A flaw was found in the Linux kernel that may lead to a kernel memory information leak. The exception stacks are not randomized at all, not even at boot time: they are mapped into the kernel at the same virtual address on every boot. This makes the exception stacks a particularly easy target, because their location can be computed from the CPU index and the kernel version alone. The CPU-entry-area, the piece of per-CPU data that is mapped into the userspace page tables for KPTI, is not subject to any randomization regardless of the KASLR setting. KASLR-style randomization is not sufficient either, because on x86 systems without KPTI an attacker could probably discover even the task stacks with something like the prefetch timing side channel, which can test for the existence of a PTE (see the prefetch.pdf reference). The system call stack is randomized, but that randomization happens only after kernel entry and after pt_regs have been saved. Even in the worst case of an attack against the kernel, an attacker should not know fixed addresses at which zeroes, kernel text pointers, or other known values are stored. As a result, a straightforward randomization scheme that spreads the existing CPUs over the available space while avoiding duplicate slots was proposed (see the patch reference).

References:
https://gruss.cc/files/prefetch.pdf
https://lore.kernel.org/lkml/Yz%2FmfJ1gjgshF19t@hirez.programming.kicks-ass.net/
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/arch/x86/mm/cpu_entry_area.c?h=v6.2-rc6&id=97e3d26b5e5f371b3ee223d94dd123e6c442ba80
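As an added illustration (not the kernel's code and not part of this bug report), the user-space C model below reproduces the duplicate-avoiding per-CPU slot randomization that the referenced patch introduces for the cpu_entry_area, next to the pre-patch fixed mapping in which CPU i always occupies slot i. The geometry constants, CPU count and PRNG are assumptions of the model, not the kernel's real values.

```c
#include <stdbool.h>
#include <stdint.h>

/* Toy geometry, assumed for this model; not the kernel's real constants. */
#define PAGE_SIZE               4096u
#define CPU_ENTRY_AREA_SIZE     (8u * PAGE_SIZE)   /* one per-CPU entry area */
#define CPU_ENTRY_AREA_MAP_SIZE (256u * PAGE_SIZE) /* window for all of them */
#define NR_CPUS                 8u

static unsigned int cea_offset[NR_CPUS]; /* slot index chosen per CPU */

/* Deterministic toy PRNG so the model is reproducible (the kernel draws
 * from its own random source instead). */
static uint32_t xorshift32(uint32_t *s)
{
    uint32_t x = *s;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return *s = x;
}

/* True if one of the first n CPUs already holds slot cea. */
static bool slot_taken(unsigned int cea, unsigned int n)
{
    for (unsigned int j = 0; j < n; j++)
        if (cea_offset[j] == cea) return true;
    return false;
}

/* Pre-patch mapping: CPU i always occupies slot i, so the address of its
 * entry stacks follows from the CPU index alone. */
unsigned int fixed_cea_offset(unsigned int cpu) { return cpu; }

/* Patch-style scheme: draw a random slot for each CPU and redraw whenever
 * it collides with a slot already handed out. Returns the slot count. */
unsigned int init_cea_offsets(uint32_t seed)
{
    unsigned int max_cea = (CPU_ENTRY_AREA_MAP_SIZE - PAGE_SIZE) / CPU_ENTRY_AREA_SIZE;
    uint32_t st = seed ? seed : 1; /* xorshift state must not be zero */
    for (unsigned int i = 0; i < NR_CPUS; i++) {
        unsigned int cea;
        do
            cea = xorshift32(&st) % max_cea;
        while (slot_taken(cea, i));
        cea_offset[i] = cea;
    }
    return max_cea;
}

/* The property the scheme must guarantee: every CPU holds a distinct slot
 * inside the reserved window, so no two CPUs share entry stacks. */
bool cea_offsets_valid(unsigned int max_cea)
{
    for (unsigned int i = 0; i < NR_CPUS; i++)
        if (cea_offset[i] >= max_cea || slot_taken(cea_offset[i], i))
            return false;
    return true;
}
```

With the toy geometry there are 31 usable slots for 8 CPUs; the check fails as soon as the window is too small for distinct placement.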
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 2165927]
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:6583 https://access.redhat.com/errata/RHSA-2023:6583
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:6901 https://access.redhat.com/errata/RHSA-2023:6901
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:7077 https://access.redhat.com/errata/RHSA-2023:7077
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support Via RHSA-2024:1188 https://access.redhat.com/errata/RHSA-2024:1188