Bug 2165926 (CVE-2023-0597)

Summary: CVE-2023-0597 kernel: x86/mm: Randomize per-cpu entry area
Product: [Other] Security Response
Reporter: Alex <allarkin>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW ---
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: acaringi, adscvr, airlied, alciregi, arachman, bhu, chwhite, crwood, ddepaula, debarbos, dfreiber, drow, dvlasenk, ezulian, fhrbata, hdegoede, hkrzesin, hpa, jarod, jarodwilson, jburrell, jfaracco, jferlan, jforbes, jglisse, jlelli, joe.lawrence, josef, jshortt, jstancek, jwboyer, jwyatt, kcarcia, kernel-maint, kernel-mgr, lgoncalv, linville, lveyde, lzampier, masami256, mchehab, michal.skrivanek, mperina, nmurray, ptalbert, qzhao, rogbas, rvrbovsk, scweaver, steved, tyberry, vkumar, walters, williams
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: Linux kernel 6.2-rc1
Doc Type: If docs needed, set a value
Doc Text:
A possible unauthorized memory access flaw was found in the Linux kernel cpu_entry_area mapping of x86 CPU data to memory, where a user may guess the location of the exception stack(s) or other important data. This issue could allow a local user to gain access to important data that sits at a predictable location in memory.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2165927, 2165931, 2165932, 2165933, 2165934, 2165935    
Bug Blocks: 2158425    

Description Alex 2023-01-31 13:46:17 UTC
A possible memory leak flaw was found in the Linux kernel.
There is no randomization of the exception stacks happening at all, including boot-time randomization. These exception stacks are mapped into the kernel at the same virtual address every time.
The exception stack(s) are a particularly easy target because their location can be computed based solely on the CPU index and kernel version.
For the CPU-entry-area, the piece of per-cpu data that is mapped into the userspace page-tables for KPTI is not subject to any randomization (irrespective of KASLR settings). The KASLR-style randomization isn't enough, because an attacker could probably discover even the task stacks, at least on x86 systems without KPTI, with something like the prefetch timing side channel that can test for PTE existence (see reference to the prefetch.pdf).
Sure, the system call stack is randomized, but that randomization happens after kernel entry and after pt_regs have been saved. It would be good if at least in the worst-case scenario of an attack against the kernel, an attacker wouldn't know fixed addresses where zeroes / kernel text pointers / other known values are stored.
As a result, a straightforward randomization scheme that avoids duplicates, spreading the existing CPUs over the available space, is suggested (see reference to the patch).

References:
https://gruss.cc/files/prefetch.pdf
https://lore.kernel.org/lkml/Yz%2FmfJ1gjgshF19t@hirez.programming.kicks-ass.net/
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/arch/x86/mm/cpu_entry_area.c?h=v6.2-rc6&id=97e3d26b5e5f371b3ee223d94dd123e6c442ba80
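The fix referenced above replaces the fixed slot-equals-CPU-index placement of each CPU's entry area with a random, duplicate-free slot chosen at boot. The following user-space model is an added illustration, not the kernel's own code: it shows the old identity layout, where the address follows from the CPU index alone, beside the retry-until-distinct randomized assignment, plus the sanity checks a reviewer would want (all areas distinct and inside the map). The base address, region sizes, the `MAX_CPUS` bound and the xorshift PRNG are assumptions standing in for the kernel's constants and its random source.

```c
/*
 * Added example (not kernel code): model of per-CPU entry-area slot
 * randomization with duplicate avoidance, beside the pre-fix identity layout.
 * All constants below are assumptions chosen for illustration.
 */
#include <stdint.h>
#include <stdio.h>

#define PAGE_SZ        4096ULL
#define CEA_BASE       0xfffffe0000000000ULL  /* assumed fixed map base */
#define CEA_MAP_PAGES  (1ULL << 17)           /* pages in the whole region (assumed) */
#define CEA_AREA_PAGES 64ULL                  /* pages per CPU's entry area (assumed) */
#define MAX_CPUS       1024                   /* assumed upper bound for this model */

/* xorshift64: reproducible stand-in for the kernel's random number source. */
static uint64_t rng_state = 0x9E3779B97F4A7C15ULL;

static void rng_seed(uint64_t s) { rng_state = s ? s : 1; }

static uint32_t rng_below(uint32_t n)
{
    rng_state ^= rng_state << 13;
    rng_state ^= rng_state >> 7;
    rng_state ^= rng_state << 17;
    return (uint32_t)(rng_state % n);
}

/* Slot index per CPU, analogous to the per-cpu offset the fix introduces. */
static uint32_t cea_offset[MAX_CPUS];

/* Distinct slots the map can hold, keeping one guard page at the end. */
static uint32_t cea_max_slots(void)
{
    return (uint32_t)((CEA_MAP_PAGES - 1) / CEA_AREA_PAGES);
}

static int cea_check_count(unsigned int nr_cpus)
{
    return (nr_cpus == 0 || nr_cpus > cea_max_slots() || nr_cpus > MAX_CPUS) ? -1 : 0;
}

/* Pre-fix behaviour: slot == CPU index, so the address is predictable. */
static int init_cea_offsets_identity(unsigned int nr_cpus)
{
    if (cea_check_count(nr_cpus)) return -1;
    for (unsigned int i = 0; i < nr_cpus; i++)
        cea_offset[i] = i;
    return 0;
}

/*
 * Post-fix behaviour: draw a random slot per CPU and retry whenever it
 * collides with a slot already given to a lower-numbered CPU. Terminates
 * because nr_cpus never exceeds the number of slots.
 */
static int init_cea_offsets(unsigned int nr_cpus)
{
    uint32_t max_cea = cea_max_slots();
    if (cea_check_count(nr_cpus)) return -1;

    for (unsigned int i = 0; i < nr_cpus; i++) {
        uint32_t cea;
        int dup;
        do {
            cea = rng_below(max_cea);
            dup = 0;
            for (unsigned int j = 0; j < i; j++)
                if (cea_offset[j] == cea) { dup = 1; break; }
        } while (dup);
        cea_offset[i] = cea;
    }
    return 0;
}

/* Virtual address of CPU i's entry area: base + slot * area size. */
static uint64_t cea_addr(unsigned int cpu)
{
    return CEA_BASE + (uint64_t)cea_offset[cpu] * CEA_AREA_PAGES * PAGE_SZ;
}

/* Defender's check: every area lies inside the map and no two overlap. */
static int cea_layout_is_sane(unsigned int nr_cpus)
{
    uint64_t end = CEA_BASE + CEA_MAP_PAGES * PAGE_SZ;
    for (unsigned int i = 0; i < nr_cpus; i++) {
        uint64_t a = cea_addr(i);
        if (a < CEA_BASE || a + CEA_AREA_PAGES * PAGE_SZ > end) return 0;
        for (unsigned int j = 0; j < i; j++)
            if (cea_addr(j) == a) return 0;
    }
    return 1;
}

/* 1 if the layout is still the predictable slot == index mapping. */
static int cea_is_identity_layout(unsigned int nr_cpus)
{
    for (unsigned int i = 0; i < nr_cpus; i++)
        if (cea_offset[i] != i) return 0;
    return 1;
}

int main(void)
{
    rng_seed(42);
    if (init_cea_offsets(8) != 0) return 1;
    for (unsigned int i = 0; i < 8; i++)
        printf("cpu %u -> slot %u -> 0x%llx\n", i, cea_offset[i],
               (unsigned long long)cea_addr(i));
    printf("sane=%d identity=%d\n", cea_layout_is_sane(8), cea_is_identity_layout(8));
    return 0;
}
```

The retry loop is quadratic in the CPU count, which is acceptable once at boot but is the part to watch if the model is reused with a much larger CPU bound; the early count check is what guarantees the loop terminates.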

Comment 1 Alex 2023-01-31 13:46:51 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2165927]

Comment 11 errata-xmlrpc 2023-11-07 08:19:58 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6583 https://access.redhat.com/errata/RHSA-2023:6583

Comment 12 errata-xmlrpc 2023-11-14 15:14:47 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:6901 https://access.redhat.com/errata/RHSA-2023:6901

Comment 13 errata-xmlrpc 2023-11-14 15:20:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:7077 https://access.redhat.com/errata/RHSA-2023:7077

Comment 16 errata-xmlrpc 2024-03-06 12:37:42 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:1188 https://access.redhat.com/errata/RHSA-2024:1188

Comment 21 errata-xmlrpc 2024-11-26 00:47:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:10262 https://access.redhat.com/errata/RHSA-2024:10262

Comment 23 errata-xmlrpc 2024-12-04 00:16:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:10773 https://access.redhat.com/errata/RHSA-2024:10773

Comment 24 errata-xmlrpc 2024-12-04 00:42:48 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:10772 https://access.redhat.com/errata/RHSA-2024:10772