CVE-2023-53642

一、漏洞信息
 漏洞编号：[CVE-2023-53642](https://nvd.nist.gov/vuln/detail/CVE-2023-53642)
 漏洞归属组件：[kernel](https://gitee.com/src-openeuler/kernel)
 漏洞归属的版本：4.19.140,4.19.194,4.19.90,5.10.0,6.1.19,6.4.0,6.6.0
 CVSS V3.0分值：
  BaseScore：N/A None
  Vector：CVSS：3.0/
 漏洞简述：
  In the Linux kernel, the following vulnerability has been resolved:x86: fix clear_user_rep_good() exception handling annotationThis code no longer exists in mainline, because it was removed incommit d2c95f9d6802 ( x86: don t use REP_GOOD or ERMS for user memoryclearing ) upstream.However, rather than backport the full range of x86 memory clearing andcopying cleanups, fix the exception table annotation placement for thefinal  rep movsb  in clear_user_rep_good(): rather than pointing at theactual instruction that did the user space access, it pointed to theregister move just before it.That made sense from a code flow standpoint, but not from an actualusage standpoint: it means that if user access takes an exception, theexception handler won t actually find the instruction in the exceptiontables.As a result, rather than fixing it up and returning -EFAULT, it wouldthen turn it into a kernel oops report instead, something like:    BUG: unable to handle page fault for address: 0000000020081000    #PF: supervisor write access in kernel mode    #PF: error_code(0x0002) - not-present page    ...    RIP: 0010:clear_user_rep_good+0x1c/0x30 arch/x86/lib/clear_page_64.S:147    ...    Call Trace:      __clear_user arch/x86/include/asm/uaccess_64.h:103 [inline]      clear_user arch/x86/include/asm/uaccess_64.h:124 [inline]      iov_iter_zero+0x709/0x1290 lib/iov_iter.c:800      iomap_dio_hole_iter fs/iomap/direct-io.c:389 [inline]      iomap_dio_iter fs/iomap/direct-io.c:440 [inline]      __iomap_dio_rw+0xe3d/0x1cd0 fs/iomap/direct-io.c:601      iomap_dio_rw+0x40/0xa0 fs/iomap/direct-io.c:689      ext4_dio_read_iter fs/ext4/file.c:94 [inline]      ext4_file_read_iter+0x4be/0x690 fs/ext4/file.c:145      call_read_iter include/linux/fs.h:2183 [inline]      do_iter_readv_writev+0x2e0/0x3b0 fs/read_write.c:733      do_iter_read+0x2f2/0x750 fs/read_write.c:796      vfs_readv+0xe5/0x150 fs/read_write.c:916      do_preadv+0x1b6/0x270 fs/read_write.c:1008      __do_sys_preadv2 fs/read_write.c:1070 [inline]      __se_sys_preadv2 fs/read_write.c:1061 [inline]      __x64_sys_preadv2+0xef/0x150 fs/read_write.c:1061      do_syscall_x64 arch/x86/entry/common.c:50 [inline]      do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80      entry_SYSCALL_64_after_hwframe+0x63/0xcdwhich then looks like a filesystem bug rather than the incorrectexception annotation that it is.[ The alternative to this one-liner fix is to take the upstream series  that cleans this all up:    68674f94ffc9 ( x86: don t use REP_GOOD or ERMS for small memory copies )    20f3337d350c ( x86: don t use REP_GOOD or ERMS for small memory clearing )    adfcf4231b8c ( x86: don t use REP_GOOD or ERMS for user memory copies )  * d2c95f9d6802 ( x86: don t use REP_GOOD or ERMS for user memory clearing )    3639a535587d ( x86: move stac/clac from user copy routines into callers )    577e6a7fd50d ( x86: inline the  rep movs  in user copies for the FSRM case )    8c9b6a88b7e2 ( x86: improve on the non-rep  clear_user  function )    427fda2c8a49 ( x86: improve on the non-rep  copy_user  function )  * e046fe5a36a9 ( x86: set FSRS automatically on AMD CPUs that have FSRM )    e1f2750edc4a ( x86: remove  zerorest  argument from __copy_user_nocache() )    034ff37d3407 ( x86: rewrite  __copy_user_nocache  function )  with either the whole series or at a minimum the two marked commits  being needed to fix this issue ]
 漏洞公开时间：2025-10-08 00:15:47
 漏洞创建时间：2025-10-07 23:52:24
 漏洞详情参考链接：
  https://nvd.nist.gov/vuln/detail/CVE-2023-53642
<details>
<summary>更多参考(点击展开)</summary>

无
</details>

漏洞分析指导链接：
  https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md
 漏洞数据来源:
  七彩瞬析开源风险感知平台
 漏洞补丁信息：
  <details>
<summary>详情(点击展开)</summary>

| 影响的包 | 修复版本 | 修复补丁 | 问题引入补丁 | 来源  |
| ------- | -------- | ------- | -------- | --------- |
| gregkh/linux |  | https://git.kernel.org/stable/c/76ce32682635fe907e0f8e64e039e773e5c7508f |  | ljqc |

</details>

二、漏洞分析结构反馈
 影响性分析说明：
  In the Linux kernel, the following vulnerability has been resolved:x86: fix clear_user_rep_good() exception handling annotationThis code no longer exists in mainline, because it was removed incommit d2c95f9d6802 ( x86: don t use REP_GOOD or ERMS for user memoryclearing ) upstream.However, rather than backport the full range of x86 memory clearing andcopying cleanups, fix the exception table annotation placement for thefinal  rep movsb  in clear_user_rep_good(): rather than pointing at theactual instruction that did the user space access, it pointed to theregister move just before it.That made sense from a code flow standpoint, but not from an actualusage standpoint: it means that if user access takes an exception, theexception handler won t actually find the instruction in the exceptiontables.As a result, rather than fixing it up and returning -EFAULT, it wouldthen turn it into a kernel oops report instead, something like:    BUG: unable to handle page fault for address: 0000000020081000    #PF: supervisor write access in kernel mode    #PF: error_code(0x0002) - not-present page    ...    RIP: 0010:clear_user_rep_good+0x1c/0x30 arch/x86/lib/clear_page_64.S:147    ...    Call Trace:      __clear_user arch/x86/include/asm/uaccess_64.h:103 [inline]      clear_user arch/x86/include/asm/uaccess_64.h:124 [inline]      iov_iter_zero+0x709/0x1290 lib/iov_iter.c:800      iomap_dio_hole_iter fs/iomap/direct-io.c:389 [inline]      iomap_dio_iter fs/iomap/direct-io.c:440 [inline]      __iomap_dio_rw+0xe3d/0x1cd0 fs/iomap/direct-io.c:601      iomap_dio_rw+0x40/0xa0 fs/iomap/direct-io.c:689      ext4_dio_read_iter fs/ext4/file.c:94 [inline]      ext4_file_read_iter+0x4be/0x690 fs/ext4/file.c:145      call_read_iter include/linux/fs.h:2183 [inline]      do_iter_readv_writev+0x2e0/0x3b0 fs/read_write.c:733      do_iter_read+0x2f2/0x750 fs/read_write.c:796      vfs_readv+0xe5/0x150 fs/read_write.c:916      do_preadv+0x1b6/0x270 fs/read_write.c:1008      __do_sys_preadv2 fs/read_write.c:1070 [inline]      __se_sys_preadv2 fs/read_write.c:1061 [inline]      __x64_sys_preadv2+0xef/0x150 fs/read_write.c:1061      do_syscall_x64 arch/x86/entry/common.c:50 [inline]      do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80      entry_SYSCALL_64_after_hwframe+0x63/0xcdwhich then looks like a filesystem bug rather than the incorrectexception annotation that it is.[ The alternative to this one-liner fix is to take the upstream series  that cleans this all up:    68674f94ffc9 ( x86: don t use REP_GOOD or ERMS for small memory copies )    20f3337d350c ( x86: don t use REP_GOOD or ERMS for small memory clearing )    adfcf4231b8c ( x86: don t use REP_GOOD or ERMS for user memory copies )  * d2c95f9d6802 ( x86: don t use REP_GOOD or ERMS for user memory clearing )    3639a535587d ( x86: move stac/clac from user copy routines into callers )    577e6a7fd50d ( x86: inline the  rep movs  in user copies for the FSRM case )    8c9b6a88b7e2 ( x86: improve on the non-rep  clear_user  function )    427fda2c8a49 ( x86: improve on the non-rep  copy_user  function )  * e046fe5a36a9 ( x86: set FSRS automatically on AMD CPUs that have FSRM )    e1f2750edc4a ( x86: remove  zerorest  argument from __copy_user_nocache() )    034ff37d3407 ( x86: rewrite  __copy_user_nocache  function )  with either the whole series or at a minimum the two marked commits  being needed to fix this issue ]The Linux kernel CVE team has assigned CVE-2023-53642 to this issue.
 openEuler评分：
  5.5
 Vector：CVSS：3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
 受影响版本排查(受影响/不受影响)：
  1.master(6.12.33):不受影响
2.openEuler-20.03-LTS-SP4(4.19.90):不受影响
3.openEuler-22.03-LTS-SP3(5.10.0):不受影响
4.openEuler-22.03-LTS-SP4(5.10.0):不受影响
5.openEuler-24.03-LTS:不受影响
6.openEuler-24.03-LTS-Next:不受影响
7.openEuler-24.03-LTS-SP1:不受影响
8.openEuler-24.03-LTS-SP2:不受影响

修复是否涉及abi变化(是/否)：
  1.master(6.12.33):否
2.openEuler-20.03-LTS-SP4(4.19.90):否
3.openEuler-22.03-LTS-SP3(5.10.0):否
4.openEuler-22.03-LTS-SP4(5.10.0):否
5.openEuler-24.03-LTS:否
6.openEuler-24.03-LTS-Next:否
7.openEuler-24.03-LTS-SP1:否
8.openEuler-24.03-LTS-SP2:否

原因说明：
  1.master(6.12.33):不受影响-漏洞代码不能被攻击者触发
2.openEuler-24.03-LTS:不受影响-漏洞代码不能被攻击者触发
3.openEuler-24.03-LTS-Next:不受影响-漏洞代码不能被攻击者触发
4.openEuler-24.03-LTS-SP1:不受影响-漏洞代码不能被攻击者触发
5.openEuler-24.03-LTS-SP2:不受影响-漏洞代码不能被攻击者触发
6.openEuler-20.03-LTS-SP4(4.19.90):不受影响-漏洞代码不存在
7.openEuler-22.03-LTS-SP3(5.10.0):不受影响-漏洞代码不存在
8.openEuler-22.03-LTS-SP4(5.10.0):不受影响-漏洞代码不存在

src-openEuler/kernel
关闭

内容风险标识

评论 (5)

src-openEuler/kernel关闭 .gitee-modal { width: 500px !important; }

内容风险标识

CVE-2023-53642

评论 (5)

搜索帮助

src-openEuler/kernel
关闭