CVE-2023-53713
Description
In the Linux kernel, the following vulnerability has been resolved:
arm64: sme: Use STR P to clear FFR context field in streaming SVE mode
The FFR is a predicate register which can vary between 16 and 256 bits in size depending upon the configured vector length. When saving the SVE state in streaming SVE mode, the FFR register is inaccessible and so commit 9f5848665788 ("arm64/sve: Make access to FFR optional") simply clears the FFR field of the in-memory context structure. Unfortunately, it achieves this using an unconditional 8-byte store and so if the SME vector length is anything other than 64 bytes in size we will either fail to clear the entire field or, worse, we will corrupt memory immediately following the structure. This has led to intermittent kfence splats in CI [1] and can trigger kmalloc Redzone corruption messages when running the 'fp-stress' kselftest:
| =============================================================================
| BUG kmalloc-1k (Not tainted): kmalloc Redzone overwritten
| -----------------------------------------------------------------------------
|
| 0xffff000809bf1e22-0xffff000809bf1e27 @offset=7714. First byte 0x0 instead of 0xcc
| Allocated in do_sme_acc+0x9c/0x220 age=2613 cpu=1 pid=531
|  __kmalloc+0x8c/0xcc
|  do_sme_acc+0x9c/0x220
| ...
Replace the 8-byte store with a store of a predicate register which has been zero-initialised with PFALSE, ensuring that the entire field is cleared in memory.
[1] https://lore.kernel.org/r/CA+G9fYtU7HsV0R0dp4XEH5xXHSJFw8KyDf5VQrLLfMxWfxQkag@mail.gmail.com
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A bug in the Linux kernel's ARM64 SME support causes memory corruption when clearing the FFR register context in streaming SVE mode, leading to kfence splats and kernel memory corruption.
A flaw in the Linux kernel's ARM64 Scalable Matrix Extension (SME) support results in memory corruption when the system operates in streaming SVE mode [1]. The FFR (First Fault Register) is a predicate register whose size varies (16–256 bits) based on the configured vector length [1]. Commit 9f5848665788 made access to FFR optional by clearing its in-memory context field, but it did so using an unconditional 8-byte store (STR) [1]. If the SME vector length is not exactly 64 bytes, this store either fails to zero the entire field or corrupts memory adjacent to the structure [1].
The issue is exploitable without special privileges; any code path that triggers saving SVE state in streaming SVE mode can encounter the bug [1]. If the vector length is larger than 64 bytes, only the first 8 bytes are cleared, leaving stale data in the rest of the FFR field. If the vector length is smaller, the 8-byte write extends past the end of the field, an out-of-bounds write into whatever follows the structure [1]. This has been observed in practice as intermittent kfence splats and kmalloc Redzone corruption during the fp-stress kselftest [1].
Impact includes kernel memory corruption, which can lead to system instability, data corruption, or potentially exploitable memory safety violations (e.g., heap overflow) [1]. The corruption manifests as kmalloc Redzone overwrites, indicating that adjacent kernel heap objects are being corrupted [1].
The fix replaces the 8-byte store with a store of a zero-initialised predicate register (using PFALSE) [1]. This ensures the entire FFR field is correctly cleared regardless of vector length [1]. The patch has been applied to the stable kernel tree and is available in the referenced commit [1].
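The failure mode described above can be reproduced in a small model: an SVE predicate register (the FFR included) is one bit per vector byte, so its in-memory field is VL/8 bytes wide, and an unconditional 8-byte store matches that width only when VL is 64 bytes. The following C program is an added illustration written for this page, not kernel code; it assumes a context field laid out directly in front of a redzone filled with 0xcc (the kmalloc redzone byte quoted in the splat) and compares the pre-fix 8-byte store with the post-fix predicate-width store for each supported vector length.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model (not kernel code): an SVE predicate register, FFR
 * included, holds one bit per vector byte, so it is VL/8 bytes wide for a
 * vector length VL of 16..256 bytes (2..32 bytes of predicate). */
#define MAX_PRED_BYTES 32
#define REDZONE_BYTES  8
#define REDZONE_BYTE   0xcc   /* same fill value as the kmalloc redzone in the splat */
#define STALE_BYTE     0xaa   /* stands in for leftover FFR contents */

/* Width of the FFR field for a given vector length; 0 for an invalid VL. */
static size_t ffr_bytes_for_vl(size_t vl_bytes)
{
    if (vl_bytes < 16 || vl_bytes > MAX_PRED_BYTES * 8 || vl_bytes % 16)
        return 0;
    return vl_bytes / 8;
}

/* The FFR context field followed by the bytes immediately after it. */
struct ffr_ctx_model {
    uint8_t mem[MAX_PRED_BYTES + REDZONE_BYTES];
    size_t ffr_len;
};

static void ctx_init(struct ffr_ctx_model *c, size_t ffr_len)
{
    c->ffr_len = ffr_len;
    memset(c->mem, STALE_BYTE, ffr_len);
    memset(c->mem + ffr_len, REDZONE_BYTE, sizeof c->mem - ffr_len);
}

/* Pre-fix behaviour: an unconditional 8-byte zero store, regardless of VL. */
static void clear_ffr_8byte_store(struct ffr_ctx_model *c)
{
    uint64_t zero = 0;
    memcpy(c->mem, &zero, sizeof zero);
}

/* Post-fix behaviour: storing a predicate register zeroed with PFALSE writes
 * exactly one predicate's worth of bytes, i.e. the whole field and no more. */
static void clear_ffr_pred_store(struct ffr_ctx_model *c)
{
    memset(c->mem, 0, c->ffr_len);
}

struct clear_result {
    int field_cleared;                /* 1 if every FFR byte is zero, -1 on bad VL */
    size_t redzone_bytes_overwritten; /* bytes past the field that were touched */
};

/* Run one clear against a freshly filled field and report its effect on memory. */
static struct clear_result simulate_clear(size_t vl_bytes, int use_fixed_store)
{
    struct clear_result r = { -1, 0 };
    struct ffr_ctx_model c;
    size_t ffr_len = ffr_bytes_for_vl(vl_bytes);
    size_t i;

    if (ffr_len == 0)
        return r;
    ctx_init(&c, ffr_len);
    if (use_fixed_store)
        clear_ffr_pred_store(&c);
    else
        clear_ffr_8byte_store(&c);

    r.field_cleared = 1;
    for (i = 0; i < ffr_len; i++)
        if (c.mem[i] != 0)
            r.field_cleared = 0;
    for (i = ffr_len; i < ffr_len + REDZONE_BYTES; i++)
        if (c.mem[i] != REDZONE_BYTE)
            r.redzone_bytes_overwritten++;
    return r;
}

int main(void)
{
    static const size_t vls[] = { 16, 32, 64, 128, 256 };
    size_t i;

    for (i = 0; i < sizeof vls / sizeof vls[0]; i++) {
        struct clear_result bug = simulate_clear(vls[i], 0);
        struct clear_result fix = simulate_clear(vls[i], 1);
        printf("VL=%3zu FFR=%2zu bytes | 8-byte store: cleared=%d overrun=%zu"
               " | predicate store: cleared=%d overrun=%zu\n",
               vls[i], ffr_bytes_for_vl(vls[i]),
               bug.field_cleared, bug.redzone_bytes_overwritten,
               fix.field_cleared, fix.redzone_bytes_overwritten);
    }
    return 0;
}
```

Running it shows the two halves of the bug the commit message describes: with VL below 64 bytes the 8-byte store reports bytes overwritten past the field (6 bytes at VL=16, which is why the redzone checker sees 0x0 where it expects 0xcc), with VL above 64 bytes it reports the field only partially cleared, and only at VL=64 do both checks pass. The predicate-width store passes both checks for every VL.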
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches (1)
497669214944e8769a62faacb1403a899153a893b24181b4c
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions (4)
No linked articles in our index yet.