CVE-2023-54086
Stack Overflow Vulnerability in Linux Kernel BPF Trampoline Functions

Publication date: 2025-12-24

Last updated on: 2025-12-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

bpf: Add preempt_count_{sub,add} into btf id deny list

The recursion check in __bpf_prog_enter* and __bpf_prog_exit* leaves preempt_count_{sub,add} unprotected. When attaching a trampoline to them we get a panic as follows:

[ 867.843050] BUG: TASK stack guard page was hit at 0000000009d325cf (stack is 0000000046a46a15..00000000537e7b28)
[ 867.843064] stack guard page: 0000 [#1] PREEMPT SMP NOPTI
[ 867.843067] CPU: 8 PID: 11009 Comm: trace Kdump: loaded Not tainted 6.2.0+ #4
[ 867.843100] Call Trace:
[ 867.843101] <TASK>
[ 867.843104] asm_exc_int3+0x3a/0x40
[ 867.843108] RIP: 0010:preempt_count_sub+0x1/0xa0
[ 867.843135] __bpf_prog_enter_recur+0x17/0x90
[ 867.843148] bpf_trampoline_6442468108_0+0x2e/0x1000
[ 867.843154] ? preempt_count_sub+0x1/0xa0
[ 867.843157] preempt_count_sub+0x5/0xa0
[ 867.843159] ? migrate_enable+0xac/0xf0
[ 867.843164] __bpf_prog_exit_recur+0x2d/0x40
[ 867.843168] bpf_trampoline_6442468108_0+0x55/0x1000
...
[ 867.843788] preempt_count_sub+0x5/0xa0
[ 867.843793] ? migrate_enable+0xac/0xf0
[ 867.843829] __bpf_prog_exit_recur+0x2d/0x40
[ 867.843837] BUG: IRQ stack guard page was hit at 0000000099bd8228 (stack is 00000000b23e2bc4..000000006d95af35)
[ 867.843841] BUG: IRQ stack guard page was hit at 000000005ae07924 (stack is 00000000ffd69623..0000000014eb594c)
[ 867.843843] BUG: IRQ stack guard page was hit at 00000000028320f0 (stack is 00000000034b6438..0000000078d1bcec)
[ 867.843842] bpf_trampoline_6442468108_0+0x55/0x1000
...

That is because in __bpf_prog_exit_recur, the preempt_count_{sub,add} are called after prog->active is decreased. Fix this by adding these two functions into the btf ids deny list.
Meta Information
Published: 2025-12-24
Last Modified: 2025-12-24
Generated: 2026-05-07
AI Q&A: 2025-12-24
EPSS Evaluated: 2026-05-05
NVD
Affected Vendors & Products (1 associated CPE)
Vendor: linux
Product: linux_kernel
Version / Range: 6.2.0
CWE ID: CWE-UNKNOWN
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in the Linux kernel's BPF (Berkeley Packet Filter) subsystem stems from the recursion check in the __bpf_prog_enter* and __bpf_prog_exit* functions leaving preempt_count_sub and preempt_count_add unprotected. When a BPF trampoline is attached to either of those functions, the kernel panics with stack guard page violations. The root cause is that __bpf_prog_exit_recur calls preempt_count_sub and preempt_count_add after it has already decremented the program's active counter, so the recursion guard no longer stops the trampoline from re-entering itself; the unbounded recursion overflows the kernel stack. The fix adds these two functions to the BTF (BPF Type Format) ID deny list so that trampolines can no longer be attached to them.


How can this vulnerability impact me?

This vulnerability can cause the Linux kernel to panic and crash when certain BPF trampolines are attached to the preempt_count_sub and preempt_count_add functions. This can lead to system instability, unexpected reboots, and potential denial of service conditions on affected systems.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring the system logs for kernel panic messages related to bpf trampolines and the preempt_count_sub/add functions. Look for messages similar to 'BUG: TASK stack guard page was hit' or 'BUG: IRQ stack guard page was hit' with call traces involving preempt_count_sub, __bpf_prog_enter_recur, and bpf_trampoline. You can use commands like 'dmesg | grep -i "BUG:.*stack guard page"' or 'journalctl -k | grep -i "bpf_trampoline"' to find such kernel panic logs. Because the panic halts the kernel, the trace is usually only recoverable if the system captures it (for example via kdump, as in the trace above, or a persistent journal), so absence of such messages does not prove a kernel is unaffected; compare the running kernel version against the affected range as well.
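The log check described above, as an added detection script that is not part of the advisory or of the kernel project: it scans dmesg or journalctl -k output for the crash signature (a stack guard page hit whose trace cycles through a bpf_trampoline, __bpf_prog_*_recur and preempt_count_{sub,add}). The embedded sample lines are constructed from the trace quoted in the description, and the function name scan_kernel_log is my own.

```python
import re
from typing import Dict, List
# Constructed sample modelled on the trace quoted in the advisory; not a real capture.
SAMPLE_DMESG = """\
[  867.843050] BUG: TASK stack guard page was hit at 0000000009d325cf (stack is 0000000046a46a15..00000000537e7b28)
[  867.843100] Call Trace:
[  867.843104]  asm_exc_int3+0x3a/0x40
[  867.843108] RIP: 0010:preempt_count_sub+0x1/0xa0
[  867.843135]  __bpf_prog_enter_recur+0x17/0x90
[  867.843148]  bpf_trampoline_6442468108_0+0x2e/0x1000
[  867.843157]  preempt_count_sub+0x5/0xa0
[  867.843164]  __bpf_prog_exit_recur+0x2d/0x40
[  867.843168]  bpf_trampoline_6442468108_0+0x55/0x1000
[  867.843837] BUG: IRQ stack guard page was hit at 0000000099bd8228 (stack is 00000000b23e2bc4..000000006d95af35)
[  900.000001] usb 1-1: new high-speed USB device number 2 using xhci_hcd
"""

GUARD_PAGE_RE = re.compile(r"BUG: (?P<stack>TASK|IRQ) stack guard page was hit")
FRAME_RE = re.compile(r"(?P<sym>[A-Za-z_]\w*)\+0x[0-9a-f]+/0x[0-9a-f]+")  # symbol+off/size
TRAMPOLINE_RE = re.compile(r"^bpf_trampoline_\d+_\d+$")
PREEMPT_RE = re.compile(r"^preempt_count_(sub|add)$")
RECUR_RE = re.compile(r"^__bpf_prog_(enter|exit)_recur$")

def scan_kernel_log(text: str) -> Dict[str, object]:
    """Look for the CVE-2023-54086 crash signature: a stack guard page hit whose
    trace cycles through a BPF trampoline, __bpf_prog_*_recur and preempt_count_{sub,add}."""
    stacks_hit: List[str] = []
    trampoline = preempt = recur = 0
    for line in text.splitlines():
        hit = GUARD_PAGE_RE.search(line)
        if hit:
            stacks_hit.append(hit.group("stack"))
        for frame in FRAME_RE.finditer(line):
            sym = frame.group("sym")
            if TRAMPOLINE_RE.match(sym):
                trampoline += 1
            elif PREEMPT_RE.match(sym):
                preempt += 1
            elif RECUR_RE.match(sym):
                recur += 1
    # All three frame kinds plus a guard page hit are required: a guard page hit alone is
    # any stack overflow, and trampoline frames alone are normal with fentry/fexit programs.
    matched = bool(stacks_hit) and trampoline > 0 and preempt > 0 and recur > 0
    return {"guard_page_hits": len(stacks_hit), "stacks_hit": sorted(set(stacks_hit)),
            "trampoline_frames": trampoline, "preempt_count_frames": preempt,
            "recur_frames": recur, "signature_matched": matched}

if __name__ == "__main__":
    print(scan_kernel_log(SAMPLE_DMESG))
```

To run it against a live system, feed it the output of `dmesg` or `journalctl -k` instead of SAMPLE_DMESG.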


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation is to update the Linux kernel to a version containing the fix, which adds preempt_count_sub and preempt_count_add to the BTF ID deny list so the kernel refuses to attach trampolines to them and the panic cannot be triggered. Until an update is applied, avoid attaching BPF trampolines (fentry/fexit-style programs) to the preempt_count_sub and preempt_count_add functions.

