CVE-2023-54033
Description
In the Linux kernel, the following vulnerability has been resolved:
bpf: fix a memory leak in the LRU and LRU_PERCPU hash maps
The LRU and LRU_PERCPU maps allocate a new element on update before locking the target hash table bucket. Right after that the maps try to lock the bucket. If this fails, then the maps return -EBUSY to the caller without releasing the allocated element. This makes the element untracked: it doesn't belong to either of the free lists, and it doesn't belong to the hash table, so it can't be re-used; this eventually leads to permanent -ENOMEM on LRU map updates, which is unexpected. Fix this by returning the element to the local free list if bucket locking fails.
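The leak and its fix can be followed in a small user-space model. This C code is an added example, not kernel code and not the fix commit; `lru_map`, `map_update`, `run_scenario`, the `lock_fails` flag and the pool size of 4 are assumptions made for illustration.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>

#define POOL_SIZE 4             /* constructed: tiny preallocated pool */
struct elem { struct elem *next; int key; };
struct lru_map {
    struct elem pool[POOL_SIZE];
    struct elem *free_list;     /* stands in for the local free list */
    bool fixed;                 /* true: return element on lock failure */
};

static void map_init(struct lru_map *m, bool fixed)
{
    m->free_list = NULL;
    m->fixed = fixed;
    for (int i = 0; i < POOL_SIZE; i++) {
        m->pool[i].next = m->free_list;
        m->free_list = &m->pool[i];
    }
}

/* Update path: the element is taken BEFORE the bucket lock is attempted.
 * Eviction is not modelled: a leaked element is in neither list nor table. */
static int map_update(struct lru_map *m, int key, bool lock_fails)
{
    struct elem *e = m->free_list;
    if (!e)
        return -ENOMEM;         /* nothing left to hand out */
    m->free_list = e->next;
    if (lock_fails) {
        if (m->fixed) {         /* the fix: back onto the free list */
            e->next = m->free_list;
            m->free_list = e;
        }
        return -EBUSY;          /* unfixed: e is now untracked */
    }
    e->key = key;               /* lock held: element enters the table */
    return 0;
}

/* Result of one uncontended update after `contended` failed lock attempts. */
int run_scenario(bool fixed, int contended)
{
    struct lru_map m;
    map_init(&m, fixed);
    for (int i = 0; i < contended; i++)
        map_update(&m, i, true);
    return map_update(&m, 99, false);
}
```

After four failed lock attempts the unfixed model returns -ENOMEM on the next uncontended update, while the fixed model still returns 0.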
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A memory leak in Linux kernel BPF LRU and LRU_PERCPU hash maps can lead to permanent -ENOMEM on map updates.
Vulnerability Description
In the Linux kernel, a memory leak vulnerability exists in the BPF LRU (Least Recently Used) and LRU_PERCPU hash maps. When updating these maps, the kernel allocates a new element before locking the target hash table bucket. If the bucket lock acquisition fails (e.g., due to contention), the function returns -EBUSY to the caller without releasing the newly allocated element. This leaves the element untracked—it is not placed on any free list and is not inserted into the hash table, making it impossible to reuse or free. Over time, repeated failures accumulate leaked elements, eventually causing permanent -ENOMEM errors on subsequent map updates, which is unexpected behavior [1].
Exploitation and Impact
An attacker with the ability to trigger concurrent BPF map updates (e.g., via crafted BPF programs or user-space interactions) could exploit this race condition. The attack requires no special privileges beyond the ability to use BPF, which is available to unprivileged users in some configurations. By causing frequent bucket lock contention, the attacker can exhaust kernel memory allocated for BPF map elements, leading to denial of service (DoS) through persistent -ENOMEM errors. The impact is limited to memory exhaustion within the BPF subsystem; however, it can disrupt legitimate BPF operations and potentially affect system stability if critical BPF-based functionality is impaired.
Mitigation
The fix, introduced in Linux kernel commit b34ffb0c6d23583830f9327864b9c1f486003305, addresses the issue by returning the allocated element to the local free list when bucket locking fails, preventing the leak [1]. Users should apply the latest stable kernel updates that include this patch. No workaround is available other than avoiding concurrent BPF map updates or restricting BPF access to privileged users.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 4 (79ea1a12fb9a, 1a9e80f757bb, 965e9cccbe6b, b34ffb0c6d23)
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 4
News mentions: 0
No linked articles in our index yet.