CVE-2023-3640: Kernel: x86/mm: a per-cpu entry area leak was identified through the init_cea_offsets function when prefetchnta and prefetcht2 instructions being used for the per-cpu entry area mapping to the user space
First published: Mon Jun 26 2023(Updated: )
A flaw in the Linux Kernel found. First, based on the previous similar <a href="https://access.redhat.com/security/cve/CVE-2023-0597">CVE-2023-0597</a>, the 'Randomize per-cpu entry area' feature was implemented in /arch/x86/mm/cpu_entry_area.c, which works through the init_cea_offsets() function when KASLR is enabled. However, despite this feature, there is still a risk of per-cpu entry area leaks. In systems with KPTI enabled, only a minimal amount of kernel virtual memory is mapped for users, such as exception/system call entry handlers and any other necessary content for user-to-kernel transitions. However, discovered that the per-cpu entry area was also mapped to user space. As a result, the prefetchnta and prefetcht2 instructions are still effective, allowing us to leak the per-cpu entry area by conducting time-based attacks using prefetch instructions in the address range of 0xfffffe0000000000-0xfffffefffffff000. In fact, due to the insufficiently large address offset range and the step size of 0x3b000, the cpu entry area can be obtained within one or two minutes. Essentially, this is a CPU-level address leak vulnerability that affects the vast majority of Intel CPUs (possibly AMD CPUs as well), due to the inability to resolve the issues introduced by KPTI (Kernel Page Table Isolation). Reference: <a href="https://dl.acm.org/doi/fullHtml/10.1145/3623652.3623669">https://dl.acm.org/doi/fullHtml/10.1145/3623652.3623669</a>
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Linux Linux kernel | ||
| Red Hat Enterprise Linux | =8.0 | |
| Red Hat Enterprise Linux | =9.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2023-3640?
CVE-2023-3640 is a possible unauthorized memory access flaw found in the Linux kernel's cpu_entry_area mapping of X86 CPU data to memory.
What is the severity of CVE-2023-3640?
CVE-2023-3640 has a severity rating of 7.8, which is considered high.
Which software is affected by CVE-2023-3640?
Linux kernel and Redhat Enterprise Linux versions 8.0 and 9.0 are affected by CVE-2023-3640.
How can I fix CVE-2023-3640?
To fix CVE-2023-3640, it is recommended to apply the necessary patches provided by the Linux kernel or Redhat Enterprise Linux.
Where can I find more information about CVE-2023-3640?
You can find more information about CVE-2023-3640 in the following references: [Redhat Bugzilla](https://bugzilla.redhat.com/show_bug.cgi?id=2217523), [Red Hat Security Advisory](https://access.redhat.com/security/cve/CVE-2023-3640), [Red Hat Security Advisory](https://access.redhat.com/security/cve/CVE-2023-0597).
- collector/nvd-latest
- agent/first-publish-date
- agent/softwarecombine
- agent/author
- agent/type
- agent/weakness
- agent/severity
- agent/title
- agent/event
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2023-3640
- agent/references
- agent/tags
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-api
- vendor/linux
- canonical/linux linux kernel
- vendor/redhat
- canonical/red hat enterprise linux
- version/red hat enterprise linux/8.0
- version/red hat enterprise linux/9.0