CVE-2023-54303 (GCVE-0-2023-54303)
Vulnerability from cvelistv5
Published
2025-12-30 12:23
Modified
2025-12-30 12:23
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: bpf: Disable preemption in bpf_perf_event_output The nesting protection in bpf_perf_event_output relies on disabled preemption, which is guaranteed for kprobes and tracepoints. However bpf_perf_event_output can be also called from uprobes context through bpf_prog_run_array_sleepable function which disables migration, but keeps preemption enabled. This can cause task to be preempted by another one inside the nesting protection and lead eventually to two tasks using same perf_sample_data buffer and cause crashes like: kernel tried to execute NX-protected page - exploit attempt? (uid: 0) BUG: unable to handle page fault for address: ffffffff82be3eea ... Call Trace: ? __die+0x1f/0x70 ? page_fault_oops+0x176/0x4d0 ? exc_page_fault+0x132/0x230 ? asm_exc_page_fault+0x22/0x30 ? perf_output_sample+0x12b/0x910 ? perf_event_output+0xd0/0x1d0 ? bpf_perf_event_output+0x162/0x1d0 ? bpf_prog_c6271286d9a4c938_krava1+0x76/0x87 ? __uprobe_perf_func+0x12b/0x540 ? uprobe_dispatcher+0x2c4/0x430 ? uprobe_notify_resume+0x2da/0xce0 ? atomic_notifier_call_chain+0x7b/0x110 ? exit_to_user_mode_prepare+0x13e/0x290 ? irqentry_exit_to_user_mode+0x5/0x30 ? asm_exc_int3+0x35/0x40 Fixing this by disabling preemption in bpf_perf_event_output.
References
Impacted products
Vendor Product Version
Linux Linux Version: 8c7dcb84e3b744b2b70baa7a44a9b1881c33a9c9
Version: 8c7dcb84e3b744b2b70baa7a44a9b1881c33a9c9
Version: 8c7dcb84e3b744b2b70baa7a44a9b1881c33a9c9
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/trace/bpf_trace.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "3654ed5daf492463c3faa434c7000d45c2da2ace",
              "status": "affected",
              "version": "8c7dcb84e3b744b2b70baa7a44a9b1881c33a9c9",
              "versionType": "git"
            },
            {
              "lessThan": "a0ac32cf61e5a76e2429e486925a52ee41dd75e3",
              "status": "affected",
              "version": "8c7dcb84e3b744b2b70baa7a44a9b1881c33a9c9",
              "versionType": "git"
            },
            {
              "lessThan": "f2c67a3e60d1071b65848efaa8c3b66c363dd025",
              "status": "affected",
              "version": "8c7dcb84e3b744b2b70baa7a44a9b1881c33a9c9",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/trace/bpf_trace.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.0"
            },
            {
              "lessThan": "6.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.45",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.4.*",
              "status": "unaffected",
              "version": "6.4.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.5",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.45",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.4.10",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.5",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Disable preemption in bpf_perf_event_output\n\nThe nesting protection in bpf_perf_event_output relies on disabled\npreemption, which is guaranteed for kprobes and tracepoints.\n\nHowever bpf_perf_event_output can be also called from uprobes context\nthrough bpf_prog_run_array_sleepable function which disables migration,\nbut keeps preemption enabled.\n\nThis can cause task to be preempted by another one inside the nesting\nprotection and lead eventually to two tasks using same perf_sample_data\nbuffer and cause crashes like:\n\n  kernel tried to execute NX-protected page - exploit attempt? (uid: 0)\n  BUG: unable to handle page fault for address: ffffffff82be3eea\n  ...\n  Call Trace:\n   ? __die+0x1f/0x70\n   ? page_fault_oops+0x176/0x4d0\n   ? exc_page_fault+0x132/0x230\n   ? asm_exc_page_fault+0x22/0x30\n   ? perf_output_sample+0x12b/0x910\n   ? perf_event_output+0xd0/0x1d0\n   ? bpf_perf_event_output+0x162/0x1d0\n   ? bpf_prog_c6271286d9a4c938_krava1+0x76/0x87\n   ? __uprobe_perf_func+0x12b/0x540\n   ? uprobe_dispatcher+0x2c4/0x430\n   ? uprobe_notify_resume+0x2da/0xce0\n   ? atomic_notifier_call_chain+0x7b/0x110\n   ? exit_to_user_mode_prepare+0x13e/0x290\n   ? irqentry_exit_to_user_mode+0x5/0x30\n   ? asm_exc_int3+0x35/0x40\n\nFixing this by disabling preemption in bpf_perf_event_output."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-30T12:23:37.827Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/3654ed5daf492463c3faa434c7000d45c2da2ace"
        },
        {
          "url": "https://git.kernel.org/stable/c/a0ac32cf61e5a76e2429e486925a52ee41dd75e3"
        },
        {
          "url": "https://git.kernel.org/stable/c/f2c67a3e60d1071b65848efaa8c3b66c363dd025"
        }
      ],
      "title": "bpf: Disable preemption in bpf_perf_event_output",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-54303",
    "datePublished": "2025-12-30T12:23:37.827Z",
    "dateReserved": "2025-12-30T12:06:44.529Z",
    "dateUpdated": "2025-12-30T12:23:37.827Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-54303\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-12-30T13:16:19.437\",\"lastModified\":\"2025-12-31T20:42:43.210\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbpf: Disable preemption in bpf_perf_event_output\\n\\nThe nesting protection in bpf_perf_event_output relies on disabled\\npreemption, which is guaranteed for kprobes and tracepoints.\\n\\nHowever bpf_perf_event_output can be also called from uprobes context\\nthrough bpf_prog_run_array_sleepable function which disables migration,\\nbut keeps preemption enabled.\\n\\nThis can cause task to be preempted by another one inside the nesting\\nprotection and lead eventually to two tasks using same perf_sample_data\\nbuffer and cause crashes like:\\n\\n  kernel tried to execute NX-protected page - exploit attempt? (uid: 0)\\n  BUG: unable to handle page fault for address: ffffffff82be3eea\\n  ...\\n  Call Trace:\\n   ? __die+0x1f/0x70\\n   ? page_fault_oops+0x176/0x4d0\\n   ? exc_page_fault+0x132/0x230\\n   ? asm_exc_page_fault+0x22/0x30\\n   ? perf_output_sample+0x12b/0x910\\n   ? perf_event_output+0xd0/0x1d0\\n   ? bpf_perf_event_output+0x162/0x1d0\\n   ? bpf_prog_c6271286d9a4c938_krava1+0x76/0x87\\n   ? __uprobe_perf_func+0x12b/0x540\\n   ? uprobe_dispatcher+0x2c4/0x430\\n   ? uprobe_notify_resume+0x2da/0xce0\\n   ? atomic_notifier_call_chain+0x7b/0x110\\n   ? exit_to_user_mode_prepare+0x13e/0x290\\n   ? irqentry_exit_to_user_mode+0x5/0x30\\n   ? asm_exc_int3+0x35/0x40\\n\\nFixing this by disabling preemption in bpf_perf_event_output.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/3654ed5daf492463c3faa434c7000d45c2da2ace\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/a0ac32cf61e5a76e2429e486925a52ee41dd75e3\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/f2c67a3e60d1071b65848efaa8c3b66c363dd025\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.