{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2023-53024", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-03-27T16:40:15.753Z", "datePublished": "2025-03-27T16:43:49.824Z", "dateUpdated": "2026-05-11T19:37:07.961Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T19:37:07.961Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix pointer-leak due to insufficient speculative store bypass mitigation\n\nTo mitigate Spectre v4, 2039f26f3aca (\"bpf: Fix leakage due to\ninsufficient speculative store bypass mitigation\") inserts lfence\ninstructions after 1) initializing a stack slot and 2) spilling a\npointer to the stack.\n\nHowever, this does not cover cases where a stack slot is first\ninitialized with a pointer (subject to sanitization) but then\noverwritten with a scalar (not subject to sanitization because\nthe slot was already initialized). In this case, the second write\nmay be subject to speculative store bypass (SSB) creating a\nspeculative pointer-as-scalar type confusion. This allows the\nprogram to subsequently leak the numerical pointer value using,\nfor example, a branch-based cache side channel.\n\nTo fix this, also sanitize scalars if they write a stack slot\nthat previously contained a pointer. Assuming that pointer-spills\nare only generated by LLVM on register-pressure, the performance\nimpact on most real-world BPF programs should be small.\n\nThe following unprivileged BPF bytecode drafts a minimal exploit\nand the mitigation:\n\n [...]\n // r6 = 0 or 1 (skalar, unknown user input)\n // r7 = accessible ptr for side channel\n // r10 = frame pointer (fp), to be leaked\n //\n r9 = r10 # fp alias to encourage ssb\n *(u64 *)(r9 - 8) = r10 // fp[-8] = ptr, to be leaked\n // lfence added here because of pointer spill to stack.\n //\n // Ommitted: Dummy bpf_ringbuf_output() here to train alias predictor\n // for no r9-r10 dependency.\n //\n *(u64 *)(r10 - 8) = r6 // fp[-8] = scalar, overwrites ptr\n // 2039f26f3aca: no lfence added because stack slot was not STACK_INVALID,\n // store may be subject to SSB\n //\n // fix: also add an lfence when the slot contained a ptr\n //\n r8 = *(u64 *)(r9 - 8)\n // r8 = architecturally a scalar, speculatively a ptr\n //\n // leak ptr using branch-based cache side channel:\n r8 &= 1 // choose bit to leak\n if r8 == 0 goto SLOW // no mispredict\n // architecturally dead code if input r6 is 0,\n // only executes speculatively iff ptr bit is 1\n r8 = *(u64 *)(r7 + 0) # encode bit in cache (0: slow, 1: fast)\nSLOW:\n [...]\n\nAfter running this, the program can time the access to *(r7 + 0) to\ndetermine whether the chosen pointer bit was 0 or 1. Repeat this 64\ntimes to recover the whole address on amd64.\n\nIn summary, sanitization can only be skipped if one scalar is\noverwritten with another scalar. Scalar-confusion due to speculative\nstore bypass can not lead to invalid accesses because the pointer\nbounds deducted during verification are enforced using branchless\nlogic. See 979d63d50c0c (\"bpf: prevent out of bounds speculation on\npointer arithmetic\") for details.\n\nDo not make the mitigation depend on !env->allow_{uninit_stack,ptr_leaks}\nbecause speculative leaks are likely unexpected if these were enabled.\nFor example, leaking the address to a protected log file may be acceptable\nwhile disabling the mitigation might unintentionally leak the address\ninto the cached-state of a map that is accessible to unprivileged\nprocesses."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["kernel/bpf/verifier.c"], "versions": [{"version": "872968502114d68c21419cf7eb5ab97717e7b803", "lessThan": "aae109414a57ab4164218f36e2e4a17f027fcaaa", "status": "affected", "versionType": "git"}, {"version": "f5893af2704eb763eb982f01d573f5b19f06b623", "lessThan": "81b3374944d201872cfcf82730a7860f8e7c31dd", "status": "affected", "versionType": "git"}, {"version": "0e9280654aa482088ee6ef3deadef331f5ac5fb0", "lessThan": "da75dec7c6617bddad418159ffebcb133f008262", "status": "affected", "versionType": "git"}, {"version": "2039f26f3aca5b0e419b98f65dd36481337b86ee", "lessThan": "01bdcc73dbe7be3ad4d4ee9a59b71e42f461a528", "status": "affected", "versionType": "git"}, {"version": "2039f26f3aca5b0e419b98f65dd36481337b86ee", "lessThan": "b0c89ef025562161242a7c19b213bd6b272e93df", "status": "affected", "versionType": "git"}, {"version": "2039f26f3aca5b0e419b98f65dd36481337b86ee", "lessThan": "e4f4db47794c9f474b184ee1418f42e6a07412b6", "status": "affected", "versionType": "git"}, {"version": "0b27bdf02c400684225ee5ee99970bcbf5082282", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["kernel/bpf/verifier.c"], "versions": [{"version": "5.14", "status": "affected"}, {"version": "0", "lessThan": "5.14", "status": "unaffected", "versionType": "semver"}, {"version": "4.19.272", "lessThanOrEqual": "4.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.4.231", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.166", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.91", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.9", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.2", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.19.207", "versionEndExcluding": "4.19.272"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.4.146", "versionEndExcluding": "5.4.231"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.10.56", "versionEndExcluding": "5.10.166"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.14", "versionEndExcluding": "5.15.91"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.14", "versionEndExcluding": "6.1.9"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.14", "versionEndExcluding": "6.2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.13.8"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/aae109414a57ab4164218f36e2e4a17f027fcaaa"}, {"url": "https://git.kernel.org/stable/c/81b3374944d201872cfcf82730a7860f8e7c31dd"}, {"url": "https://git.kernel.org/stable/c/da75dec7c6617bddad418159ffebcb133f008262"}, {"url": "https://git.kernel.org/stable/c/01bdcc73dbe7be3ad4d4ee9a59b71e42f461a528"}, {"url": "https://git.kernel.org/stable/c/b0c89ef025562161242a7c19b213bd6b272e93df"}, {"url": "https://git.kernel.org/stable/c/e4f4db47794c9f474b184ee1418f42e6a07412b6"}], "title": "bpf: Fix pointer-leak due to insufficient speculative store bypass mitigation", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "24AAC99F-8574-4730-97EF-8D151F18C754", "versionEndExcluding": "4.19.272", "versionStartIncluding": "4.19.207", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "1EEDBA35-16D7-4B98-9EAF-B23478991256", "versionEndExcluding": "5.4.231", "versionStartIncluding": "5.4.146", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "9AF02AD4-5803-4A72-9C08-8AE328ACE92D", "versionEndExcluding": "5.10.166", "versionStartIncluding": "5.10.56", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "36EE71C6-4B88-4A86-A5C2-2ED3CE3D73C1", "versionEndExcluding": "5.14", "versionStartIncluding": "5.13.8", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "ABD7378E-DD3E-4737-8A11-D5989C6D9B38", "versionEndExcluding": "5.15.91", "versionStartIncluding": "5.14.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "ED5B6045-B1D2-4E03-B194-9005A351BCAE", "versionEndExcluding": "6.1.9", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.14:-:*:*:*:*:*:*", "matchCriteriaId": "6A05198E-F8FA-4517-8D0E-8C95066AED38", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.14:rc4:*:*:*:*:*:*", "matchCriteriaId": "D1DA0AF6-02F4-47C7-A318-8C006ED0C665", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.14:rc5:*:*:*:*:*:*", "matchCriteriaId": "49DD30B1-8C99-4C38-A66B-CAB3827BEE8A", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.14:rc6:*:*:*:*:*:*", "matchCriteriaId": "15013998-4AF0-4CDC-AB13-829ECD8A8E66", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.14:rc7:*:*:*:*:*:*", "matchCriteriaId": "376A25CF-C05B-48F1-99B1-8FB0314A8E06", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.2:rc1:*:*:*:*:*:*", "matchCriteriaId": "FF501633-2F44-4913-A8EE-B021929F49F6", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.2:rc2:*:*:*:*:*:*", "matchCriteriaId": "2BDA597B-CAC1-4DF0-86F0-42E142C654E9", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.2:rc3:*:*:*:*:*:*", "matchCriteriaId": "725C78C9-12CE-406F-ABE8-0813A01D66E8", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.2:rc4:*:*:*:*:*:*", "matchCriteriaId": "A127C155-689C-4F67-B146-44A57F4BFD85", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix pointer-leak due to insufficient speculative store bypass mitigation\n\nTo mitigate Spectre v4, 2039f26f3aca (\"bpf: Fix leakage due to\ninsufficient speculative store bypass mitigation\") inserts lfence\ninstructions after 1) initializing a stack slot and 2) spilling a\npointer to the stack.\n\nHowever, this does not cover cases where a stack slot is first\ninitialized with a pointer (subject to sanitization) but then\noverwritten with a scalar (not subject to sanitization because\nthe slot was already initialized). In this case, the second write\nmay be subject to speculative store bypass (SSB) creating a\nspeculative pointer-as-scalar type confusion. This allows the\nprogram to subsequently leak the numerical pointer value using,\nfor example, a branch-based cache side channel.\n\nTo fix this, also sanitize scalars if they write a stack slot\nthat previously contained a pointer. Assuming that pointer-spills\nare only generated by LLVM on register-pressure, the performance\nimpact on most real-world BPF programs should be small.\n\nThe following unprivileged BPF bytecode drafts a minimal exploit\nand the mitigation:\n\n [...]\n // r6 = 0 or 1 (skalar, unknown user input)\n // r7 = accessible ptr for side channel\n // r10 = frame pointer (fp), to be leaked\n //\n r9 = r10 # fp alias to encourage ssb\n *(u64 *)(r9 - 8) = r10 // fp[-8] = ptr, to be leaked\n // lfence added here because of pointer spill to stack.\n //\n // Ommitted: Dummy bpf_ringbuf_output() here to train alias predictor\n // for no r9-r10 dependency.\n //\n *(u64 *)(r10 - 8) = r6 // fp[-8] = scalar, overwrites ptr\n // 2039f26f3aca: no lfence added because stack slot was not STACK_INVALID,\n // store may be subject to SSB\n //\n // fix: also add an lfence when the slot contained a ptr\n //\n r8 = *(u64 *)(r9 - 8)\n // r8 = architecturally a scalar, speculatively a ptr\n //\n // leak ptr using branch-based cache side channel:\n r8 &= 1 // choose bit to leak\n if r8 == 0 goto SLOW // no mispredict\n // architecturally dead code if input r6 is 0,\n // only executes speculatively iff ptr bit is 1\n r8 = *(u64 *)(r7 + 0) # encode bit in cache (0: slow, 1: fast)\nSLOW:\n [...]\n\nAfter running this, the program can time the access to *(r7 + 0) to\ndetermine whether the chosen pointer bit was 0 or 1. Repeat this 64\ntimes to recover the whole address on amd64.\n\nIn summary, sanitization can only be skipped if one scalar is\noverwritten with another scalar. Scalar-confusion due to speculative\nstore bypass can not lead to invalid accesses because the pointer\nbounds deducted during verification are enforced using branchless\nlogic. See 979d63d50c0c (\"bpf: prevent out of bounds speculation on\npointer arithmetic\") for details.\n\nDo not make the mitigation depend on !env->allow_{uninit_stack,ptr_leaks}\nbecause speculative leaks are likely unexpected if these were enabled.\nFor example, leaking the address to a protected log file may be acceptable\nwhile disabling the mitigation might unintentionally leak the address\ninto the cached-state of a map that is accessible to unprivileged\nprocesses."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: bpf: Fix pointer-leak due to lowest speculative store bypass mitigation Para mitigar Spectre v4, 2039f26f3aca (\"bpf: Fix leakage due to lowest speculative store bypass mitigation\") inserta instrucciones lfence despu\u00e9s de 1) inicializar una ranura de pila y 2) derramar un puntero a la pila. Sin embargo, esto no cubre los casos en los que una ranura de pila se inicializa primero con un puntero (sujeto a depuraci\u00f3n) pero luego se sobrescribe con un escalar (no sujeto a depuraci\u00f3n porque la ranura ya estaba inicializada). En este caso, la segunda escritura puede estar sujeta a la derivaci\u00f3n de almac\u00e9n especulativo (SSB), creando una confusi\u00f3n de tipo de puntero especulativo como escalar. Esto permite que el programa filtre posteriormente el valor del puntero num\u00e9rico utilizando, por ejemplo, un canal lateral de cach\u00e9 basado en bifurcaci\u00f3n. Para solucionar esto, tambi\u00e9n depura los escalares si escriben en una ranura de pila que anteriormente conten\u00eda un puntero. Suponiendo que los derrames de puntero solo son generados por LLVM bajo presi\u00f3n de registro, el impacto en el rendimiento de la mayor\u00eda de los programas BPF del mundo real deber\u00eda ser m\u00ednimo. El siguiente c\u00f3digo de bytes BPF sin privilegios describe un exploit m\u00ednimo y su mitigaci\u00f3n: [...] // r6 = 0 o 1 (escalar, entrada de usuario desconocida) // r7 = ptr accesible para canal lateral // r10 = puntero de trama (fp), a filtrar // r9 = r10 # alias de fp para fomentar ssb *(u64 *)(r9 - 8) = r10 // fp[-8] = ptr, a filtrar // Se a\u00f1adi\u00f3 lfence debido al derrame de puntero a la pila. // // Omitido: bpf_ringbuf_output() ficticio para entrenar el predictor de alias // para la ausencia de dependencia entre r9 y r10. // *(u64 *)(r10 - 8) = r6 // fp[-8] = escalar, sobrescribe ptr // 2039f26f3aca: no se agreg\u00f3 lfence porque la ranura de pila no era STACK_INVALID, // el almacenamiento puede estar sujeto a SSB // // correcci\u00f3n: tambi\u00e9n se agrega una lfence cuando la ranura conten\u00eda un ptr // r8 = *(u64 *)(r9 - 8) // r8 = arquitect\u00f3nicamente un escalar, especulativamente un ptr // // fuga de ptr usando el canal lateral de cach\u00e9 basado en ramas: r8 &= 1 // elige el bit a fugar si r8 == 0 goto SLOW // sin predicci\u00f3n err\u00f3nea // c\u00f3digo arquitect\u00f3nicamente muerto si la entrada r6 es 0, // solo se ejecuta especulativamente si el bit ptr es 1 r8 = *(u64 *)(r7 + 0) # codificar bit en cach\u00e9 (0: lento, 1: r\u00e1pido) SLOW: [...] Despu\u00e9s de ejecutar esto, el programa Puede cronometrar el acceso a *(r7 + 0) para determinar si el bit de puntero seleccionado era 0 o 1. Repita esto 64 veces para recuperar la direcci\u00f3n completa en amd64. En resumen, la depuraci\u00f3n solo se puede omitir si un escalar se sobrescribe con otro. La confusi\u00f3n escalar debido a la omisi\u00f3n del almacenamiento especulativo no puede conducir a accesos inv\u00e1lidos porque los l\u00edmites del puntero deducidos durante la verificaci\u00f3n se aplican mediante l\u00f3gica sin ramificaciones. Consulte 979d63d50c0c (\"bpf: evitar especulaci\u00f3n fuera de los l\u00edmites en aritm\u00e9tica de punteros\") para obtener m\u00e1s detalles. No haga que la mitigaci\u00f3n dependa de !env->allow_{uninit_stack,ptr_leaks} porque es probable que se produzcan fugas especulativas inesperadas si se habilitan. Por ejemplo, filtrar la direcci\u00f3n a un archivo de registro protegido puede ser aceptable, mientras que deshabilitar la mitigaci\u00f3n podr\u00eda filtrar involuntariamente la direcci\u00f3n al estado en cach\u00e9 de un mapa al que pueden acceder procesos sin privilegios."}], "id": "CVE-2023-53024", "lastModified": "2026-01-22T20:56:59.773", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-03-27T17:15:51.980", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/01bdcc73dbe7be3ad4d4ee9a59b71e42f461a528"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/81b3374944d201872cfcf82730a7860f8e7c31dd"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/aae109414a57ab4164218f36e2e4a17f027fcaaa"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/b0c89ef025562161242a7c19b213bd6b272e93df"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/da75dec7c6617bddad418159ffebcb133f008262"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/e4f4db47794c9f474b184ee1418f42e6a07412b6"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2023:6583", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "kernel-0:5.14.0-362.8.1.el9_3", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2023-11-07T00:00:00Z"}, {"advisory": "RHSA-2023:6583", "cpe": "cpe:/o:redhat:enterprise_linux:9", "package": "kernel-0:5.14.0-362.8.1.el9_3", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2023-11-07T00:00:00Z"}], "bugzilla": {"description": "kernel: bpf: Fix pointer-leak due to insufficient speculative store bypass mitigation", "id": "2355458", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2355458"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.6", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N", "status": "verified"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\nbpf: Fix pointer-leak due to insufficient speculative store bypass mitigation\nTo mitigate Spectre v4, 2039f26f3aca (\"bpf: Fix leakage due to\ninsufficient speculative store bypass mitigation\") inserts lfence\ninstructions after 1) initializing a stack slot and 2) spilling a\npointer to the stack.\nHowever, this does not cover cases where a stack slot is first\ninitialized with a pointer (subject to sanitization) but then\noverwritten with a scalar (not subject to sanitization because\nthe slot was already initialized). In this case, the second write\nmay be subject to speculative store bypass (SSB) creating a\nspeculative pointer-as-scalar type confusion. This allows the\nprogram to subsequently leak the numerical pointer value using,\nfor example, a branch-based cache side channel.\nTo fix this, also sanitize scalars if they write a stack slot\nthat previously contained a pointer. Assuming that pointer-spills\nare only generated by LLVM on register-pressure, the performance\nimpact on most real-world BPF programs should be small.\nThe following unprivileged BPF bytecode drafts a minimal exploit\nand the mitigation:\n[...]\n// r6 = 0 or 1 (skalar, unknown user input)\n// r7 = accessible ptr for side channel\n// r10 = frame pointer (fp), to be leaked\n//\nr9 = r10 # fp alias to encourage ssb\n*(u64 *)(r9 - 8) = r10 // fp[-8] = ptr, to be leaked\n// lfence added here because of pointer spill to stack.\n//\n// Ommitted: Dummy bpf_ringbuf_output() here to train alias predictor\n// for no r9-r10 dependency.\n//\n*(u64 *)(r10 - 8) = r6 // fp[-8] = scalar, overwrites ptr\n// 2039f26f3aca: no lfence added because stack slot was not STACK_INVALID,\n// store may be subject to SSB\n//\n// fix: also add an lfence when the slot contained a ptr\n//\nr8 = *(u64 *)(r9 - 8)\n// r8 = architecturally a scalar, speculatively a ptr\n//\n// leak ptr using branch-based cache side channel:\nr8 &= 1 // choose bit to leak\nif r8 == 0 goto SLOW // no mispredict\n// architecturally dead code if input r6 is 0,\n// only executes speculatively iff ptr bit is 1\nr8 = *(u64 *)(r7 + 0) # encode bit in cache (0: slow, 1: fast)\nSLOW:\n[...]\nAfter running this, the program can time the access to *(r7 + 0) to\ndetermine whether the chosen pointer bit was 0 or 1. Repeat this 64\ntimes to recover the whole address on amd64.\nIn summary, sanitization can only be skipped if one scalar is\noverwritten with another scalar. Scalar-confusion due to speculative\nstore bypass can not lead to invalid accesses because the pointer\nbounds deducted during verification are enforced using branchless\nlogic. See 979d63d50c0c (\"bpf: prevent out of bounds speculation on\npointer arithmetic\") for details.\nDo not make the mitigation depend on !env->allow_{uninit_stack,ptr_leaks}\nbecause speculative leaks are likely unexpected if these were enabled.\nFor example, leaking the address to a protected log file may be acceptable\nwhile disabling the mitigation might unintentionally leak the address\ninto the cached-state of a map that is accessible to unprivileged\nprocesses.", "A vulnerability was found in the Linux kernel's eBPF verifier function `check_stack_write()`, where pointer leakage can occur due to insufficient speculative store bypass mitigation. This issue occurs because the original mitigation inserts `lfence` instructions after initializing a stack slot and spilling a pointer to the stack. This does not protect against cases where a stack slot is initialized with a pointer and then overwritten with a scalar. When the overwrite happens, it may be subject to speculative story bypass (SSB), allowing the program to leak the numerical pointer value."], "name": "CVE-2023-53024", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Under investigation", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Under investigation", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-03-27T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-53024\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-53024\nhttps://lore.kernel.org/linux-cve-announce/2025032719-CVE-2023-53024-8d19@gregkh/T"], "threat_severity": "Moderate"}

{}