringbuf_output() here to train alias predictor
  // for no r9-r10 dependency.
  //
  *(u64 *)(r10 - 8) = r6 // fp[-8] = scalar, overwrites ptr
  // 2039f26f3aca: no lfence added because stack slot was not STACK_INVALID,
  // store may be subject to SSB
  //
  // fix: also add an lfence when the slot contained a ptr
  //
  r8 = *(u64 *)(r9 - 8)
  // r8 = architecturally a scalar, speculatively a ptr
  //
  // leak ptr using branch-based cache side channel:
  r8 &= 1 // choose bit to leak
  if r8 == 0 goto SLOW // no mispredict
  // architecturally dead code if input r6 is 0,
  // only executes speculatively iff ptr bit is 1
  r8 = *(u64 *)(r7 + 0) # encode bit in cache (0: slow, 1: fast)
SLOW:
  [...]

After running this, the program can time the access to *(r7 + 0) to
determine whether the chosen pointer bit was 0 or 1. Repeat this 64
times to recover the whole address on amd64.

In summary, sanitization can only be skipped if one scalar is
overwritten with another scalar. Scalar-confusion due to speculative
store bypass can not lead to invalid accesses because the pointer
bounds deducted during verification are enforced using branchless
logic. See 979d63d50c0c ("bpf: prevent out of bounds speculation on
pointer arithmetic") for details.

Do not make the mitigation depend on !env->allow_{uninit_stack,ptr_leaks}
because speculative leaks are likely unexpected if these were enabled.
For example, leaking the address to a protected log file may be acceptable
while disabling the mitigation might unintentionally leak the address
into the cached-state of a map that is accessible to unprivileged
processes.

Betroffene Produkte Warnungen 0 Metriken 1 CWE 0 Referenzen 9

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

HerstellerLinux

≫

Produkt Linux

Default Statusunaffected

Version < aae109414a57ab4164218f36e2e4a17f027fcaaa

Version 872968502114d68c21419cf7eb5ab97717e7b803

Status affected

Version < 81b3374944d201872cfcf82730a7860f8e7c31dd

Version f5893af2704eb763eb982f01d573f5b19f06b623

Status affected

Version < da75dec7c6617bddad418159ffebcb133f008262

Version 0e9280654aa482088ee6ef3deadef331f5ac5fb0

Status affected

Version < 01bdcc73dbe7be3ad4d4ee9a59b71e42f461a528

Version 2039f26f3aca5b0e419b98f65dd36481337b86ee

Status affected

Version < b0c89ef025562161242a7c19b213bd6b272e93df

Version 2039f26f3aca5b0e419b98f65dd36481337b86ee

Status affected

Version < e4f4db47794c9f474b184ee1418f42e6a07412b6

Version 2039f26f3aca5b0e419b98f65dd36481337b86ee

Status affected

Version 0b27bdf02c400684225ee5ee99970bcbf5082282

Status affected

HerstellerLinux

≫

Produkt Linux

Default Statusaffected

Version 5.14

Status affected

Version < 5.14

Version 0

Status unaffected

Version <= 4.19.*

Version 4.19.272

Status unaffected

Version <= 5.4.*

Version 5.4.231

Status unaffected

Version <= 5.10.*

Version 5.10.166

Status unaffected

Version <= 5.15.*

Version 5.15.91

Status unaffected

Version <= 6.1.*

Version 6.1.9

Status unaffected

Version <= *

Version 6.2

Status unaffected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.08%	0.23

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String

Es wurden noch keine Informationen zu CWE veröffentlicht.

https://git.kernel.org/stable/c/aae109414a57ab4164218f36e2e4a17f027fcaaa

https://git.kernel.org/stable/c/81b3374944d201872cfcf82730a7860f8e7c31dd

https://git.kernel.org/stable/c/da75dec7c6617bddad418159ffebcb133f008262

https://git.kernel.org/stable/c/01bdcc73dbe7be3ad4d4ee9a59b71e42f461a528

https://git.kernel.org/stable/c/b0c89ef025562161242a7c19b213bd6b272e93df

https://git.kernel.org/stable/c/e4f4db47794c9f474b184ee1418f42e6a07412b6

https://nvd.nist.gov/vuln/detail/CVE-2023-53024

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-53024

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-53024

EUVD