Cyber Posture

CVE-2023-53024

Severity: High

Published: 27 March 2025
Modified: 22 January 2026
CVSS Score: 7.1 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H)
EPSS Score: 0.0003 (8.7th percentile)
Risk Priority: 14 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Security Summary

CVE-2023-53024 is a pointer leak vulnerability in the Linux kernel's BPF subsystem, stemming from insufficient speculative store bypass (SSB) mitigation for Spectre v4. A prior mitigation inserted lfence instructions after initializing a stack slot with a pointer or spilling a pointer to the stack. However, it did not cover the case where a stack slot is first initialized with a pointer (which is sanitized) and then overwritten with a scalar value. The second write is therefore left subject to SSB, producing a speculative pointer-as-scalar type confusion that lets the pointer's numerical value leak.

A local attacker with low privileges (PR:L) can exploit this by loading an unprivileged BPF program. The attack spills a kernel pointer, such as the frame pointer, to a stack slot, overwrites it with a user-controlled scalar, and then uses a branch-based cache side channel to leak pointer bits. For example, the provided BPF bytecode aliases the frame pointer, stores it to the stack (triggering an lfence), overwrites it with a scalar (no lfence, because the slot was already initialized), and speculatively loads the pointer to encode its bits in cache state, which are then read back via timed accesses. Repeating this recovers full 64-bit addresses on amd64, giving high confidentiality impact (C:H) without any integrity or availability impact.

Kernel patches address this by extending sanitization to scalars that overwrite stack slots which previously held pointers, inserting lfence instructions in those cases as well. Relevant stable commits include 01bdcc73dbe7be3ad4d4ee9a59b71e42f461a528, 81b3374944d201872cfcf82730a7860f8e7c31dd, aae109414a57ab4164218f36e2e4a17f027fcaaa, b0c89ef025562161242a7c19b213bd6b272e93df, and da75dec7c6617bddad418159ffebcb133f008262. The fix assumes that pointer spills occur only under register pressure from LLVM, so the performance impact on real-world BPF programs should be small, and it does not depend on verifier environment flags like allow_uninit_stack or ptr_leaks, giving consistent protection.
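As an added illustration, not code from the kernel, from the patches or from this page, the following C model replays the stack-slot rule described in the summary under both the original mitigation and the fixed one. The STACK_* slot states, the two policy names and the replay helper are the model's own simplification of the verifier's per-byte stack tracking (assumed, not the kernel's data structures).

```c
#include <stdbool.h>
#define BPF_REG_SIZE 8

/* Per-byte stack slot states and mitigation policies. Names mirror the kernel
 * verifier's, but this is a stand-alone model, not kernel code. */
enum slot_type { STACK_INVALID = 0, STACK_SPILL, STACK_MISC, STACK_ZERO };
enum policy { POLICY_ORIGINAL, POLICY_FIXED };
struct slot { enum slot_type type[BPF_REG_SIZE]; };

/* Does a store into `s` need a speculation barrier (lfence) after it?
 * POLICY_ORIGINAL: only if the value is a pointer or the slot is still
 *   uninitialized; a scalar over an initialized slot is not fenced.
 * POLICY_FIXED: also when the slot holds a spilled value, so a scalar
 *   overwriting a previously spilled pointer is fenced too. */
static bool needs_sanitize(enum policy p, const struct slot *s, bool is_ptr)
{
	bool sanitize = is_ptr;
	for (int i = 0; i < BPF_REG_SIZE; i++) {
		enum slot_type t = s->type[i];
		bool hit = (p == POLICY_ORIGINAL) ? (t == STACK_INVALID)
		                                  : (t != STACK_MISC && t != STACK_ZERO);
		if (hit) {
			sanitize = true;
			break;
		}
	}
	return sanitize;
}

/* Update the slot after the store: a pointer spill becomes STACK_SPILL, a
 * plain scalar store becomes STACK_MISC (simplified verifier bookkeeping). */
static void store(struct slot *s, bool is_ptr)
{
	for (int i = 0; i < BPF_REG_SIZE; i++)
		s->type[i] = is_ptr ? STACK_SPILL : STACK_MISC;
}

/* Replay two stores to one fresh slot; return a bitmask of which stores were
 * fenced (bit 0 = first store, bit 1 = second store). */
unsigned replay(enum policy p, bool first_is_ptr, bool second_is_ptr)
{
	struct slot s = { { STACK_INVALID } }; /* every byte uninitialized */
	unsigned fenced = 0;
	if (needs_sanitize(p, &s, first_is_ptr)) fenced |= 1u;
	store(&s, first_is_ptr);
	if (needs_sanitize(p, &s, second_is_ptr)) fenced |= 2u;
	store(&s, second_is_ptr);
	return fenced;
}
```

The pointer-spill-then-scalar sequence from the summary yields 1 under POLICY_ORIGINAL (only the spill is fenced, which is the bug) and 3 under POLICY_FIXED, while a scalar reusing a scalar slot stays at 1 under both, so the fix does not fence ordinary stack reuse.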

Details

CWE(s): NVD-CWE-noinfo

Affected Products

Vendor: linux
Product: linux kernel
Versions: 5.14, 6.2 · 4.19.207 — 4.19.272 · 5.4.146 — 5.4.231 · 5.10.56 — 5.10.166

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

This kernel pointer leak in BPF lets a local attacker defeat KASLR through a speculative-execution side channel, which directly facilitates further kernel exploitation for privilege escalation.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0
