CVE-2023-53024

EUVD-2023-59696

27.03.2025, 17:15

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix pointer-leak due to insufficient speculative store bypass mitigation

To mitigate Spectre v4, 2039f26f3aca ("bpf: Fix leakage due to
insufficient speculative store bypass mitigation") inserts lfence
instructions after 1) initializing a stack slot and 2) spilling a
pointer to the stack.

However, this does not cover cases where a stack slot is first
initialized with a pointer (subject to sanitization) but then
overwritten with a scalar (not subject to sanitization because
the slot was already initialized). In this case, the second write
may be subject to speculative store bypass (SSB) creating a
speculative pointer-as-scalar type confusion. This allows the
program to subsequently leak the numerical pointer value using,
for example, a branch-based cache side channel.

To fix this, also sanitize scalars if they write a stack slot
that previously contained a pointer. Assuming that pointer-spills
are only generated by LLVM on register-pressure, the performance
impact on most real-world BPF programs should be small.

The following unprivileged BPF bytecode drafts a minimal exploit
and the mitigation:

  [...]
  // r6 = 0 or 1 (skalar, unknown user input)
  // r7 = accessible ptr for side channel
  // r10 = frame pointer (fp), to be leaked
  //
  r9 = r10 # fp alias to encourage ssb
  *(u64 *)(r9 - 8) = r10 // fp[-8] = ptr, to be leaked
  // lfence added here because of pointer spill to stack.
  //
  // Ommitted: Dummy bpf_ringbuf_output() here to train alias predictor
  // for no r9-r10 dependency.
  //
  *(u64 *)(r10 - 8) = r6 // fp[-8] = scalar, overwrites ptr
  // 2039f26f3aca: no lfence added because stack slot was not STACK_INVALID,
  // store may be subject to SSB
  //
  // fix: also add an lfence when the slot contained a ptr
  //
  r8 = *(u64 *)(r9 - 8)
  // r8 = architecturally a scalar, speculatively a ptr
  //
  // leak ptr using branch-based cache side channel:
  r8 &= 1 // choose bit to leak
  if r8 == 0 goto SLOW // no mispredict
  // architecturally dead code if input r6 is 0,
  // only executes speculatively iff ptr bit is 1
  r8 = *(u64 *)(r7 + 0) # encode bit in cache (0: slow, 1: fast)
SLOW:
  [...]

After running this, the program can time the access to *(r7 + 0) to
determine whether the chosen pointer bit was 0 or 1. Repeat this 64
times to recover the whole address on amd64.

In summary, sanitization can only be skipped if one scalar is
overwritten with another scalar. Scalar-confusion due to speculative
store bypass can not lead to invalid accesses because the pointer
bounds deducted during verification are enforced using branchless
logic. See 979d63d50c0c ("bpf: prevent out of bounds speculation on
pointer arithmetic") for details.

Do not make the mitigation depend on !env->allow_{uninit_stack,ptr_leaks}
because speculative leaks are likely unexpected if these were enabled.
For example, leaking the address to a protected log file may be acceptable
while disabling the mitigation might unintentionally leak the address
into the cached-state of a map that is accessible to unprivileged
processes.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.1 HIGH	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 8%

Affected Products (NVD)

Vendor	Product	Version
linux	linux_kernel	4.19.207 ≤ 𝑥 < 4.19.272
linux	linux_kernel	5.4.146 ≤ 𝑥 < 5.4.231
linux	linux_kernel	5.10.56 ≤ 𝑥 < 5.10.166
linux	linux_kernel	5.13.8 ≤ 𝑥 < 5.14
linux	linux_kernel	5.14.1 ≤ 𝑥 < 5.15.91
linux	linux_kernel	5.16 ≤ 𝑥 < 6.1.9
linux	linux_kernel	5.14
linux	linux_kernel	5.14:rc4
linux	linux_kernel	5.14:rc5
linux	linux_kernel	5.14:rc6
linux	linux_kernel	5.14:rc7
linux	linux_kernel	6.2:rc1
linux	linux_kernel	6.2:rc2
linux	linux_kernel	6.2:rc3
linux	linux_kernel	6.2:rc4

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

linux

bookworm	6.1.129-1 fixed
bookworm (security)	6.1.128-1 fixed
bullseye	5.10.223-1 fixed
bullseye (security)	5.10.234-1 fixed
sid	6.12.20-1 fixed
trixie	6.12.19-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

linux

bionic	needs-triage
focal	needs-triage
jammy	needs-triage
noble	needs-triage
oracular	needs-triage
trusty	needs-triage
xenial	needs-triage

linux-allwinner-5.19

focal	dne
jammy	ignored
noble	dne
oracular	dne

linux-aws

bionic	needs-triage
focal	needs-triage
jammy	needs-triage
noble	needs-triage
oracular	needs-triage
trusty	needs-triage
xenial	needs-triage

linux-aws-5.0

bionic	ignored
focal	dne
jammy	dne
noble	dne
oracular	dne

linux-aws-5.11

focal	ignored
jammy	dne
noble	dne
oracular	dne

linux-aws-5.13

focal	ignored
jammy	dne
noble	dne
oracular	dne

linux-aws-5.15

focal	needs-triage
jammy	dne
noble	dne
oracular	dne

linux-aws-5.19

focal	dne
jammy	ignored
noble	dne
oracular	dne

linux-aws-5.3

bionic	ignored
focal	dne
jammy	dne
noble	dne
oracular	dne

linux-aws-5.4

bionic	needs-triage
focal	dne
jammy	dne
noble	dne
oracular	dne

linux-aws-5.8

focal	ignored
jammy	dne
noble	dne
oracular	dne

linux-aws-6.2

focal	dne
jammy	ignored
noble	dne
oracular	dne

linux-aws-6.5

focal	dne
jammy	ignored
noble	dne
oracular	dne

linux-aws-6.8

focal	dne
jammy	needs-triage
noble	dne
oracular	dne

linux-aws-fips

bionic	needs-triage
focal	needs-triage
jammy	needs-triage
noble	dne
oracular	dne

linux-aws-hwe

focal	dne
jammy	dne
noble	dne
oracular	dne
xenial	needs-triage

linux-azure

bionic	ignored
focal	needs-triage
jammy	needs-triage
noble	needs-triage
oracular	needs-triage
trusty	needs-triage
xenial	needs-triage

linux-azure-4.15

bionic	needs-triage
focal	dne
jammy	dne
noble	dne
oracular	dne

linux-azure-5.11

focal	ignored
jammy	dne
noble	dne
oracular	dne

linux-azure-5.13

focal	ignored
jammy	dne
noble	dne
oracular	dne

linux-azure-5.15

focal	needs-triage
jammy	dne
noble	dne
oracular	dne

linux-azure-5.19

focal	dne
jammy	ignored
noble	dne
oracular	dne

linux-azure-5.3

bionic	ignored
focal	dne
jammy	dne
noble	dne
oracular	dne

linux-azure-5.4

bionic	needs-triage
focal	dne
jammy	dne
noble	dne
oracular	dne

linux-azure-5.8

focal	ignored
jammy	dne
noble	dne
oracular	dne

linux-azure-6.2

focal	dne
jammy	ignored
noble	dne
oracular	dne

linux-azure-6.5

focal	dne
jammy	ignored
noble	dne
oracular	dne

linux-azure-6.8

focal	dne
jammy	needs-triage
noble	dne
oracular	dne

linux-azure-edge

bionic	ignored
focal	dne
jammy	dne
noble	dne
oracular	dne

linux-azure-fde

focal	ignored
jammy	needs-triage
noble	dne
oracular	dne

linux-azure-fde-5.15

focal	needs-triage
jammy	dne
noble	dne
oracular	dne

linux-azure-fde-5.19

focal	dne
jammy	ignored
noble	dne
oracular	dne

linux-azure-fde-6.2

focal	dne
jammy	ignored
noble	dne
oracular	dne

linux-azure-fips

bionic	needs-triage
focal	needs-triage
jammy	needs-triage
noble	dne
oracular	dne

linux-bluefield

focal	needs-triage
jammy	dne
noble	dne
oracular	dne

linux-fips

bionic	needs-triage
focal	needs-triage
jammy	needs-triage
noble	dne
oracular	dne
xenial	needs-triage

linux-gcp

bionic	ignored
focal	needs-triage
jammy	needs-triage
noble	needs-triage
oracular	needs-triage
xenial	needs-triage

linux-gcp-4.15

bionic	needs-triage
focal	dne
jammy	dne
noble	dne
oracular	dne

linux-gcp-5.11

focal	ignored
jammy	dne
noble	dne
oracular	dne

linux-gcp-5.13

focal	ignored
jammy	dne
noble	dne
oracular	dne

linux-gcp-5.15

focal	needs-triage
jammy	dne
noble	dne
oracular	dne

linux-gcp-5.19

focal	dne
jammy	ignored
noble	dne
oracular	dne

linux-gcp-5.3

bionic	ignored
focal	dne
jammy	dne
noble	dne
oracular	dne

linux-gcp-5.4

bionic	needs-triage
focal	dne
jammy	dne
noble	dne
oracular	dne

linux-gcp-5.8

focal	ignored
jammy	dne
noble	dne
oracular	dne

linux-gcp-6.2

focal	dne
jammy	ignored
noble	dne
oracular	dne

linux-gcp-6.5

focal	dne
jammy	ignored
noble	dne
oracular	dne

linux-gcp-6.8

focal	dne
jammy	needs-triage
noble	dne
oracular	dne

linux-gcp-fips

bionic	needs-triage
focal	needs-triage
jammy	needs-triage
noble	dne
oracular	dne

linux-gke

focal	ignored
jammy	needs-triage
noble	needs-triage
oracular	dne

linux-gke-4.15

bionic	ignored
focal	dne
jammy	dne
noble	dne
oracular	dne

linux-gke-5.15

focal	ignored
jammy	dne
noble	dne
oracular	dne

linux-gke-5.4

bionic	ignored
focal	dne
jammy	dne
noble	dne
oracular	dne

linux-gkeop

focal	ignored
jammy	needs-triage
noble	needs-triage
oracular	dne

linux-gkeop-5.15

focal	ignored
jammy	dne
noble	dne
oracular	dne

linux-gkeop-5.4

bionic	ignored
focal	dne
jammy	dne
noble	dne
oracular	dne

linux-hwe

bionic	ignored
focal	dne
jammy	dne
noble	dne
oracular	dne
xenial	needs-triage

linux-hwe-5.11

focal	ignored
jammy	dne
noble	dne
oracular	dne

linux-hwe-5.13

focal	ignored
jammy	dne
noble	dne
oracular	dne

linux-hwe-5.15

focal	needs-triage
jammy	dne
noble	dne
oracular	dne

linux-hwe-5.19

focal	dne
jammy	ignored
noble	dne
oracular	dne

linux-hwe-5.4

bionic	needs-triage
focal	dne
jammy	dne
noble	dne
oracular	dne

linux-hwe-5.8

focal	ignored
jammy	dne
noble	dne
oracular	dne

linux-hwe-6.11

focal	dne
jammy	dne
noble	needs-triage
oracular	dne

linux-hwe-6.2

focal	dne
jammy	ignored
noble	dne
oracular	dne

linux-hwe-6.5

focal	dne
jammy	ignored
noble	dne
oracular	dne

linux-hwe-6.8

focal	dne
jammy	needs-triage
noble	dne
oracular	dne

linux-hwe-edge

bionic	ignored
focal	dne
jammy	dne
noble	dne
oracular	dne
xenial	ignored

linux-ibm

focal	needs-triage
jammy	needs-triage
noble	needs-triage
oracular	dne

linux-ibm-5.15

focal	needs-triage
jammy	dne
noble	dne
oracular	dne

linux-ibm-5.4

bionic	needs-triage
focal	dne
jammy	dne
noble	dne
oracular	dne

linux-intel-5.13

focal	ignored
jammy	dne
noble	dne
oracular	dne

linux-intel-iot-realtime

focal	dne
jammy	needs-triage
noble	dne
oracular	dne

linux-intel-iotg

focal	dne
jammy	needs-triage
noble	dne
oracular	dne

linux-intel-iotg-5.15

focal	needs-triage
jammy	dne
noble	dne
oracular	dne

linux-iot

focal	needs-triage
jammy	dne
noble	dne
oracular	dne

linux-kvm

bionic	needs-triage
focal	needs-triage
jammy	needs-triage
noble	dne
oracular	dne
xenial	needs-triage

linux-lowlatency

focal	dne
jammy	needs-triage
noble	needs-triage
oracular	needs-triage

linux-lowlatency-hwe-5.15

focal	needs-triage
jammy	dne
noble	dne
oracular	dne

linux-lowlatency-hwe-5.19

focal	dne
jammy	ignored
noble	dne
oracular	dne

linux-lowlatency-hwe-6.11

focal	dne
jammy	dne
noble	needs-triage
oracular	dne

linux-lowlatency-hwe-6.2

focal	dne
jammy	ignored
noble	dne
oracular	dne

linux-lowlatency-hwe-6.5

focal	dne
jammy	ignored
noble	dne
oracular	dne

linux-lowlatency-hwe-6.8

focal	dne
jammy	needs-triage
noble	dne
oracular	dne

linux-lts-xenial

focal	dne
jammy	dne
noble	dne
oracular	dne
trusty	needs-triage

linux-nvidia

focal	dne
jammy	needs-triage
noble	needs-triage
oracular	dne

linux-nvidia-6.2

focal	dne
jammy	ignored
noble	dne
oracular	dne

linux-nvidia-6.5

focal	dne
jammy	ignored
noble	dne
oracular	dne

linux-nvidia-6.8

focal	dne
jammy	needs-triage
noble	dne
oracular	dne

linux-nvidia-lowlatency

focal	dne
jammy	dne
noble	needs-triage
oracular	dne

linux-nvidia-tegra

focal	dne
jammy	needs-triage
noble	needs-triage
oracular	dne

linux-nvidia-tegra-igx

focal	dne
jammy	needs-triage
noble	dne
oracular	dne

linux-oem

bionic	ignored
focal	dne
jammy	dne
noble	dne
oracular	dne

linux-oem-5.10

focal	ignored
jammy	dne
noble	dne
oracular	dne

linux-oem-5.13

focal	ignored
jammy	dne
noble	dne
oracular	dne

linux-oem-5.14

focal	ignored
jammy	dne
noble	dne
oracular	dne

linux-oem-5.17

focal	dne
jammy	ignored
noble	dne
oracular	dne

linux-oem-5.6

focal	ignored
jammy	dne
noble	dne
oracular	dne

linux-oem-6.0

focal	dne
jammy	ignored
noble	dne
oracular	dne

linux-oem-6.1

focal	dne
jammy	ignored
noble	dne
oracular	dne

linux-oem-6.11

focal	dne
jammy	dne
noble	needs-triage
oracular	dne

linux-oem-6.5

focal	dne
jammy	ignored
noble	dne
oracular	dne

linux-oem-6.8

focal	dne
jammy	dne
noble	needs-triage
oracular	dne

linux-oracle

bionic	needs-triage
focal	needs-triage
jammy	needs-triage
noble	needs-triage
oracular	needs-triage
xenial	needs-triage

linux-oracle-5.0

bionic	ignored
focal	dne
jammy	dne
noble	dne
oracular	dne

linux-oracle-5.11

focal	ignored
jammy	dne
noble	dne
oracular	dne

linux-oracle-5.13

focal	ignored
jammy	dne
noble	dne
oracular	dne

linux-oracle-5.15

focal	needs-triage
jammy	dne
noble	dne
oracular	dne

linux-oracle-5.3

bionic	ignored
focal	dne
jammy	dne
noble	dne
oracular	dne

linux-oracle-5.4

bionic	needs-triage
focal	dne
jammy	dne
noble	dne
oracular	dne

linux-oracle-5.8

focal	ignored
jammy	dne
noble	dne
oracular	dne

linux-oracle-6.5

focal	dne
jammy	ignored
noble	dne
oracular	dne

linux-oracle-6.8

focal	dne
jammy	needs-triage
noble	dne
oracular	dne

linux-raspi

focal	needs-triage
jammy	needs-triage
noble	needs-triage
oracular	needs-triage

linux-raspi-5.4

bionic	needs-triage
focal	dne
jammy	dne
noble	dne
oracular	dne

linux-raspi-realtime

focal	dne
jammy	dne
noble	needs-triage
oracular	dne

linux-raspi2

focal	ignored
jammy	dne
noble	dne
oracular	dne

linux-realtime

focal	dne
jammy	needs-triage
noble	needs-triage
oracular	needs-triage

linux-riscv

focal	ignored
jammy	ignored
noble	needs-triage
oracular	needs-triage

linux-riscv-5.11

focal	ignored
jammy	dne
noble	dne
oracular	dne

linux-riscv-5.15

focal	needs-triage
jammy	dne
noble	dne
oracular	dne

linux-riscv-5.19

focal	dne
jammy	ignored
noble	dne
oracular	dne

linux-riscv-5.8

focal	ignored
jammy	dne
noble	dne
oracular	dne

linux-riscv-6.5

focal	dne
jammy	ignored
noble	dne
oracular	dne

linux-riscv-6.8

focal	dne
jammy	needs-triage
noble	dne
oracular	dne

linux-starfive-5.19

focal	dne
jammy	ignored
noble	dne
oracular	dne

linux-starfive-6.2

focal	dne
jammy	ignored
noble	dne
oracular	dne

linux-starfive-6.5

focal	dne
jammy	ignored
noble	dne
oracular	dne

linux-xilinx-zynqmp

focal	needs-triage
jammy	needs-triage
noble	dne
oracular	dne

References

https://git.kernel.org/stable/c/01bdcc73dbe7be3ad4d4ee9a59b71e42f461a528

https://git.kernel.org/stable/c/81b3374944d201872cfcf82730a7860f8e7c31dd

https://git.kernel.org/stable/c/aae109414a57ab4164218f36e2e4a17f027fcaaa

https://git.kernel.org/stable/c/b0c89ef025562161242a7c19b213bd6b272e93df

https://git.kernel.org/stable/c/da75dec7c6617bddad418159ffebcb133f008262

https://git.kernel.org/stable/c/e4f4db47794c9f474b184ee1418f42e6a07412b6