CVE-2024-53687: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-53687 is a vulnerability in the Linux kernel affecting the RISC-V architecture implementation of KFENCE (Kernel Electric-Fence). The issue was discovered when flushtlbkernel_range() was found to use IPIs (Inter-Processor Interrupts) to flush the TLBs of all cores, which triggered warnings when interrupts were disabled. The vulnerability was disclosed on January 11, 2025 (NVD).

The vulnerability occurs in the KFENCE implementation for RISC-V processors, specifically in the kfenceprotectpage() function. The issue arises when flushtlbkernel_range() attempts to use IPIs to flush Translation Lookaside Buffers (TLBs) across all cores while interrupts are disabled, leading to system warnings. The fix involves modifying the code to only flush the local TLB and allowing lazy KFENCE page fault handling to manage faults that might occur when a core has an old protected page table entry version cached in its TLB (Kernel Commit).

The vulnerability affects the KFENCE memory debugging feature on RISC-V systems. While the issue leads to potential inaccuracies in memory debugging, these inaccuracies are considered tolerable when using KFENCE. The impact is limited to debugging functionality and does not present a direct security risk (Kernel Commit).

The issue has been fixed in the Linux kernel through a patch that modifies the TLB flushing behavior in the KFENCE implementation. The fix involves using localflushtlbkernelrange() instead of flushtlbkernel_range() and adding proper preemption control. The patch has been merged into the mainline kernel and is being backported to stable kernel versions (Kernel Commit).