| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025091723-CVE-2023-53368-3371@gregkh>
Date: Wed, 17 Sep 2025 16:57:07 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2023-53368: tracing: Fix race issue between cpu buffer write and swap
From: Greg Kroah-Hartman <gregkh@...nel.org>
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
tracing: Fix race issue between cpu buffer write and swap
Warning happened in rb_end_commit() at code:
if (RB_WARN_ON(cpu_buffer, !local_read(&cpu_buffer->committing)))
WARNING: CPU: 0 PID: 139 at kernel/trace/ring_buffer.c:3142
rb_commit+0x402/0x4a0
Call Trace:
ring_buffer_unlock_commit+0x42/0x250
trace_buffer_unlock_commit_regs+0x3b/0x250
trace_event_buffer_commit+0xe5/0x440
trace_event_buffer_reserve+0x11c/0x150
trace_event_raw_event_sched_switch+0x23c/0x2c0
__traceiter_sched_switch+0x59/0x80
__schedule+0x72b/0x1580
schedule+0x92/0x120
worker_thread+0xa0/0x6f0
It is because the race between writing event into cpu buffer and swapping
cpu buffer through file per_cpu/cpu0/snapshot:
Write on CPU 0 Swap buffer by per_cpu/cpu0/snapshot on CPU 1
-------- --------
tracing_snapshot_write()
[...]
ring_buffer_lock_reserve()
cpu_buffer = buffer->buffers[cpu]; // 1. Suppose find 'cpu_buffer_a';
[...]
rb_reserve_next_event()
[...]
ring_buffer_swap_cpu()
if (local_read(&cpu_buffer_a->committing))
goto out_dec;
if (local_read(&cpu_buffer_b->committing))
goto out_dec;
buffer_a->buffers[cpu] = cpu_buffer_b;
buffer_b->buffers[cpu] = cpu_buffer_a;
// 2. cpu_buffer has swapped here.
rb_start_commit(cpu_buffer);
if (unlikely(READ_ONCE(cpu_buffer->buffer)
!= buffer)) { // 3. This check passed due to 'cpu_buffer->buffer'
[...] // has not changed here.
return NULL;
}
cpu_buffer_b->buffer = buffer_a;
cpu_buffer_a->buffer = buffer_b;
[...]
// 4. Reserve event from 'cpu_buffer_a'.
ring_buffer_unlock_commit()
[...]
cpu_buffer = buffer->buffers[cpu]; // 5. Now find 'cpu_buffer_b' !!!
rb_commit(cpu_buffer)
rb_end_commit() // 6. WARN for the wrong 'committing' state !!!
Based on above analysis, we can easily reproduce by following testcase:
``` bash
#!/bin/bash
dmesg -n 7
sysctl -w kernel.panic_on_warn=1
TR=/sys/kernel/tracing
echo 7 > ${TR}/buffer_size_kb
echo "sched:sched_switch" > ${TR}/set_event
while [ true ]; do
echo 1 > ${TR}/per_cpu/cpu0/snapshot
done &
while [ true ]; do
echo 1 > ${TR}/per_cpu/cpu0/snapshot
done &
while [ true ]; do
echo 1 > ${TR}/per_cpu/cpu0/snapshot
done &
```
To fix it, IIUC, we can use smp_call_function_single() to do the swap on
the target cpu where the buffer is located, so that above race would be
avoided.
The Linux kernel CVE team has assigned CVE-2023-53368 to this issue.
Affected and fixed versions
===========================
Issue introduced in 3.10 with commit f1affcaaa861f27752a769f889bf1486ebd301fe and fixed in 5.4.257 with commit 90e037cabc2c2dfc39b3dd9c5b22ea91f995539a
Issue introduced in 3.10 with commit f1affcaaa861f27752a769f889bf1486ebd301fe and fixed in 5.10.195 with commit c5d30d6aa83d99fba8dfdd9cf6c4e4e7a63244db
Issue introduced in 3.10 with commit f1affcaaa861f27752a769f889bf1486ebd301fe and fixed in 5.15.132 with commit 6182318ac04648b46db9d441fd7d696337fcdd0b
Issue introduced in 3.10 with commit f1affcaaa861f27752a769f889bf1486ebd301fe and fixed in 6.1.53 with commit 74c85396bd73eca80b96510b4edf93b9a3aff75f
Issue introduced in 3.10 with commit f1affcaaa861f27752a769f889bf1486ebd301fe and fixed in 6.4.16 with commit 89c89da92a60028013f9539be0dcce7e44405a43
Issue introduced in 3.10 with commit f1affcaaa861f27752a769f889bf1486ebd301fe and fixed in 6.5.3 with commit 37ca1b686078b00cc4ffa008e2190615f7709b5d
Issue introduced in 3.10 with commit f1affcaaa861f27752a769f889bf1486ebd301fe and fixed in 6.6 with commit 3163f635b20e9e1fb4659e74f47918c9dddfe64e
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2023-53368
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
kernel/trace/trace.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/90e037cabc2c2dfc39b3dd9c5b22ea91f995539a
https://git.kernel.org/stable/c/c5d30d6aa83d99fba8dfdd9cf6c4e4e7a63244db
https://git.kernel.org/stable/c/6182318ac04648b46db9d441fd7d696337fcdd0b
https://git.kernel.org/stable/c/74c85396bd73eca80b96510b4edf93b9a3aff75f
https://git.kernel.org/stable/c/89c89da92a60028013f9539be0dcce7e44405a43
https://git.kernel.org/stable/c/37ca1b686078b00cc4ffa008e2190615f7709b5d
https://git.kernel.org/stable/c/3163f635b20e9e1fb4659e74f47918c9dddfe64e
Powered by blists - more mailing lists