CVE-2023-53135

In the Linux kernel, the following vulnerability has been resolved:

riscv: Use READONCENOCHECK in imprecise unwinding stack mode

When CONFIGFRAMEPOINTER is unset, the stack unwinding function walk_stackframe randomly reads the stack and then, when KASAN is enabled, it can lead to the following backtrace:

[ 0.000000] ================================================================== [ 0.000000] BUG: KASAN: stack-out-of-bounds in walkstackframe+0xa6/0x11a [ 0.000000] Read of size 8 at addr ffffffff81807c40 by task swapper/0 [ 0.000000] [ 0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 6.2.0-12919-g24203e6db61f #43 [ 0.000000] Hardware name: riscv-virtio,qemu (DT) [ 0.000000] Call Trace: [ 0.000000] [<ffffffff80007ba8>] walkstackframe+0x0/0x11a [ 0.000000] [<ffffffff80099ecc>] initparamlock+0x26/0x2a [ 0.000000] [<ffffffff80007c4a>] walkstackframe+0xa2/0x11a [ 0.000000] [<ffffffff80c49c80>] dumpstacklvl+0x22/0x36 [ 0.000000] [<ffffffff80c3783e>] printreport+0x198/0x4a8 [ 0.000000] [<ffffffff80099ecc>] initparamlock+0x26/0x2a [ 0.000000] [<ffffffff80007c4a>] walkstackframe+0xa2/0x11a [ 0.000000] [<ffffffff8015f68a>] kasanreport+0x9a/0xc8 [ 0.000000] [<ffffffff80007c4a>] walkstackframe+0xa2/0x11a [ 0.000000] [<ffffffff80007c4a>] walkstackframe+0xa2/0x11a [ 0.000000] [<ffffffff8006e99c>] descmakefinal+0x80/0x84 [ 0.000000] [<ffffffff8009a04e>] stacktracesave+0x88/0xa6 [ 0.000000] [<ffffffff80099fc2>] filterirqstacks+0x72/0x76 [ 0.000000] [<ffffffff8006b95e>] devkmsgread+0x32a/0x32e [ 0.000000] [<ffffffff8015ec16>] kasansavestack+0x28/0x52 [ 0.000000] [<ffffffff8006e998>] descmakefinal+0x7c/0x84 [ 0.000000] [<ffffffff8009a04a>] stacktracesave+0x84/0xa6 [ 0.000000] [<ffffffff8015ec52>] kasanset_track+0x12/0x20 [ 0.000000] [<ffffffff8015f22e>] __kasanslaballoc+0x58/0x5e [ 0.000000] [<ffffffff8015e7ea>] __kmemcachecreate+0x21e/0x39a [ 0.000000] [<ffffffff80e133ac>] createbootcache+0x70/0x9c [ 0.000000] [<ffffffff80e17ab2>] kmemcacheinit+0x6c/0x11e [ 0.000000] [<ffffffff80e00fd6>] mminit+0xd8/0xfe [ 0.000000] [<ffffffff80e011d8>] startkernel+0x190/0x3ca [ 0.000000] [ 0.000000] The buggy address belongs to stack of task swapper/0 [ 0.000000] and is located at offset 0 in frame: [ 0.000000] stacktracesave+0x0/0xa6 [ 0.000000] [ 0.000000] This frame has 1 object: [ 0.000000] [32, 56) 'c' [ 0.000000] [ 0.000000] The buggy address belongs to the physical page: [ 0.000000] page:(ptrval) refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x81a07 [ 0.000000] flags: 0x1000(reserved|zone=0) [ 0.000000] raw: 0000000000001000 ff600003f1e3d150 ff600003f1e3d150 0000000000000000 [ 0.000000] raw: 0000000000000000 0000000000000000 00000001ffffffff [ 0.000000] page dumped because: kasan: bad access detected [ 0.000000] [ 0.000000] Memory state around the buggy address: [ 0.000000] ffffffff81807b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 0.000000] ffffffff81807b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 0.000000] >ffffffff81807c00: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 f3 [ 0.000000] ^ [ 0.000000] ffffffff81807c80: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 [ 0.000000] ffffffff81807d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 0.000000] ==================================================================

Fix that by using READONCENOCHECK when reading the stack in imprecise mode.