ghsa-2px5-v96w-8g69
Vulnerability from github
Published
2025-09-15 15:31
Modified
2025-09-15 15:31
Details

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix memleak due to fentry attach failure

If it fails to attach fentry, the allocated bpf trampoline image will be left in the system. That can be verified by checking /proc/kallsyms.

This meamleak can be verified by a simple bpf program as follows:

SEC("fentry/trap_init") int fentry_run() { return 0; }

It will fail to attach trap_init because this function is freed after kernel init, and then we can find the trampoline image is left in the system by checking /proc/kallsyms.

$ tail /proc/kallsyms ffffffffc0613000 t bpf_trampoline_6442453466_1 [bpf] ffffffffc06c3000 t bpf_trampoline_6442453466_1 [bpf]

$ bpftool btf dump file /sys/kernel/btf/vmlinux | grep "FUNC 'trap_init'" [2522] FUNC 'trap_init' type_id=119 linkage=static

$ echo $((6442453466 & 0x7fffffff)) 2522

Note that there are two left bpf trampoline images, that is because the libbpf will fallback to raw tracepoint if -EINVAL is returned.

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2023-53221"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-15T15:15:48Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix memleak due to fentry attach failure\n\nIf it fails to attach fentry, the allocated bpf trampoline image will be\nleft in the system. That can be verified by checking /proc/kallsyms.\n\nThis meamleak can be verified by a simple bpf program as follows:\n\n  SEC(\"fentry/trap_init\")\n  int fentry_run()\n  {\n      return 0;\n  }\n\nIt will fail to attach trap_init because this function is freed after\nkernel init, and then we can find the trampoline image is left in the\nsystem by checking /proc/kallsyms.\n\n  $ tail /proc/kallsyms\n  ffffffffc0613000 t bpf_trampoline_6442453466_1  [bpf]\n  ffffffffc06c3000 t bpf_trampoline_6442453466_1  [bpf]\n\n  $ bpftool btf dump file /sys/kernel/btf/vmlinux | grep \"FUNC \u0027trap_init\u0027\"\n  [2522] FUNC \u0027trap_init\u0027 type_id=119 linkage=static\n\n  $ echo $((6442453466 \u0026 0x7fffffff))\n  2522\n\nNote that there are two left bpf trampoline images, that is because the\nlibbpf will fallback to raw tracepoint if -EINVAL is returned.",
  "id": "GHSA-2px5-v96w-8g69",
  "modified": "2025-09-15T15:31:29Z",
  "published": "2025-09-15T15:31:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53221"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/108598c39eefbedc9882273ac0df96127a629220"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/20109ddd5bea2c24d790debf5d02584ef24c3f5e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6aa27775db63ba8c7c73891c7dfb71ddc230c48d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f72c67d1a82dada7d6d504c806e111e913721a30"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.