Security Vulnerability Report
中文
CVE-2023-53634 CVSS 5.5 MEDIUM

CVE-2023-53634

Published: 2025-10-07 16:15:47
Last Modified: 2026-02-03 22:26:04
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved: bpf, arm64: Fixed a BTI error on returning to patched function When BPF_TRAMP_F_CALL_ORIG is set, BPF trampoline uses BLR to jump back to the instruction next to call site to call the patched function. For BTI-enabled kernel, the instruction next to call site is usually PACIASP, in this case, it's safe to jump back with BLR. But when the call site is not followed by a PACIASP or bti, a BTI exception is triggered. Here is a fault log: Unhandled 64-bit el1h sync exception on CPU0, ESR 0x0000000034000002 -- BTI CPU: 0 PID: 263 Comm: test_progs Tainted: GF Hardware name: linux,dummy-virt (DT) pstate: 40400805 (nZcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=-c) pc : bpf_fentry_test1+0xc/0x30 lr : bpf_trampoline_6442573892_0+0x48/0x1000 sp : ffff80000c0c3a50 x29: ffff80000c0c3a90 x28: ffff0000c2e6c080 x27: 0000000000000000 x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000050 x23: 0000000000000000 x22: 0000ffffcfd2a7f0 x21: 000000000000000a x20: 0000ffffcfd2a7f0 x19: 0000000000000000 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 0000ffffcfd2a7f0 x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 x11: 0000000000000000 x10: ffff80000914f5e4 x9 : ffff8000082a1528 x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0101010101010101 x5 : 0000000000000000 x4 : 00000000fffffff2 x3 : 0000000000000001 x2 : ffff8001f4b82000 x1 : 0000000000000000 x0 : 0000000000000001 Kernel panic - not syncing: Unhandled exception CPU: 0 PID: 263 Comm: test_progs Tainted: GF Hardware name: linux,dummy-virt (DT) Call trace: dump_backtrace+0xec/0x144 show_stack+0x24/0x7c dump_stack_lvl+0x8c/0xb8 dump_stack+0x18/0x34 panic+0x1cc/0x3ec __el0_error_handler_common+0x0/0x130 el1h_64_sync_handler+0x60/0xd0 el1h_64_sync+0x78/0x7c bpf_fentry_test1+0xc/0x30 bpf_fentry_test1+0xc/0x30 bpf_prog_test_run_tracing+0xdc/0x2a0 __sys_bpf+0x438/0x22a0 __arm64_sys_bpf+0x30/0x54 invoke_syscall+0x78/0x110 el0_svc_common.constprop.0+0x6c/0x1d0 do_el0_svc+0x38/0xe0 el0_svc+0x30/0xd0 el0t_64_sync_handler+0x1ac/0x1b0 el0t_64_sync+0x1a0/0x1a4 Kernel Offset: disabled CPU features: 0x0000,00034c24,f994fdab Memory Limit: none And the instruction next to call site of bpf_fentry_test1 is ADD, not PACIASP: <bpf_fentry_test1>: bti c nop nop add w0, w0, #0x1 paciasp For BPF prog, JIT always puts a PACIASP after call site for BTI-enabled kernel, so there is no problem. To fix it, replace BLR with RET to bypass the branch target check.

CVSS Details

CVSS Score
5.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.3:rc1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.3:rc2:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.3:rc3:*:*:*:*:*:* - VULNERABLE
Linux kernel < 738a96c4a8c36950803fdd27e7c30aca92dccefd (stable分支)
Linux kernel < 8b9c64942ada229f52fe6f1b537a50f88b3c2673 (stable分支)
Linux kernel < eabc166919d169e105263974991f52b0351e431a (stable分支)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
// PoC for CVE-2023-53634 // This PoC demonstrates how to trigger the BTI exception in Linux kernel BPF trampoline // on arm64 architecture when BPF_TRAMP_F_CALL_ORIG is used with a function whose // call site is not followed by PACIASP or BTI instruction. #include <stdio.h> #include <stdlib.h> #include <string.h> #include <unistd.h> #include <sys/syscall.h> #include <linux/bpf.h> // Simplified BPF program to trigger the vulnerability // In real scenario, use libbpf to load a tracing/fentry BPF program // attached to a function whose call site is not followed by PACIASP int main() { // The vulnerability is triggered when: // 1. BPF_TRAMP_F_CALL_ORIG is set in trampoline // 2. The target function's call site is followed by ADD instruction // instead of PACIASP or BTI // // Example trigger: load a BPF fentry program on bpf_fentry_test1 // which has the following instruction sequence: // bpf_fentry_test1: // bti c // nop // nop // add w0, w0, #0x1 <-- not PACIASP, triggers BTI exception // paciasp // // When BPF trampoline uses BLR to jump to the ADD instruction, // BTI branch target check fails, causing kernel panic. printf("CVE-2023-53634 PoC\n"); printf("Load BPF fentry program on bpf_fentry_test1 to trigger BTI exception\n"); printf("Requires arm64 hardware with BTI enabled\n"); printf("Run: ./test_progs -t fentry\n"); // Use bpf() syscall to load and attach BPF program // The actual implementation requires libbpf and proper BPF program loading return 0; }

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2023-53634", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-07T16:15:46.523", "lastModified": "2026-02-03T22:26:04.397", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, arm64: Fixed a BTI error on returning to patched function\n\nWhen BPF_TRAMP_F_CALL_ORIG is set, BPF trampoline uses BLR to jump\nback to the instruction next to call site to call the patched function.\nFor BTI-enabled kernel, the instruction next to call site is usually\nPACIASP, in this case, it's safe to jump back with BLR. But when\nthe call site is not followed by a PACIASP or bti, a BTI exception\nis triggered.\n\nHere is a fault log:\n\n Unhandled 64-bit el1h sync exception on CPU0, ESR 0x0000000034000002 -- BTI\n CPU: 0 PID: 263 Comm: test_progs Tainted: GF\n Hardware name: linux,dummy-virt (DT)\n pstate: 40400805 (nZcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=-c)\n pc : bpf_fentry_test1+0xc/0x30\n lr : bpf_trampoline_6442573892_0+0x48/0x1000\n sp : ffff80000c0c3a50\n x29: ffff80000c0c3a90 x28: ffff0000c2e6c080 x27: 0000000000000000\n x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000050\n x23: 0000000000000000 x22: 0000ffffcfd2a7f0 x21: 000000000000000a\n x20: 0000ffffcfd2a7f0 x19: 0000000000000000 x18: 0000000000000000\n x17: 0000000000000000 x16: 0000000000000000 x15: 0000ffffcfd2a7f0\n x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000\n x11: 0000000000000000 x10: ffff80000914f5e4 x9 : ffff8000082a1528\n x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0101010101010101\n x5 : 0000000000000000 x4 : 00000000fffffff2 x3 : 0000000000000001\n x2 : ffff8001f4b82000 x1 : 0000000000000000 x0 : 0000000000000001\n Kernel panic - not syncing: Unhandled exception\n CPU: 0 PID: 263 Comm: test_progs Tainted: GF\n Hardware name: linux,dummy-virt (DT)\n Call trace:\n dump_backtrace+0xec/0x144\n show_stack+0x24/0x7c\n dump_stack_lvl+0x8c/0xb8\n dump_stack+0x18/0x34\n panic+0x1cc/0x3ec\n __el0_error_handler_common+0x0/0x130\n el1h_64_sync_handler+0x60/0xd0\n el1h_64_sync+0x78/0x7c\n bpf_fentry_test1+0xc/0x30\n bpf_fentry_test1+0xc/0x30\n bpf_prog_test_run_tracing+0xdc/0x2a0\n __sys_bpf+0x438/0x22a0\n __arm64_sys_bpf+0x30/0x54\n invoke_syscall+0x78/0x110\n el0_svc_common.constprop.0+0x6c/0x1d0\n do_el0_svc+0x38/0xe0\n el0_svc+0x30/0xd0\n el0t_64_sync_handler+0x1ac/0x1b0\n el0t_64_sync+0x1a0/0x1a4\n Kernel Offset: disabled\n CPU features: 0x0000,00034c24,f994fdab\n Memory Limit: none\n\nAnd the instruction next to call site of bpf_fentry_test1 is ADD,\nnot PACIASP:\n\n<bpf_fentry_test1>:\n\tbti c\n\tnop\n\tnop\n\tadd w0, w0, #0x1\n\tpaciasp\n\nFor BPF prog, JIT always puts a PACIASP after call site for BTI-enabled\nkernel, so there is no problem. To fix it, replace BLR with RET to bypass\nthe branch target check."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0", "versionEndExcluding": "6.1.25", "matchCriteriaId": "D2C90BB9-CA3C-4D97-9D92-C46FE5B9B2EC"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.2.12", "matchCriteriaId": "4AA01E0B-227C-4686-AC91-BA30BCC48E6D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.3:rc1:*:*:*:*:*:*", "matchCriteriaId": "B8E3B0E8-FA27-4305-87BB-AF6C25B160CB"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.3:rc2:*:*:*:*:*:*", "matchCriteriaId": "A47F0FC3-CE52-4BA1-BA51-22F783938431"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.3:rc3:*:*:*:*:*:*", "matchCriteriaId": "3583026A-27EC-4A4C-850A-83F2AF970673"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.3:rc4:*:*:*:*:*:*", "matchCriteriaId": "DC271202-7570-4505-89A4-D602D47BFD00"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.3:rc5:*:*:*:*:*:*", "matchCriteriaId": "D413BB6D-4F74-4C7D-9163-47786619EF53"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.3:rc6:*:*:*:*:*:*", "matchCriteriaId": "F4D613FB-9976-4989-8C4A-567773373CEA"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/738a96c4a8c36950803fdd27e7c30 ... (truncated)
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.