Message-ID: <2025091513-CVE-2023-53221-c23e@gregkh>
Date: Mon, 15 Sep 2025 16:21:55 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2023-53221: bpf: Fix memleak due to fentry attach failure
From: Greg Kroah-Hartman <gregkh@...nel.org>
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix memleak due to fentry attach failure
If it fails to attach fentry, the allocated bpf trampoline image will be
left in the system. That can be verified by checking /proc/kallsyms.
This memleak can be verified by a simple bpf program as follows:
  #include <linux/bpf.h>
  #include <bpf/bpf_helpers.h>

  /* trap_init() is __init and gone after boot, so attaching fails */
  SEC("fentry/trap_init")
  int fentry_run(void)
  {
  	return 0;
  }
  char LICENSE[] SEC("license") = "GPL";
It will fail to attach trap_init because this function is freed after
kernel init, and then we can find the trampoline image is left in the
system by checking /proc/kallsyms.
$ tail /proc/kallsyms
ffffffffc0613000 t bpf_trampoline_6442453466_1 [bpf]
ffffffffc06c3000 t bpf_trampoline_6442453466_1 [bpf]
$ bpftool btf dump file /sys/kernel/btf/vmlinux | grep "FUNC 'trap_init'"
[2522] FUNC 'trap_init' type_id=119 linkage=static
$ echo $((6442453466 & 0x7fffffff))
2522
Note that there are two left bpf trampoline images; that is because
libbpf will fall back to raw tracepoint if -EINVAL is returned.
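As an added example (not part of this announcement or of the kernel's own tooling), the following script scans /proc/kallsyms-formatted text for the duplicate trampoline symbol shown above and decodes the key the way bpf_trampoline_compute_key() lays it out, so the low bits can be compared with the bpftool BTF dump. The sample lines are constructed from the report; the healthy key 6442457000 and the bpf_prog symbol are made-up values.

```python
"""Flag duplicate BPF trampoline images in /proc/kallsyms and decode their keys."""
import re
from collections import Counter

# Symbol the kernel registers for each trampoline image: bpf_trampoline_<key>_<idx>
TRAMPOLINE_RE = re.compile(
    r"^(?P<addr>[0-9a-f]+)\s+\S\s+(?P<name>bpf_trampoline_(?P<key>\d+)_(?P<idx>\d+))"
    r"(?:\s+\[(?P<mod>\S+)\])?$"
)

# Constructed sample: the two leaked images from the report, a unique healthy
# trampoline (made-up key) and an unrelated prog symbol (made-up hash).
SAMPLE_KALLSYMS = """\
ffffffffc0600000 t bpf_prog_6deef7357e7b4530_fentry_run [bpf]
ffffffffc0613000 t bpf_trampoline_6442453466_1 [bpf]
ffffffffc06c3000 t bpf_trampoline_6442453466_1 [bpf]
ffffffffc0710000 t bpf_trampoline_6442457000_1 [bpf]
"""


def decode_trampoline_key(key):
    """Split a key into (obj_or_prog_id, btf_target, btf_id).

    Per bpf_trampoline_compute_key(): upper 32 bits hold the BTF object id
    (1 == vmlinux) or the target prog id; bit 31 is set when the target is a
    BTF-described kernel function; the low 31 bits are the target's BTF type id.
    """
    return key >> 32, bool(key & 0x80000000), key & 0x7FFFFFFF


def find_trampolines(kallsyms_text):
    """Return (address, symbol name, key, idx, module) for every trampoline symbol."""
    found = []
    for line in kallsyms_text.splitlines():
        m = TRAMPOLINE_RE.match(line.strip())
        if m:
            found.append((int(m["addr"], 16), m["name"], int(m["key"]),
                          int(m["idx"]), m["mod"]))
    return found


def leaked_trampoline_symbols(kallsyms_text):
    """Map each trampoline symbol name seen at more than one address to its count;
    one name at two addresses is the leftover-image signature from the report."""
    counts = Counter(name for _, name, _, _, _ in find_trampolines(kallsyms_text))
    return {name: n for name, n in counts.items() if n > 1}


if __name__ == "__main__":
    text = SAMPLE_KALLSYMS  # on a live system: open("/proc/kallsyms").read()
    for name, n in leaked_trampoline_symbols(text).items():
        obj_id, btf_target, btf_id = decode_trampoline_key(int(name.split("_")[2]))
        # compare btf_id with: bpftool btf dump file /sys/kernel/btf/vmlinux
        print(f"{name}: {n} images, obj_id={obj_id} btf_target={btf_target} btf_id={btf_id}")
```

A trampoline that is being updated can briefly show two images, so rescan a few seconds later before treating a duplicate as a leak.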
The Linux kernel CVE team has assigned CVE-2023-53221 to this issue.
Affected and fixed versions
===========================
Issue introduced in 5.12 with commit e21aa341785c679dd409c8cb71f864c00fe6c463 and fixed in 6.1.39 with commit 20109ddd5bea2c24d790debf5d02584ef24c3f5e
Issue introduced in 5.12 with commit e21aa341785c679dd409c8cb71f864c00fe6c463 and fixed in 6.3.13 with commit f72c67d1a82dada7d6d504c806e111e913721a30
Issue introduced in 5.12 with commit e21aa341785c679dd409c8cb71f864c00fe6c463 and fixed in 6.4.4 with commit 6aa27775db63ba8c7c73891c7dfb71ddc230c48d
Issue introduced in 5.12 with commit e21aa341785c679dd409c8cb71f864c00fe6c463 and fixed in 6.5 with commit 108598c39eefbedc9882273ac0df96127a629220
Issue introduced in 5.10.28 with commit e21d2b92354b3cd25dd774ebb0f0e52ff04a7861
Issue introduced in 5.11.11 with commit 85d177f56e5256e14b74a65940f981f6e3e8bb32
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2023-53221
will be updated if fixes are backported; please check that for the most
up-to-date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
kernel/bpf/trampoline.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If, however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/20109ddd5bea2c24d790debf5d02584ef24c3f5e
https://git.kernel.org/stable/c/f72c67d1a82dada7d6d504c806e111e913721a30
https://git.kernel.org/stable/c/6aa27775db63ba8c7c73891c7dfb71ddc230c48d
https://git.kernel.org/stable/c/108598c39eefbedc9882273ac0df96127a629220