GHSA-GPG2-67WM-X4HF

Vulnerability from github – Published: 2025-10-22 15:31 – Updated: 2025-10-22 15:31
VLAI?
Details

In the Linux kernel, the following vulnerability has been resolved:

ring-buffer: Do not swap cpu_buffer during resize process

When ring_buffer_swap_cpu was called during resize process, the cpu buffer was swapped in the middle, resulting in incorrect state. Continuing to run in the wrong state will result in oops.

This issue can be easily reproduced using the following two scripts: /tmp # cat test1.sh //#! /bin/sh for i in seq 0 100000 do echo 2000 > /sys/kernel/debug/tracing/buffer_size_kb sleep 0.5 echo 5000 > /sys/kernel/debug/tracing/buffer_size_kb sleep 0.5 done /tmp # cat test2.sh //#! /bin/sh for i in seq 0 100000 do echo irqsoff > /sys/kernel/debug/tracing/current_tracer sleep 1 echo nop > /sys/kernel/debug/tracing/current_tracer sleep 1 done /tmp # ./test1.sh & /tmp # ./test2.sh &

A typical oops log is as follows, sometimes with other different oops logs.

[ 231.711293] WARNING: CPU: 0 PID: 9 at kernel/trace/ring_buffer.c:2026 rb_update_pages+0x378/0x3f8 [ 231.713375] Modules linked in: [ 231.714735] CPU: 0 PID: 9 Comm: kworker/0:1 Tainted: G W 6.5.0-rc1-00276-g20edcec23f92 #15 [ 231.716750] Hardware name: linux,dummy-virt (DT) [ 231.718152] Workqueue: events update_pages_handler [ 231.719714] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 231.721171] pc : rb_update_pages+0x378/0x3f8 [ 231.722212] lr : rb_update_pages+0x25c/0x3f8 [ 231.723248] sp : ffff800082b9bd50 [ 231.724169] x29: ffff800082b9bd50 x28: ffff8000825f7000 x27: 0000000000000000 [ 231.726102] x26: 0000000000000001 x25: fffffffffffff010 x24: 0000000000000ff0 [ 231.728122] x23: ffff0000c3a0b600 x22: ffff0000c3a0b5c0 x21: fffffffffffffe0a [ 231.730203] x20: ffff0000c3a0b600 x19: ffff0000c0102400 x18: 0000000000000000 [ 231.732329] x17: 0000000000000000 x16: 0000000000000000 x15: 0000ffffe7aa8510 [ 231.734212] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000002 [ 231.736291] x11: ffff8000826998a8 x10: ffff800082b9baf0 x9 : ffff800081137558 [ 231.738195] x8 : fffffc00030e82c8 x7 : 0000000000000000 x6 : 0000000000000001 [ 231.740192] x5 : ffff0000ffbafe00 x4 : 0000000000000000 x3 : 0000000000000000 [ 231.742118] x2 : 00000000000006aa x1 : 0000000000000001 x0 : ffff0000c0007208 [ 231.744196] Call trace: [ 231.744892] rb_update_pages+0x378/0x3f8 [ 231.745893] update_pages_handler+0x1c/0x38 [ 231.746893] process_one_work+0x1f0/0x468 [ 231.747852] worker_thread+0x54/0x410 [ 231.748737] kthread+0x124/0x138 [ 231.749549] ret_from_fork+0x10/0x20 [ 231.750434] ---[ end trace 0000000000000000 ]--- [ 233.720486] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 [ 233.721696] Mem abort info: [ 233.721935] ESR = 0x0000000096000004 [ 233.722283] EC = 0x25: DABT (current EL), IL = 32 bits [ 233.722596] SET = 0, FnV = 0 [ 233.722805] EA = 0, S1PTW = 0 [ 233.723026] FSC = 0x04: level 0 translation fault [ 233.723458] Data abort info: [ 233.723734] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 [ 233.724176] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 233.724589] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 233.725075] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000104943000 [ 233.725592] [0000000000000000] pgd=0000000000000000, p4d=0000000000000000 [ 233.726231] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP [ 233.726720] Modules linked in: [ 233.727007] CPU: 0 PID: 9 Comm: kworker/0:1 Tainted: G W 6.5.0-rc1-00276-g20edcec23f92 #15 [ 233.727777] Hardware name: linux,dummy-virt (DT) [ 233.728225] Workqueue: events update_pages_handler [ 233.728655] pstate: 200000c5 (nzCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 233.729054] pc : rb_update_pages+0x1a8/0x3f8 [ 233.729334] lr : rb_update_pages+0x154/0x3f8 [ 233.729592] sp : ffff800082b9bd50 [ 233.729792] x29: ffff800082b9bd50 x28: ffff8000825f7000 x27: 00000000 ---truncated---

Show details on source website
To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2023-53718"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-22T14:15:46Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nring-buffer: Do not swap cpu_buffer during resize process\n\nWhen ring_buffer_swap_cpu was called during resize process,\nthe cpu buffer was swapped in the middle, resulting in incorrect state.\nContinuing to run in the wrong state will result in oops.\n\nThis issue can be easily reproduced using the following two scripts:\n/tmp # cat test1.sh\n//#! /bin/sh\nfor i in `seq 0 100000`\ndo\n         echo 2000 \u003e /sys/kernel/debug/tracing/buffer_size_kb\n         sleep 0.5\n         echo 5000 \u003e /sys/kernel/debug/tracing/buffer_size_kb\n         sleep 0.5\ndone\n/tmp # cat test2.sh\n//#! /bin/sh\nfor i in `seq 0 100000`\ndo\n        echo irqsoff \u003e /sys/kernel/debug/tracing/current_tracer\n        sleep 1\n        echo nop \u003e /sys/kernel/debug/tracing/current_tracer\n        sleep 1\ndone\n/tmp # ./test1.sh \u0026\n/tmp # ./test2.sh \u0026\n\nA typical oops log is as follows, sometimes with other different oops logs.\n\n[  231.711293] WARNING: CPU: 0 PID: 9 at kernel/trace/ring_buffer.c:2026 rb_update_pages+0x378/0x3f8\n[  231.713375] Modules linked in:\n[  231.714735] CPU: 0 PID: 9 Comm: kworker/0:1 Tainted: G        W          6.5.0-rc1-00276-g20edcec23f92 #15\n[  231.716750] Hardware name: linux,dummy-virt (DT)\n[  231.718152] Workqueue: events update_pages_handler\n[  231.719714] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[  231.721171] pc : rb_update_pages+0x378/0x3f8\n[  231.722212] lr : rb_update_pages+0x25c/0x3f8\n[  231.723248] sp : ffff800082b9bd50\n[  231.724169] x29: ffff800082b9bd50 x28: ffff8000825f7000 x27: 0000000000000000\n[  231.726102] x26: 0000000000000001 x25: fffffffffffff010 x24: 0000000000000ff0\n[  231.728122] x23: ffff0000c3a0b600 x22: ffff0000c3a0b5c0 x21: fffffffffffffe0a\n[  231.730203] x20: ffff0000c3a0b600 x19: ffff0000c0102400 x18: 0000000000000000\n[  231.732329] x17: 0000000000000000 x16: 0000000000000000 x15: 0000ffffe7aa8510\n[  231.734212] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000002\n[  231.736291] x11: ffff8000826998a8 x10: ffff800082b9baf0 x9 : ffff800081137558\n[  231.738195] x8 : fffffc00030e82c8 x7 : 0000000000000000 x6 : 0000000000000001\n[  231.740192] x5 : ffff0000ffbafe00 x4 : 0000000000000000 x3 : 0000000000000000\n[  231.742118] x2 : 00000000000006aa x1 : 0000000000000001 x0 : ffff0000c0007208\n[  231.744196] Call trace:\n[  231.744892]  rb_update_pages+0x378/0x3f8\n[  231.745893]  update_pages_handler+0x1c/0x38\n[  231.746893]  process_one_work+0x1f0/0x468\n[  231.747852]  worker_thread+0x54/0x410\n[  231.748737]  kthread+0x124/0x138\n[  231.749549]  ret_from_fork+0x10/0x20\n[  231.750434] ---[ end trace 0000000000000000 ]---\n[  233.720486] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000\n[  233.721696] Mem abort info:\n[  233.721935]   ESR = 0x0000000096000004\n[  233.722283]   EC = 0x25: DABT (current EL), IL = 32 bits\n[  233.722596]   SET = 0, FnV = 0\n[  233.722805]   EA = 0, S1PTW = 0\n[  233.723026]   FSC = 0x04: level 0 translation fault\n[  233.723458] Data abort info:\n[  233.723734]   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\n[  233.724176]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n[  233.724589]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[  233.725075] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000104943000\n[  233.725592] [0000000000000000] pgd=0000000000000000, p4d=0000000000000000\n[  233.726231] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP\n[  233.726720] Modules linked in:\n[  233.727007] CPU: 0 PID: 9 Comm: kworker/0:1 Tainted: G        W          6.5.0-rc1-00276-g20edcec23f92 #15\n[  233.727777] Hardware name: linux,dummy-virt (DT)\n[  233.728225] Workqueue: events update_pages_handler\n[  233.728655] pstate: 200000c5 (nzCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[  233.729054] pc : rb_update_pages+0x1a8/0x3f8\n[  233.729334] lr : rb_update_pages+0x154/0x3f8\n[  233.729592] sp : ffff800082b9bd50\n[  233.729792] x29: ffff800082b9bd50 x28: ffff8000825f7000 x27: 00000000\n---truncated---",
  "id": "GHSA-gpg2-67wm-x4hf",
  "modified": "2025-10-22T15:31:11Z",
  "published": "2025-10-22T15:31:11Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53718"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/02e52d7daaa3f0f48819f198092cf4871065bbf7"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/128c06a34cfe55212632533a706b050d54552741"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/49b830d75f03d5dd41146d10e4d3e2a8211c4b94"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/66a3b2a121386702663065d5c9e5a33c03d3f4a2"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8a96c0288d0737ad77882024974c075345c72011"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.