In the Linux kernel, the following vulnerability has been resolved:

riscv: Use READ_ONCE_NOCHECK in imprecise unwinding stack mode

When CONFIG_FRAME_POINTER is unset, the stack unwinding function walk_stackframe randomly reads the stack and then, when KASAN is enabled, it can lead to the following backtrace:

[ 0.000000] ==================================================================
[ 0.000000] BUG: KASAN: stack-out-of-bounds in walk_stackframe+0xa6/0x11a
[ 0.000000] Read of size 8 at addr ffffffff81807c40 by task swapper/0
[ 0.000000]
[ 0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 6.2.0-12919-g24203e6db61f #43
[ 0.000000] Hardware name: riscv-virtio,qemu (DT)
[ 0.000000] Call Trace:
[ 0.000000] [<ffffffff80007ba8>] walk_stackframe+0x0/0x11a
[ 0.000000] [<ffffffff80099ecc>] init_param_lock+0x26/0x2a
[ 0.000000] [<ffffffff80007c4a>] walk_stackframe+0xa2/0x11a
[ 0.000000] [<ffffffff80c49c80>] dump_stack_lvl+0x22/0x36
[ 0.000000] [<ffffffff80c3783e>] print_report+0x198/0x4a8
[ 0.000000] [<ffffffff80099ecc>] init_param_lock+0x26/0x2a
[ 0.000000] [<ffffffff80007c4a>] walk_stackframe+0xa2/0x11a
[ 0.000000] [<ffffffff8015f68a>] kasan_report+0x9a/0xc8
[ 0.000000] [<ffffffff80007c4a>] walk_stackframe+0xa2/0x11a
[ 0.000000] [<ffffffff80007c4a>] walk_stackframe+0xa2/0x11a
[ 0.000000] [<ffffffff8006e99c>] desc_make_final+0x80/0x84
[ 0.000000] [<ffffffff8009a04e>] stack_trace_save+0x88/0xa6
[ 0.000000] [<ffffffff80099fc2>] filter_irq_stacks+0x72/0x76
[ 0.000000] [<ffffffff8006b95e>] devkmsg_read+0x32a/0x32e
[ 0.000000] [<ffffffff8015ec16>] kasan_save_stack+0x28/0x52
[ 0.000000] [<ffffffff8006e998>] desc_make_final+0x7c/0x84
[ 0.000000] [<ffffffff8009a04a>] stack_trace_save+0x84/0xa6
[ 0.000000] [<ffffffff8015ec52>] kasan_set_track+0x12/0x20
[ 0.000000] [<ffffffff8015f22e>] kasan_slab_alloc+0x58/0x5e
[ 0.000000] [<ffffffff8015e7ea>] __kmem_cache_create+0x21e/0x39a
[ 0.000000] [<ffffffff80e133ac>] create_boot_cache+0x70/0x9c
[ 0.000000] [<ffffffff80e17ab2>] kmem_cache_init+0x6c/0x11e
[ 0.000000] [<ffffffff80e00fd6>] mm_init+0xd8/0xfe
[ 0.000000] [<ffffffff80e011d8>] start_kernel+0x190/0x3ca
[ 0.000000]
[ 0.000000] The buggy address belongs to stack of task swapper/0
[ 0.000000] and is located at offset 0 in frame:
[ 0.000000] stack_trace_save+0x0/0xa6
[ 0.000000]
[ 0.000000] This frame has 1 object:
[ 0.000000] [32, 56) 'c'
[ 0.000000]
[ 0.000000] The buggy address belongs to the physical page:
[ 0.000000] page:(____ptrval____) refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x81a07
[ 0.000000] flags: 0x1000(reserved|zone=0)
[ 0.000000] raw: 0000000000001000 ff600003f1e3d150 ff600003f1e3d150 0000000000000000
[ 0.000000] raw: 0000000000000000 0000000000000000 00000001ffffffff
[ 0.000000] page dumped because: kasan: bad access detected
[ 0.000000]
[ 0.000000] Memory state around the buggy address:
[ 0.000000] ffffffff81807b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 0.000000] ffffffff81807b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 0.000000] >ffffffff81807c00: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 f3
[ 0.000000] ^
[ 0.000000] ffffffff81807c80: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
[ 0.000000] ffffffff81807d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 0.000000] ==================================================================

Fix that by using READ_ONCE_NOCHECK when reading the stack in imprecise mode.