CVE-2023-52568: x86/sgx: Resolves SECS reclaim vs. page fault for EAUG race - Greg Kroah-Hartman

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-cve-announce@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Subject: CVE-2023-52568: x86/sgx: Resolves SECS reclaim vs. page fault for EAUG race
Date: Sat,  2 Mar 2024 23:00:02 +0100	[thread overview]
Message-ID: <2024030255-CVE-2023-52568-b5c6@gregkh> (raw)

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

x86/sgx: Resolves SECS reclaim vs. page fault for EAUG race

The SGX EPC reclaimer (ksgxd) may reclaim the SECS EPC page for an
enclave and set secs.epc_page to NULL. The SECS page is used for EAUG
and ELDU in the SGX page fault handler. However, the NULL check for
secs.epc_page is only done for ELDU, not EAUG before being used.

Fix this by doing the same NULL check and reloading of the SECS page as
needed for both EAUG and ELDU.

The SECS page holds global enclave metadata. It can only be reclaimed
when there are no other enclave pages remaining. At that point,
virtually nothing can be done with the enclave until the SECS page is
paged back in.

An enclave can not run nor generate page faults without a resident SECS
page. But it is still possible for a #PF for a non-SECS page to race
with paging out the SECS page: when the last resident non-SECS page A
triggers a #PF in a non-resident page B, and then page A and the SECS
both are paged out before the #PF on B is handled.

Hitting this bug requires that race triggered with a #PF for EAUG.
Following is a trace when it happens.

BUG: kernel NULL pointer dereference, address: 0000000000000000
RIP: 0010:sgx_encl_eaug_page+0xc7/0x210
Call Trace:
 ? __kmem_cache_alloc_node+0x16a/0x440
 ? xa_load+0x6e/0xa0
 sgx_vma_fault+0x119/0x230
 __do_fault+0x36/0x140
 do_fault+0x12f/0x400
 __handle_mm_fault+0x728/0x1110
 handle_mm_fault+0x105/0x310
 do_user_addr_fault+0x1ee/0x750
 ? __this_cpu_preempt_check+0x13/0x20
 exc_page_fault+0x76/0x180
 asm_exc_page_fault+0x27/0x30

The Linux kernel CVE team has assigned CVE-2023-52568 to this issue.

Affected and fixed versions
===========================

	Issue introduced in 6.0 with commit 5a90d2c3f5ef and fixed in 6.1.56 with commit 811ba2ef0cb6
	Issue introduced in 6.0 with commit 5a90d2c3f5ef and fixed in 6.5.6 with commit 1348f7f15d7c
	Issue introduced in 6.0 with commit 5a90d2c3f5ef and fixed in 6.6 with commit c6c2adcba50c

Please see https://www.kernel.org or a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2023-52568
will be updated if fixes are backported, please check that for the most
up to date information about this issue.

Affected files
==============

The file(s) affected by this issue are:
	arch/x86/kernel/cpu/sgx/encl.c

Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/811ba2ef0cb6402672e64ba1419d6ef95aa3405d
	https://git.kernel.org/stable/c/1348f7f15d7c7798456856bee74a4235c2da994e
	https://git.kernel.org/stable/c/c6c2adcba50c2622ed25ba5d5e7f05f584711358