ghsa-7m9p-x22p-v2hg
Vulnerability from github
In the Linux kernel, the following vulnerability has been resolved:
riscv: kprobe: Fixup kernel panic when probing an illegal position
The kernel would panic when probed for an illegal position. eg:
(CONFIG_RISCV_ISA_C=n)
echo 'p:hello kernel_clone+0x16 a0=%a0' >> kprobe_events
echo 1 > events/kprobes/hello/enable
cat trace
Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: __do_sys_newfstatat+0xb8/0xb8
CPU: 0 PID: 111 Comm: sh Not tainted 6.2.0-rc1-00027-g2d398fe49a4d #490
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80007268>] dump_backtrace+0x38/0x48
[<ffffffff80c5e83c>] show_stack+0x50/0x68
[<ffffffff80c6da28>] dump_stack_lvl+0x60/0x84
[<ffffffff80c6da6c>] dump_stack+0x20/0x30
[<ffffffff80c5ecf4>] panic+0x160/0x374
[<ffffffff80c6db94>] generic_handle_arch_irq+0x0/0xa8
[<ffffffff802deeb0>] sys_newstat+0x0/0x30
[<ffffffff800158c0>] sys_clone+0x20/0x30
[<ffffffff800039e8>] ret_from_syscall+0x0/0x4
---[ end Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: __do_sys_newfstatat+0xb8/0xb8 ]---
That is because the kprobe's ebreak instruction broke the kernel's original code. The user should guarantee the correction of the probe position, but it couldn't make the kernel panic.
This patch adds arch_check_kprobe in arch_prepare_kprobe to prevent an illegal position (Such as the middle of an instruction).
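The check the patch describes, modelled in user space as an added example. This is not the kernel's arch_check_kprobe and not code from this advisory; the function bodies kernel_clone_rvi and kernel_clone_rvc are constructed stand-ins for a kernel_clone() prologue/epilogue, not the real symbol. The only real-world rule it relies on is the RISC-V instruction-length encoding: a parcel whose low two bits are 0b11 starts a 32-bit instruction, anything else (with the C extension) is a 16-bit compressed instruction. The walk starts at the symbol (addr - offset) and steps one decoded instruction at a time; the probe is legal only if the walk lands exactly on it.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Little-endian byte splatting so the sample bodies below read like objdump. */
#define LE16(x) (uint8_t)((x) & 0xff), (uint8_t)(((x) >> 8) & 0xff)
#define LE32(x) LE16((x) & 0xffff), LE16(((x) >> 16) & 0xffff)

/* Constructed stand-in for a kernel_clone() built with CONFIG_RISCV_ISA_C=n:
 * every instruction is 4 bytes, so kernel_clone+0x16 (22) is mid-instruction. */
static const uint8_t kernel_clone_rvi[] = {
    LE32(0xff010113), /* 0x00 addi sp,sp,-16 */
    LE32(0x00113423), /* 0x04 sd   ra,8(sp)   */
    LE32(0x00813023), /* 0x08 sd   s0,0(sp)   */
    LE32(0x01010413), /* 0x0c addi s0,sp,16   */
    LE32(0x00000013), /* 0x10 nop             */
    LE32(0x00813083), /* 0x14 ld   ra,8(sp)   <- +0x16 lands inside this one */
    LE32(0x00013403), /* 0x18 ld   s0,0(sp)   */
    LE32(0x01010113), /* 0x1c addi sp,sp,16   */
    LE32(0x00008067), /* 0x20 ret             */
};

/* Constructed stand-in for the same function with the C extension enabled:
 * 2- and 4-byte instructions mixed, so 2-byte alignment alone proves nothing. */
static const uint8_t kernel_clone_rvc[] = {
    LE16(0x1141),     /* 0x00 c.addi sp,sp,-16          */
    LE16(0xe406),     /* 0x02 c.sdsp ra,8(sp)           */
    LE16(0xe022),     /* 0x04 c.sdsp s0,0(sp)           */
    LE16(0x0800),     /* 0x06 c.addi4spn s0,sp,16       */
    LE32(0x00000013), /* 0x08 nop (32-bit; 0x0a is inside it) */
    LE16(0x60a2),     /* 0x0c c.ldsp ra,8(sp)           */
    LE16(0x6402),     /* 0x0e c.ldsp s0,0(sp)           */
    LE16(0x0141),     /* 0x10 c.addi sp,sp,16           */
    LE16(0x8082),     /* 0x12 c.jr ra (ret)             */
};

/* RISC-V length rule: low two bits 0b11 => 32-bit encoding, otherwise a 16-bit
 * compressed encoding. Longer (48/64-bit) encodings are not modelled here. */
static size_t insn_length(uint16_t first_parcel)
{
    return (first_parcel & 0x3) == 0x3 ? 4 : 2;
}

/* Walk forward from the symbol start one decoded instruction at a time and
 * accept the probe only if the walk lands exactly on the requested offset.
 * The func_len bound is a model artifact so we never read past the sample
 * buffer; the kernel simply walks until it reaches the probe address. */
static bool kprobe_offset_is_legal(const uint8_t *func, size_t func_len, size_t offset)
{
    size_t pos = 0;

    if (offset >= func_len)
        return false;
    while (pos < offset) {
        uint16_t parcel;

        if (pos + sizeof parcel > func_len)
            return false;
        memcpy(&parcel, func + pos, sizeof parcel);
        pos += insn_length(parcel);
    }
    return pos == offset;
}

/* What the fixed prepare path does with that answer: refuse the probe with
 * -EILSEQ instead of planting ebreak across two instructions. */
static int model_prepare_kprobe(const uint8_t *func, size_t func_len, size_t offset)
{
    return kprobe_offset_is_legal(func, func_len, offset) ? 0 : -EILSEQ;
}

int main(void)
{
    const size_t rvi_probes[] = { 0x14, 0x16, 0x18 };
    const size_t rvc_probes[] = { 0x08, 0x0a, 0x0c };
    size_t i;

    for (i = 0; i < sizeof rvi_probes / sizeof rvi_probes[0]; i++) {
        int rc = model_prepare_kprobe(kernel_clone_rvi, sizeof kernel_clone_rvi, rvi_probes[i]);
        printf("ISA_C=n kernel_clone+0x%zx -> %s\n", rvi_probes[i], rc ? "rejected (-EILSEQ)" : "ok");
    }
    for (i = 0; i < sizeof rvc_probes / sizeof rvc_probes[0]; i++) {
        int rc = model_prepare_kprobe(kernel_clone_rvc, sizeof kernel_clone_rvc, rvc_probes[i]);
        printf("ISA_C=y kernel_clone+0x%zx -> %s\n", rvc_probes[i], rc ? "rejected (-EILSEQ)" : "ok");
    }
    return 0;
}
```

The compressed body is why the check has to walk from the symbol rather than test alignment: +0x0a is 2-byte aligned yet sits inside the 32-bit nop, while +0x0c, also 2-byte aligned, is a real boundary. Without the check, the 4-byte ebreak written at +0x16 in the first body would overwrite the tail of the ld at 0x14 and the head of the ld at 0x18, which is the stack corruption the panic above reports.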
{
  "affected": [],
  "aliases": [
    "CVE-2023-52978"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-27T17:15:44Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: kprobe: Fixup kernel panic when probing an illegal position\n\nThe kernel would panic when probed for an illegal position. eg:\n\n(CONFIG_RISCV_ISA_C=n)\n\necho 'p:hello kernel_clone+0x16 a0=%a0' >> kprobe_events\necho 1 > events/kprobes/hello/enable\ncat trace\n\nKernel panic - not syncing: stack-protector: Kernel stack\nis corrupted in: __do_sys_newfstatat+0xb8/0xb8\nCPU: 0 PID: 111 Comm: sh Not tainted\n6.2.0-rc1-00027-g2d398fe49a4d #490\nHardware name: riscv-virtio,qemu (DT)\nCall Trace:\n[<ffffffff80007268>] dump_backtrace+0x38/0x48\n[<ffffffff80c5e83c>] show_stack+0x50/0x68\n[<ffffffff80c6da28>] dump_stack_lvl+0x60/0x84\n[<ffffffff80c6da6c>] dump_stack+0x20/0x30\n[<ffffffff80c5ecf4>] panic+0x160/0x374\n[<ffffffff80c6db94>] generic_handle_arch_irq+0x0/0xa8\n[<ffffffff802deeb0>] sys_newstat+0x0/0x30\n[<ffffffff800158c0>] sys_clone+0x20/0x30\n[<ffffffff800039e8>] ret_from_syscall+0x0/0x4\n---[ end Kernel panic - not syncing: stack-protector:\nKernel stack is corrupted in: __do_sys_newfstatat+0xb8/0xb8 ]---\n\nThat is because the kprobe's ebreak instruction broke the kernel's\noriginal code. The user should guarantee the correction of the probe\nposition, but it couldn't make the kernel panic.\n\nThis patch adds arch_check_kprobe in arch_prepare_kprobe to prevent an\nillegal position (Such as the middle of an instruction).",
  "id": "GHSA-7m9p-x22p-v2hg",
  "modified": "2025-04-15T15:30:47Z",
  "published": "2025-03-27T18:31:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52978"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/04a73558209554da17f46490ec4faaaf1b2bab68"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/12316538b1d193064109ce1a28fc9bacd43950de"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/87f48c7ccc73afc78630530d9af51f458f58cab8"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}