CVE-2023-53135 in Linux

Summary

by MITRE • 05/02/2025

In the Linux kernel, the following vulnerability has been resolved:

riscv: Use READ_ONCE_NOCHECK in imprecise unwinding stack mode

When CONFIG_FRAME_POINTER is unset, the stack unwinding function walk_stackframe randomly reads the stack and then, when KASAN is enabled, it can lead to the following backtrace:

[ 0.000000] ==================================================================
[ 0.000000] BUG: KASAN: stack-out-of-bounds in walk_stackframe+0xa6/0x11a
[ 0.000000] Read of size 8 at addr ffffffff81807c40 by task swapper/0
[ 0.000000]
[ 0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 6.2.0-12919-g24203e6db61f #43
[ 0.000000] Hardware name: riscv-virtio,qemu (DT)
[ 0.000000] Call Trace:
[ 0.000000] [<ffffffff80007ba8>] walk_stackframe+0x0/0x11a
[ 0.000000] [<ffffffff80099ecc>] init_param_lock+0x26/0x2a
[ 0.000000] [<ffffffff80007c4a>] walk_stackframe+0xa2/0x11a
[ 0.000000] [<ffffffff80c49c80>] dump_stack_lvl+0x22/0x36
[ 0.000000] [<ffffffff80c3783e>] print_report+0x198/0x4a8
[ 0.000000] [<ffffffff80099ecc>] init_param_lock+0x26/0x2a
[ 0.000000] [<ffffffff80007c4a>] walk_stackframe+0xa2/0x11a
[ 0.000000] [<ffffffff8015f68a>] kasan_report+0x9a/0xc8
[ 0.000000] [<ffffffff80007c4a>] walk_stackframe+0xa2/0x11a
[ 0.000000] [<ffffffff80007c4a>] walk_stackframe+0xa2/0x11a
[ 0.000000] [<ffffffff8006e99c>] desc_make_final+0x80/0x84
[ 0.000000] [<ffffffff8009a04e>] stack_trace_save+0x88/0xa6
[ 0.000000] [<ffffffff80099fc2>] filter_irq_stacks+0x72/0x76
[ 0.000000] [<ffffffff8006b95e>] devkmsg_read+0x32a/0x32e
[ 0.000000] [<ffffffff8015ec16>] kasan_save_stack+0x28/0x52
[ 0.000000] [<ffffffff8006e998>] desc_make_final+0x7c/0x84
[ 0.000000] [<ffffffff8009a04a>] stack_trace_save+0x84/0xa6
[ 0.000000] [<ffffffff8015ec52>] kasan_set_track+0x12/0x20
[ 0.000000] [<ffffffff8015f22e>] __kasan_slab_alloc+0x58/0x5e
[ 0.000000] [<ffffffff8015e7ea>] __kmem_cache_create+0x21e/0x39a
[ 0.000000] [<ffffffff80e133ac>] create_boot_cache+0x70/0x9c
[ 0.000000] [<ffffffff80e17ab2>] kmem_cache_init+0x6c/0x11e
[ 0.000000] [<ffffffff80e00fd6>] mm_init+0xd8/0xfe
[ 0.000000] [<ffffffff80e011d8>] start_kernel+0x190/0x3ca
[ 0.000000]
[ 0.000000] The buggy address belongs to stack of task swapper/0
[ 0.000000] and is located at offset 0 in frame:
[ 0.000000] stack_trace_save+0x0/0xa6
[ 0.000000]
[ 0.000000] This frame has 1 object:
[ 0.000000] [32, 56) 'c'
[ 0.000000]
[ 0.000000] The buggy address belongs to the physical page:
[ 0.000000] page:(____ptrval____) refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x81a07
[ 0.000000] flags: 0x1000(reserved|zone=0)
[ 0.000000] raw: 0000000000001000 ff600003f1e3d150 ff600003f1e3d150 0000000000000000
[ 0.000000] raw: 0000000000000000 0000000000000000 00000001ffffffff
[ 0.000000] page dumped because: kasan: bad access detected
[ 0.000000]
[ 0.000000] Memory state around the buggy address:
[ 0.000000] ffffffff81807b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 0.000000] ffffffff81807b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 0.000000] >ffffffff81807c00: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 f3
[ 0.000000] ^
[ 0.000000] ffffffff81807c80: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
[ 0.000000] ffffffff81807d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 0.000000] ==================================================================

Fix that by using READ_ONCE_NOCHECK when reading the stack in imprecise mode.


Analysis

by VulDB Data Team • 01/31/2026

CVE-2023-53135 resides in the Linux kernel's RISC-V stack unwinder and affects builds in which frame pointers are disabled. With KASAN (Kernel Address Sanitizer) enabled, the walk_stackframe function reads stack memory without bounds checking. In this imprecise unwinding mode the kernel has no frame pointer information from which to derive valid stack boundaries, so the reads run out of bounds and trigger KASAN reports. The issue matters because it disrupts the kernel's ability to trace execution paths during boot and system initialization, potentially affecting system stability and security monitoring. The root cause is the function's handling of stack accesses when CONFIG_FRAME_POINTER is unset, a common configuration in optimized kernel builds where frame pointers are omitted to reduce memory overhead and improve performance.

The stack unwinder reconstructs call stacks for debugging and error reporting. When KASAN is active, every memory access is validated, but walk_stackframe does not account for the imprecise nature of stack traversal without frame pointers, so it reads locations that may not be properly aligned or within valid stack boundaries, particularly in early boot initialization code. The reported error is an 8-byte read at address ffffffff81807c40 (the address in the backtrace above) on the stack of the swapper task, which places the fault in kernel initialization, before the stack layout is fully established. The call trace passes through several kernel subsystems, including stack trace saving, KASAN reporting and memory-management initialization, showing that the problem is not localized but affects fundamental kernel debugging and monitoring capabilities.

The operational impact of CVE-2023-53135 goes beyond kernel stability: it can undermine security monitoring and debugging during critical boot phases. Legitimate kernel debugging and error-reporting mechanisms become unreliable, which can mask other security issues or prevent proper forensic analysis of crashes. This is especially problematic where kernel memory safety is paramount, such as security-sensitive applications or embedded systems. The issue is specific to RISC-V, so it is relevant to virtualized environments and embedded devices built on that architecture. The fix uses READ_ONCE_NOCHECK when reading stack memory in imprecise unwinding mode; this variant of READ_ONCE performs the load without KASAN instrumentation, so the deliberately speculative stack reads of imprecise unwinding no longer produce KASAN false positives while stack unwinding keeps working.

This vulnerability aligns with CWE-129 (improper validation of array index) and relates to ATT&CK technique T1059.006 for system execution layer commands and T1562.001 for disabling security tools, since the faulty stack unwinding can mask other security issues or prevent proper security monitoring. The fix is a targeted change that addresses the memory-safety concern while preserving kernel functionality, in line with best practices for kernel memory management: when frame pointers are unavailable, the kernel still performs stack unwinding without triggering false-positive KASAN alerts, preserving the integrity of kernel debugging and security monitoring. The case illustrates the difficulty of maintaining memory safety in kernel code when architecture-specific optimizations and debugging features must work reliably across system states and configurations.
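The scanning behaviour described in the commit message and in the analysis above, modelled as an added user-space C example (not the kernel's own stacktrace.c code): the imprecise unwinder walks every stack word, keeps those that fall in a text range, and performs each read through an uninstrumented helper standing in for READ_ONCE_NOCHECK. The text window, the helper names and the sample stack contents are assumptions constructed for the example.

```c
/* Added example, not the kernel's code: a user-space model of the RISC-V
 * frame-pointer-less unwinder. It scans every stack word and keeps those that
 * look like kernel text; no_sanitize_address stands in for READ_ONCE_NOCHECK. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical kernel text window, standing in for __kernel_text_address(). */
#define TEXT_START 0xffffffff80000000ULL
#define TEXT_END   0xffffffff81000000ULL
static int kernel_text_address(uint64_t pc) { return pc >= TEXT_START && pc < TEXT_END; }

/* One uninstrumented stack read (models READ_ONCE_NOCHECK); volatile stops the
 * compiler from caching or merging the load, as READ_ONCE intends. */
__attribute__((no_sanitize_address))
static uint64_t read_once_nocheck(const uint64_t *p) { return *(const volatile uint64_t *)p; }

/* Scan [ksp, end): a saved ra on RISC-V points past the call, so the call site
 * is the word minus 4. Returns how many candidate pcs were stored in out. */
static size_t walk_stackframe_imprecise(const uint64_t *ksp, const uint64_t *end,
                                        uint64_t *out, size_t max)
{
    size_t n = 0;
    while (ksp < end && n < max) {
        uint64_t pc = read_once_nocheck(ksp++) - 0x4;   /* stale words are read too */
        if (kernel_text_address(pc))
            out[n++] = pc;
    }
    return n;
}

/* Constructed sample stack: three words are return addresses (text addresses
 * from the backtrace above, plus 4); the rest are data, a pointer and filler. */
static const uint64_t sample_stack[8] = {
    0x0ULL, 0xffffffff80007c4eULL, 0xf1f1f1f1f1f1f1f1ULL, 0xffffffff8009a052ULL,
    0x00000000deadbeefULL, 0xffffffff80e011dcULL, 0xff600003f1e3d150ULL, 0x4ULL,
};
size_t unwind_sample(uint64_t *out, size_t max)
{
    return walk_stackframe_imprecise(sample_stack, sample_stack + 8, out, max);
}

int main(void)
{
    uint64_t pcs[8];
    size_t n = unwind_sample(pcs, 8);
    for (size_t i = 0; i < n; i++)   /* prints the three recovered call sites */
        printf("[<%016llx>]\n", (unsigned long long)pcs[i]);
    return 0;
}
```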

Responsible

Linux

Reservation

05/02/2025

Disclosure

05/02/2025

Moderation

accepted

CPE

ready

EPSS

0.00152

KEV

no

Activities

very low
