FKIE_CVE-2023-53368

Vulnerability from fkie_nvd - Published: 2025-09-17 15:15 - Updated: 2025-09-18 13:43
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: tracing: Fix race issue between cpu buffer write and swap Warning happened in rb_end_commit() at code: if (RB_WARN_ON(cpu_buffer, !local_read(&cpu_buffer->committing))) WARNING: CPU: 0 PID: 139 at kernel/trace/ring_buffer.c:3142 rb_commit+0x402/0x4a0 Call Trace: ring_buffer_unlock_commit+0x42/0x250 trace_buffer_unlock_commit_regs+0x3b/0x250 trace_event_buffer_commit+0xe5/0x440 trace_event_buffer_reserve+0x11c/0x150 trace_event_raw_event_sched_switch+0x23c/0x2c0 __traceiter_sched_switch+0x59/0x80 __schedule+0x72b/0x1580 schedule+0x92/0x120 worker_thread+0xa0/0x6f0 It is because the race between writing event into cpu buffer and swapping cpu buffer through file per_cpu/cpu0/snapshot: Write on CPU 0 Swap buffer by per_cpu/cpu0/snapshot on CPU 1 -------- -------- tracing_snapshot_write() [...] ring_buffer_lock_reserve() cpu_buffer = buffer->buffers[cpu]; // 1. Suppose find 'cpu_buffer_a'; [...] rb_reserve_next_event() [...] ring_buffer_swap_cpu() if (local_read(&cpu_buffer_a->committing)) goto out_dec; if (local_read(&cpu_buffer_b->committing)) goto out_dec; buffer_a->buffers[cpu] = cpu_buffer_b; buffer_b->buffers[cpu] = cpu_buffer_a; // 2. cpu_buffer has swapped here. rb_start_commit(cpu_buffer); if (unlikely(READ_ONCE(cpu_buffer->buffer) != buffer)) { // 3. This check passed due to 'cpu_buffer->buffer' [...] // has not changed here. return NULL; } cpu_buffer_b->buffer = buffer_a; cpu_buffer_a->buffer = buffer_b; [...] // 4. Reserve event from 'cpu_buffer_a'. ring_buffer_unlock_commit() [...] cpu_buffer = buffer->buffers[cpu]; // 5. Now find 'cpu_buffer_b' !!! rb_commit(cpu_buffer) rb_end_commit() // 6. WARN for the wrong 'committing' state !!! Based on above analysis, we can easily reproduce by following testcase: ``` bash #!/bin/bash dmesg -n 7 sysctl -w kernel.panic_on_warn=1 TR=/sys/kernel/tracing echo 7 > ${TR}/buffer_size_kb echo "sched:sched_switch" > ${TR}/set_event while [ true ]; do echo 1 > ${TR}/per_cpu/cpu0/snapshot done & while [ true ]; do echo 1 > ${TR}/per_cpu/cpu0/snapshot done & while [ true ]; do echo 1 > ${TR}/per_cpu/cpu0/snapshot done & ``` To fix it, IIUC, we can use smp_call_function_single() to do the swap on the target cpu where the buffer is located, so that above race would be avoided.
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/3163f635b20e9e1fb4659e74f47918c9dddfe64e
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/37ca1b686078b00cc4ffa008e2190615f7709b5d
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/6182318ac04648b46db9d441fd7d696337fcdd0b
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/74c85396bd73eca80b96510b4edf93b9a3aff75f
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/89c89da92a60028013f9539be0dcce7e44405a43
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/90e037cabc2c2dfc39b3dd9c5b22ea91f995539a
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/c5d30d6aa83d99fba8dfdd9cf6c4e4e7a63244db
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Fix race issue between cpu buffer write and swap\n\nWarning happened in rb_end_commit() at code:\n\tif (RB_WARN_ON(cpu_buffer, !local_read(\u0026cpu_buffer-\u003ecommitting)))\n\n  WARNING: CPU: 0 PID: 139 at kernel/trace/ring_buffer.c:3142\n\trb_commit+0x402/0x4a0\n  Call Trace:\n   ring_buffer_unlock_commit+0x42/0x250\n   trace_buffer_unlock_commit_regs+0x3b/0x250\n   trace_event_buffer_commit+0xe5/0x440\n   trace_event_buffer_reserve+0x11c/0x150\n   trace_event_raw_event_sched_switch+0x23c/0x2c0\n   __traceiter_sched_switch+0x59/0x80\n   __schedule+0x72b/0x1580\n   schedule+0x92/0x120\n   worker_thread+0xa0/0x6f0\n\nIt is because the race between writing event into cpu buffer and swapping\ncpu buffer through file per_cpu/cpu0/snapshot:\n\n  Write on CPU 0             Swap buffer by per_cpu/cpu0/snapshot on CPU 1\n  --------                   --------\n                             tracing_snapshot_write()\n                               [...]\n\n  ring_buffer_lock_reserve()\n    cpu_buffer = buffer-\u003ebuffers[cpu]; // 1. Suppose find \u0027cpu_buffer_a\u0027;\n    [...]\n    rb_reserve_next_event()\n      [...]\n\n                               ring_buffer_swap_cpu()\n                                 if (local_read(\u0026cpu_buffer_a-\u003ecommitting))\n                                     goto out_dec;\n                                 if (local_read(\u0026cpu_buffer_b-\u003ecommitting))\n                                     goto out_dec;\n                                 buffer_a-\u003ebuffers[cpu] = cpu_buffer_b;\n                                 buffer_b-\u003ebuffers[cpu] = cpu_buffer_a;\n                                 // 2. cpu_buffer has swapped here.\n\n      rb_start_commit(cpu_buffer);\n      if (unlikely(READ_ONCE(cpu_buffer-\u003ebuffer)\n          != buffer)) { // 3. This check passed due to \u0027cpu_buffer-\u003ebuffer\u0027\n        [...]           //    has not changed here.\n        return NULL;\n      }\n                                 cpu_buffer_b-\u003ebuffer = buffer_a;\n                                 cpu_buffer_a-\u003ebuffer = buffer_b;\n                                 [...]\n\n      // 4. Reserve event from \u0027cpu_buffer_a\u0027.\n\n  ring_buffer_unlock_commit()\n    [...]\n    cpu_buffer = buffer-\u003ebuffers[cpu]; // 5. Now find \u0027cpu_buffer_b\u0027 !!!\n    rb_commit(cpu_buffer)\n      rb_end_commit()  // 6. WARN for the wrong \u0027committing\u0027 state !!!\n\nBased on above analysis, we can easily reproduce by following testcase:\n  ``` bash\n  #!/bin/bash\n\n  dmesg -n 7\n  sysctl -w kernel.panic_on_warn=1\n  TR=/sys/kernel/tracing\n  echo 7 \u003e ${TR}/buffer_size_kb\n  echo \"sched:sched_switch\" \u003e ${TR}/set_event\n  while [ true ]; do\n          echo 1 \u003e ${TR}/per_cpu/cpu0/snapshot\n  done \u0026\n  while [ true ]; do\n          echo 1 \u003e ${TR}/per_cpu/cpu0/snapshot\n  done \u0026\n  while [ true ]; do\n          echo 1 \u003e ${TR}/per_cpu/cpu0/snapshot\n  done \u0026\n  ```\n\nTo fix it, IIUC, we can use smp_call_function_single() to do the swap on\nthe target cpu where the buffer is located, so that above race would be\navoided."
    }
  ],
  "id": "CVE-2023-53368",
  "lastModified": "2025-09-18T13:43:34.310",
  "metrics": {},
  "published": "2025-09-17T15:15:41.220",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/3163f635b20e9e1fb4659e74f47918c9dddfe64e"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/37ca1b686078b00cc4ffa008e2190615f7709b5d"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/6182318ac04648b46db9d441fd7d696337fcdd0b"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/74c85396bd73eca80b96510b4edf93b9a3aff75f"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/89c89da92a60028013f9539be0dcce7e44405a43"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/90e037cabc2c2dfc39b3dd9c5b22ea91f995539a"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/c5d30d6aa83d99fba8dfdd9cf6c4e4e7a63244db"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.