CVE-2023-52995

Source
https://nvd.nist.gov/vuln/detail/CVE-2023-52995
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-52995.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-52995
Downstream
Published
2025-03-27T16:43:29Z
Modified
2025-10-21T15:24:56.601654Z
Summary
riscv/kprobe: Fix instruction simulation of JALR
Details

In the Linux kernel, the following vulnerability has been resolved:

riscv/kprobe: Fix instruction simulation of JALR

Setting a kprobe at 'jalr 1140(ra)' in vfs_write results in the following crash:

[ 32.092235] Unable to handle kernel access to user memory without uaccess routines at virtual address 00aaaaaad77b1170
[ 32.093115] Oops [#1]
[ 32.093251] Modules linked in:
[ 32.093626] CPU: 0 PID: 135 Comm: ftracetest Not tainted 6.2.0-rc2-00013-gb0aa5e5df0cb-dirty #16
[ 32.093985] Hardware name: riscv-virtio,qemu (DT)
[ 32.094280] epc : ksys_read+0x88/0xd6
[ 32.094855]  ra : ksys_read+0xc0/0xd6
[ 32.095016] epc : ffffffff801cda80 ra : ffffffff801cdab8 sp : ff20000000d7bdc0
[ 32.095227]  gp : ffffffff80f14000 tp : ff60000080f9cb40 t0 : ffffffff80f13e80
[ 32.095500]  t1 : ffffffff8000c29c t2 : ffffffff800dbc54 s0 : ff20000000d7be60
[ 32.095716]  s1 : 0000000000000000 a0 : ffffffff805a64ae a1 : ffffffff80a83708
[ 32.095921]  a2 : ffffffff80f160a0 a3 : 0000000000000000 a4 : f229b0afdb165300
[ 32.096171]  a5 : f229b0afdb165300 a6 : ffffffff80eeebd0 a7 : 00000000000003ff
[ 32.096411]  s2 : ff6000007ff76800 s3 : fffffffffffffff7 s4 : 00aaaaaad77b1170
[ 32.096638]  s5 : ffffffff80f160a0 s6 : ff6000007ff76800 s7 : 0000000000000030
[ 32.096865]  s8 : 00ffffffc3d97be0 s9 : 0000000000000007 s10: 00aaaaaad77c9410
[ 32.097092]  s11: 0000000000000000 t3 : ffffffff80f13e48 t4 : ffffffff8000c29c
[ 32.097317]  t5 : ffffffff8000c29c t6 : ffffffff800dbc54
[ 32.097505] status: 0000000200000120 badaddr: 00aaaaaad77b1170 cause: 000000000000000d
[ 32.098011] [<ffffffff801cdb72>] ksys_write+0x6c/0xd6
[ 32.098222] [<ffffffff801cdc06>] sys_write+0x2a/0x38
[ 32.098405] [<ffffffff80003c76>] ret_from_syscall+0x0/0x2

Since rs1 and rd might be the same register, as in 'jalr 1140(ra)', the target address must be obtained from rs1 before rd is updated.

[Palmer: Pick Guo's cleanup]
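As an added worked example (not the kernel's simulate_jalr() or pt_regs, and not code from the commit), the following stand-alone C model shows why the update order matters when rd and rs1 are the same register. It encodes a JALR, simulates it with the pre-fix order (write rd with the link address, then read rs1) and with the fixed order (read rs1, then write rd), and compares the resume address. The register-file model, the encoder helper and the probe/ra addresses are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical register-file model (not the kernel's pt_regs). x0 is hard-wired to zero. */
struct regs {
    uint64_t x[32];   /* x0..x31 */
    uint64_t pc;      /* address execution resumes at after the simulated insn */
};

static bool reg_get(const struct regs *r, unsigned idx, uint64_t *val)
{
    if (idx >= 32)
        return false;
    *val = idx ? r->x[idx] : 0;
    return true;
}

static bool reg_set(struct regs *r, unsigned idx, uint64_t val)
{
    if (idx >= 32)
        return false;
    if (idx)                      /* writes to x0 are discarded */
        r->x[idx] = val;
    return true;
}

/* Sign-extend the low `bits` bits of v. */
static int64_t sext(uint32_t v, unsigned bits)
{
    uint32_t m = 1u << (bits - 1);
    return (int64_t)(int32_t)((v ^ m) - m);
}

/* Encode "jalr rd, imm(rs1)": I-type, opcode 0x67, funct3 000. */
static uint32_t enc_jalr(unsigned rd, unsigned rs1, int imm)
{
    return (((uint32_t)imm & 0xfff) << 20) | ((rs1 & 0x1f) << 15) |
           ((rd & 0x1f) << 7) | 0x67;
}

/*
 * Pre-fix ordering: rd receives the link address (addr + 4) before rs1 is read.
 * For "jalr 1140(ra)" (rd == rs1 == ra) the base read back is therefore the
 * link address, so the resume pc lands 1140 bytes past the probed instruction
 * instead of at the intended callee.
 */
static bool simulate_jalr_buggy(uint32_t insn, uint64_t addr, struct regs *r)
{
    uint32_t imm = (insn >> 20) & 0xfff;
    unsigned rd  = (insn >> 7) & 0x1f;
    unsigned rs1 = (insn >> 15) & 0x1f;
    uint64_t base;

    if (!reg_set(r, rd, addr + 4))
        return false;
    if (!reg_get(r, rs1, &base))
        return false;
    r->pc = (base + (uint64_t)sext(imm, 12)) & ~1ULL;
    return true;
}

/* Fixed ordering: read rs1 first, then write the link register. */
static bool simulate_jalr_fixed(uint32_t insn, uint64_t addr, struct regs *r)
{
    uint32_t imm = (insn >> 20) & 0xfff;
    unsigned rd  = (insn >> 7) & 0x1f;
    unsigned rs1 = (insn >> 15) & 0x1f;
    uint64_t base;

    if (!reg_get(r, rs1, &base))
        return false;
    if (!reg_set(r, rd, addr + 4))
        return false;
    r->pc = (base + (uint64_t)sext(imm, 12)) & ~1ULL;
    return true;
}

/* Constructed scenario values, not taken from the oops above. */
#define PROBE_ADDR 0xffffffff80100000ULL   /* address of the probed jalr */
#define RA_BEFORE  0xffffffff80200000ULL   /* ra (callee base) before the jalr */

/* Simulate "jalr 1140(ra)" with one ordering and return the resume pc. */
static uint64_t run_jalr_ra(bool fixed)
{
    struct regs r = { { 0 }, 0 };
    uint32_t insn = enc_jalr(1, 1, 1140);   /* jalr ra, 1140(ra) */
    bool ok;

    r.x[1] = RA_BEFORE;
    ok = fixed ? simulate_jalr_fixed(insn, PROBE_ADDR, &r)
               : simulate_jalr_buggy(insn, PROBE_ADDR, &r);
    return ok ? r.pc : 0;
}

int main(void)
{
    printf("jalr 1140(ra) encodes as 0x%08x\n", enc_jalr(1, 1, 1140));
    printf("buggy order resume pc: 0x%016llx\n", (unsigned long long)run_jalr_ra(false));
    printf("fixed order resume pc: 0x%016llx\n", (unsigned long long)run_jalr_ra(true));
    return 0;
}
```

With the buggy order the resume pc is PROBE_ADDR + 4 + 1140, i.e. somewhere inside the probed function rather than at the callee; in the kernel that stray jump is what ends in the oops quoted above. The fixed order reads rs1 before rd is clobbered, and for rd == x0 (the `ret` pseudo-instruction, `jalr x0, 0(ra)`) the discarded write keeps x0 at zero while the pc still comes from ra.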

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
c22b0bcb1dd024cb9caad9230e3a387d8b061df5
Fixed
614471b7f7cd28a2c96ab9c90b37471c82258ffb
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
c22b0bcb1dd024cb9caad9230e3a387d8b061df5
Fixed
f4c8fc775fcbc9e9047b22671c55ca18f9a127d4
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
c22b0bcb1dd024cb9caad9230e3a387d8b061df5
Fixed
ca0254998be4d74cf6add70ccfab0d2dbd362a10

Affected versions

v5.*

v5.11
v5.11-rc3
v5.11-rc4
v5.11-rc5
v5.11-rc6
v5.11-rc7
v5.12
v5.12-rc1
v5.12-rc1-dontuse
v5.12-rc2
v5.12-rc3
v5.12-rc4
v5.12-rc5
v5.12-rc6
v5.12-rc7
v5.12-rc8
v5.13
v5.13-rc1
v5.13-rc2
v5.13-rc3
v5.13-rc4
v5.13-rc5
v5.13-rc6
v5.13-rc7
v5.14
v5.14-rc1
v5.14-rc2
v5.14-rc3
v5.14-rc4
v5.14-rc5
v5.14-rc6
v5.14-rc7
v5.15
v5.15-rc1
v5.15-rc2
v5.15-rc3
v5.15-rc4
v5.15-rc5
v5.15-rc6
v5.15-rc7
v5.15.1
v5.15.10
v5.15.11
v5.15.12
v5.15.13
v5.15.14
v5.15.15
v5.15.16
v5.15.17
v5.15.18
v5.15.19
v5.15.2
v5.15.20
v5.15.21
v5.15.22
v5.15.23
v5.15.24
v5.15.25
v5.15.26
v5.15.27
v5.15.28
v5.15.29
v5.15.3
v5.15.30
v5.15.31
v5.15.32
v5.15.33
v5.15.34
v5.15.35
v5.15.36
v5.15.37
v5.15.38
v5.15.39
v5.15.4
v5.15.40
v5.15.41
v5.15.42
v5.15.43
v5.15.44
v5.15.45
v5.15.46
v5.15.47
v5.15.48
v5.15.49
v5.15.5
v5.15.50
v5.15.51
v5.15.52
v5.15.53
v5.15.54
v5.15.55
v5.15.56
v5.15.57
v5.15.58
v5.15.59
v5.15.6
v5.15.60
v5.15.61
v5.15.62
v5.15.63
v5.15.64
v5.15.65
v5.15.66
v5.15.67
v5.15.68
v5.15.69
v5.15.7
v5.15.70
v5.15.71
v5.15.72
v5.15.73
v5.15.74
v5.15.75
v5.15.76
v5.15.77
v5.15.78
v5.15.79
v5.15.8
v5.15.80
v5.15.81
v5.15.82
v5.15.83
v5.15.84
v5.15.85
v5.15.86
v5.15.87
v5.15.88
v5.15.89
v5.15.9
v5.15.90
v5.16
v5.16-rc1
v5.16-rc2
v5.16-rc3
v5.16-rc4
v5.16-rc5
v5.16-rc6
v5.16-rc7
v5.16-rc8
v5.17
v5.17-rc1
v5.17-rc2
v5.17-rc3
v5.17-rc4
v5.17-rc5
v5.17-rc6
v5.17-rc7
v5.17-rc8
v5.18
v5.18-rc1
v5.18-rc2
v5.18-rc3
v5.18-rc4
v5.18-rc5
v5.18-rc6
v5.18-rc7
v5.19
v5.19-rc1
v5.19-rc2
v5.19-rc3
v5.19-rc4
v5.19-rc5
v5.19-rc6
v5.19-rc7
v5.19-rc8

v6.*

v6.0
v6.0-rc1
v6.0-rc2
v6.0-rc3
v6.0-rc4
v6.0-rc5
v6.0-rc6
v6.0-rc7
v6.1
v6.1-rc1
v6.1-rc2
v6.1-rc3
v6.1-rc4
v6.1-rc5
v6.1-rc6
v6.1-rc7
v6.1-rc8
v6.1.1
v6.1.2
v6.1.3
v6.1.4
v6.1.5
v6.1.6
v6.1.7
v6.1.8
v6.2-rc1

Database specific

vanir_signatures

[
    {
        "id": "CVE-2023-52995-55c786cc",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f4c8fc775fcbc9e9047b22671c55ca18f9a127d4",
        "signature_version": "v1",
        "digest": {
            "line_hashes": [
                "282453320608616757305070567951245321826",
                "115802699310807269443489172611622809682",
                "220627165098736249981609842974371938607",
                "337005953211406819899165431464117609767",
                "12901060933892223295540604845612415989",
                "217350857748806439150723219687564178682",
                "193386925899155295112650477563915631118"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "signature_type": "Line",
        "target": {
            "file": "arch/riscv/kernel/probes/simulate-insn.c"
        }
    },
    {
        "id": "CVE-2023-52995-6b8c864b",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@614471b7f7cd28a2c96ab9c90b37471c82258ffb",
        "signature_version": "v1",
        "digest": {
            "length": 432.0,
            "function_hash": "151144359884027161065765147756135253800"
        },
        "deprecated": false,
        "signature_type": "Function",
        "target": {
            "function": "simulate_jalr",
            "file": "arch/riscv/kernel/probes/simulate-insn.c"
        }
    },
    {
        "id": "CVE-2023-52995-807b3e47",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@ca0254998be4d74cf6add70ccfab0d2dbd362a10",
        "signature_version": "v1",
        "digest": {
            "line_hashes": [
                "282453320608616757305070567951245321826",
                "115802699310807269443489172611622809682",
                "220627165098736249981609842974371938607",
                "337005953211406819899165431464117609767",
                "12901060933892223295540604845612415989",
                "217350857748806439150723219687564178682",
                "193386925899155295112650477563915631118"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "signature_type": "Line",
        "target": {
            "file": "arch/riscv/kernel/probes/simulate-insn.c"
        }
    },
    {
        "id": "CVE-2023-52995-bff9e0d2",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@ca0254998be4d74cf6add70ccfab0d2dbd362a10",
        "signature_version": "v1",
        "digest": {
            "length": 432.0,
            "function_hash": "151144359884027161065765147756135253800"
        },
        "deprecated": false,
        "signature_type": "Function",
        "target": {
            "function": "simulate_jalr",
            "file": "arch/riscv/kernel/probes/simulate-insn.c"
        }
    },
    {
        "id": "CVE-2023-52995-c64fcf81",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@614471b7f7cd28a2c96ab9c90b37471c82258ffb",
        "signature_version": "v1",
        "digest": {
            "line_hashes": [
                "282453320608616757305070567951245321826",
                "115802699310807269443489172611622809682",
                "220627165098736249981609842974371938607",
                "337005953211406819899165431464117609767",
                "12901060933892223295540604845612415989",
                "217350857748806439150723219687564178682",
                "193386925899155295112650477563915631118"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "signature_type": "Line",
        "target": {
            "file": "arch/riscv/kernel/probes/simulate-insn.c"
        }
    },
    {
        "id": "CVE-2023-52995-f77251b4",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f4c8fc775fcbc9e9047b22671c55ca18f9a127d4",
        "signature_version": "v1",
        "digest": {
            "length": 432.0,
            "function_hash": "151144359884027161065765147756135253800"
        },
        "deprecated": false,
        "signature_type": "Function",
        "target": {
            "function": "simulate_jalr",
            "file": "arch/riscv/kernel/probes/simulate-insn.c"
        }
    }
]

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.12.0
Fixed
5.15.91
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.9