CVE-2023-53642 in Linux
Summary
by MITRE • 10/07/2025
In the Linux kernel, the following vulnerability has been resolved:
x86: fix clear_user_rep_good() exception handling annotation
This code no longer exists in mainline, because it was removed in commit d2c95f9d6802 ("x86: don't use REP_GOOD or ERMS for user memory clearing") upstream.
However, rather than backport the full range of x86 memory clearing and copying cleanups, fix the exception table annotation placement for the final 'rep movsb' in clear_user_rep_good(): rather than pointing at the actual instruction that did the user space access, it pointed to the register move just before it.
That made sense from a code flow standpoint, but not from an actual usage standpoint: it means that if user access takes an exception, the exception handler won't actually find the instruction in the exception tables.
As a result, rather than fixing it up and returning -EFAULT, it would then turn it into a kernel oops report instead, something like:
BUG: unable to handle page fault for address: 0000000020081000 #PF: supervisor write access in kernel mode #PF: error_code(0x0002) - not-present page ... RIP: 0010:clear_user_rep_good+0x1c/0x30 arch/x86/lib/clear_page_64.S:147 ... Call Trace: __clear_user arch/x86/include/asm/uaccess_64.h:103 [inline]
clear_user arch/x86/include/asm/uaccess_64.h:124 [inline]
iov_iter_zero+0x709/0x1290 lib/iov_iter.c:800 iomap_dio_hole_iter fs/iomap/direct-io.c:389 [inline]
iomap_dio_iter fs/iomap/direct-io.c:440 [inline]
__iomap_dio_rw+0xe3d/0x1cd0 fs/iomap/direct-io.c:601 iomap_dio_rw+0x40/0xa0 fs/iomap/direct-io.c:689 ext4_dio_read_iter fs/ext4/file.c:94 [inline]
ext4_file_read_iter+0x4be/0x690 fs/ext4/file.c:145 call_read_iter include/linux/fs.h:2183 [inline]
do_iter_readv_writev+0x2e0/0x3b0 fs/read_write.c:733 do_iter_read+0x2f2/0x750 fs/read_write.c:796 vfs_readv+0xe5/0x150 fs/read_write.c:916 do_preadv+0x1b6/0x270 fs/read_write.c:1008 __do_sys_preadv2 fs/read_write.c:1070 [inline]
__se_sys_preadv2 fs/read_write.c:1061 [inline]
__x64_sys_preadv2+0xef/0x150 fs/read_write.c:1061 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd
which then looks like a filesystem bug rather than the incorrect exception annotation that it is.
[ The alternative to this one-liner fix is to take the upstream series
that cleans this all up:
68674f94ffc9 ("x86: don't use REP_GOOD or ERMS for small memory copies") 20f3337d350c ("x86: don't use REP_GOOD or ERMS for small memory clearing") adfcf4231b8c ("x86: don't use REP_GOOD or ERMS for user memory copies") * d2c95f9d6802 ("x86: don't use REP_GOOD or ERMS for user memory clearing") 3639a535587d ("x86: move stac/clac from user copy routines into callers") 577e6a7fd50d ("x86: inline the 'rep movs' in user copies for the FSRM case") 8c9b6a88b7e2 ("x86: improve on the non-rep 'clear_user' function") 427fda2c8a49 ("x86: improve on the non-rep 'copy_user' function") * e046fe5a36a9 ("x86: set FSRS automatically on AMD CPUs that have FSRM") e1f2750edc4a ("x86: remove 'zerorest' argument from __copy_user_nocache()") 034ff37d3407 ("x86: rewrite '__copy_user_nocache' function")
with either the whole series or at a minimum the two marked commits being needed to fix this issue ]
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 03/01/2026
The vulnerability identified as CVE-2023-53642 resides within the Linux kernel's x86 architecture implementation, specifically concerning the handling of user memory clearing operations. This issue manifests in the incorrect annotation of exception tables for the clear_user_rep_good() function, which was originally designed to manage memory clearing using the rep movsb instruction. The problem stems from a misalignment between the exception table entry and the actual instruction that performs user space memory access, causing improper exception handling during kernel operations. This flaw impacts systems utilizing the x86 architecture where memory clearing operations are performed with the rep movsb instruction, particularly affecting kernel versions that maintain this legacy code path.
The technical flaw lies in the exception table annotation placement within the assembly code of clear_user_rep_good(), where the exception table entry points to a register move instruction preceding the actual user space access rather than the rep movsb instruction itself. This misconfiguration results in exception handlers being unable to locate the correct instruction when page faults occur during user memory access operations. The flaw is categorized under CWE-248, as it represents an improper exception handling scenario where the exception table entries do not correctly correspond to the actual instructions that may generate exceptions. From an ATT&CK perspective, this vulnerability maps to T1547.001 (Registry Run Keys/Startup Folder) and T1059.001 (Command and Scripting Interpreter) through potential privilege escalation paths that could occur if the kernel oops is not properly handled, though the direct impact is more focused on kernel stability and error reporting.
The operational impact of this vulnerability is significant for kernel stability and debugging accuracy, as it transforms legitimate -EFAULT error conditions into kernel oops reports that appear as filesystem or memory management bugs rather than the actual exception table annotation issue. When user memory access fails during a clear_user operation, the kernel's exception handling mechanism fails to properly route the error, leading to confusing error messages that obscure the true nature of the problem. This misdirection can complicate debugging efforts and potentially mask other underlying issues. The vulnerability affects systems where the rep movsb instruction is used for user memory clearing operations, particularly in file system operations involving direct I/O and memory management functions such as iov_iter_zero, iomap_dio_hole_iter, and related functions that utilize the problematic clear_user_rep_good function.
The mitigation approach for CVE-2023-53642 involves either applying the targeted one-line fix that corrects the exception table annotation placement to point to the actual instruction performing user space access, or implementing a broader set of upstream changes that completely remove the problematic rep movsb-based clearing mechanism. The recommended solution aligns with the upstream commit d2c95f9d6802 that eliminated the use of REP_GOOD or ERMS for user memory clearing, which represents a more comprehensive approach to addressing the underlying architectural issues. Organizations should prioritize applying the specific fix that corrects the exception table annotation, as this addresses the immediate vulnerability without requiring extensive code changes. The fix ensures that when page faults occur during user memory access, the exception handler can properly identify the failing instruction and return the appropriate -EFAULT error code instead of generating a kernel oops that obscures the true nature of the problem. This approach maintains backward compatibility while ensuring proper error handling and system stability.