Bug 1220941 (CVE-2023-52568)

Summary: VUL-0: CVE-2023-52568: kernel: x86/sgx: Resolves SECS reclaim vs. page fault for EAUG race
Product: [Novell Products] SUSE Security Incidents Reporter: SMASH SMASH <smash_bz>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: gabriele.sonnu, pmladek
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/396091/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-52568:5.5:(AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description SMASH SMASH 2024-03-05 09:21:17 UTC 
In the Linux kernel, the following vulnerability has been resolved:

x86/sgx: Resolves SECS reclaim vs. page fault for EAUG race

The SGX EPC reclaimer (ksgxd) may reclaim the SECS EPC page for an
enclave and set secs.epc_page to NULL. The SECS page is used for EAUG
and ELDU in the SGX page fault handler. However, the NULL check for
secs.epc_page is only done for ELDU, not EAUG before being used.

Fix this by doing the same NULL check and reloading of the SECS page as
needed for both EAUG and ELDU.

The SECS page holds global enclave metadata. It can only be reclaimed
when there are no other enclave pages remaining. At that point,
virtually nothing can be done with the enclave until the SECS page is
paged back in.

An enclave can not run nor generate page faults without a resident SECS
page. But it is still possible for a #PF for a non-SECS page to race
with paging out the SECS page: when the last resident non-SECS page A
triggers a #PF in a non-resident page B, and then page A and the SECS
both are paged out before the #PF on B is handled.

Hitting this bug requires that race triggered with a #PF for EAUG.
Following is a trace when it happens.

BUG: kernel NULL pointer dereference, address: 0000000000000000
RIP: 0010:sgx_encl_eaug_page+0xc7/0x210
Call Trace:
 ? __kmem_cache_alloc_node+0x16a/0x440
 ? xa_load+0x6e/0xa0
 sgx_vma_fault+0x119/0x230
 __do_fault+0x36/0x140
 do_fault+0x12f/0x400
 __handle_mm_fault+0x728/0x1110
 handle_mm_fault+0x105/0x310
 do_user_addr_fault+0x1ee/0x750
 ? __this_cpu_preempt_check+0x13/0x20
 exc_page_fault+0x76/0x180
 asm_exc_page_fault+0x27/0x30

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-52568
https://git.kernel.org/stable/c/c6c2adcba50c2622ed25ba5d5e7f05f584711358
https://www.cve.org/CVERecord?id=CVE-2023-52568
https://git.kernel.org/stable/c/1348f7f15d7c7798456856bee74a4235c2da994e
https://git.kernel.org/stable/c/811ba2ef0cb6402672e64ba1419d6ef95aa3405d
https://bugzilla.redhat.com/show_bug.cgi?id=2267740
Comment 1 Gabriele Sonnu 2024-03-05 13:51:26 UTC 
Offending commit (5a90d2c3f5ef) found in:

 - SLE15-SP6
 - stable

Only stable has the fix (811ba2ef0cb6), tracking SLE15-SP6 as affected.
Comment 2 Petr Mladek 2024-03-05 14:40:46 UTC 
Jiri, this seems to be in your area.
Comment 3 Jiri Slaby 2024-03-06 11:58:09 UTC 
FTR
commit c6c2adcba50c2622ed25ba5d5e7f05f584711358
Author: Haitao Huang <haitao.huang@linux.intel.com>
Date:   Thu Jul 27 22:10:24 2023 -0700

    x86/sgx: Resolves SECS reclaim vs. page fault for EAUG race
in v6.6-rc4

    Fixes: 5a90d2c3f5ef ("x86/sgx: Support adding of pages to an initialized enclave")
in v6.0-rc1
Comment 4 Jiri Slaby 2024-03-07 09:02:01 UTC 
Pushed to 15-sp6.
Comment 14 Andrea Mattiazzo 2024-05-31 13:08:02 UTC 
All done, closing.