CVE-2023-53221

Summary

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix memleak due to fentry attach failure

If it fails to attach fentry, the allocated bpf trampoline image will be left in the system. That can be verified by checking /proc/kallsyms.

This meamleak can be verified by a simple bpf program as follows:

SEC("fentry/trap_init") int fentry_run() { return 0; }

It will fail to attach trap_init because this function is freed after kernel init, and then we can find the trampoline image is left in the system by checking /proc/kallsyms.

$ tail /proc/kallsyms ffffffffc0613000 t bpf_trampoline_6442453466_1 [bpf] ffffffffc06c3000 t bpf_trampoline_6442453466_1 [bpf]

$ bpftool btf dump file /sys/kernel/btf/vmlinux | grep "FUNC 'trap_init'" [2522] FUNC 'trap_init' type_id=119 linkage=static

$ echo $((6442453466 & 0x7fffffff)) 2522

Note that there are two left bpf trampoline images, that is because the libbpf will fallback to raw tracepoint if -EINVAL is returned.

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxe21aa341785c679dd409c8cb71f864c00fe6c463 < 20109ddd5bea2c24d790debf5d02584ef24c3f5eaffected
LinuxLinuxe21aa341785c679dd409c8cb71f864c00fe6c463 < f72c67d1a82dada7d6d504c806e111e913721a30affected
LinuxLinuxe21aa341785c679dd409c8cb71f864c00fe6c463 < 6aa27775db63ba8c7c73891c7dfb71ddc230c48daffected
LinuxLinuxe21aa341785c679dd409c8cb71f864c00fe6c463 < 108598c39eefbedc9882273ac0df96127a629220affected
LinuxLinuxe21d2b92354b3cd25dd774ebb0f0e52ff04a7861affected
LinuxLinux85d177f56e5256e14b74a65940f981f6e3e8bb32affected
LinuxLinux5.10.28 < 5.11affected
LinuxLinux5.11.11 < 5.12affected
LinuxLinux5.12affected
LinuxLinux0 < 5.12unaffected
LinuxLinux6.1.39 <= 6.1.*unaffected
LinuxLinux6.3.13 <= 6.3.*unaffected
LinuxLinux6.4.4 <= 6.4.*unaffected
LinuxLinux6.5 <= *unaffected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References