Unrated severity · NVD Advisory · Published Dec 30, 2025 · Updated Apr 15, 2026

CVE-2023-54247

Description

In the Linux kernel, the following vulnerability has been resolved:

bpf: Silence a warning in btf_type_id_size()

syzbot reported a warning in [1] with the following stacktrace:

  WARNING: CPU: 0 PID: 5005 at kernel/bpf/btf.c:1988 btf_type_id_size+0x2d9/0x9d0 kernel/bpf/btf.c:1988
  ...
  RIP: 0010:btf_type_id_size+0x2d9/0x9d0 kernel/bpf/btf.c:1988
  ...
  Call Trace:
   map_check_btf kernel/bpf/syscall.c:1024 [inline]
   map_create+0x1157/0x1860 kernel/bpf/syscall.c:1198
   __sys_bpf+0x127f/0x5420 kernel/bpf/syscall.c:5040
   __do_sys_bpf kernel/bpf/syscall.c:5162 [inline]
   __se_sys_bpf kernel/bpf/syscall.c:5160 [inline]
   __x64_sys_bpf+0x79/0xc0 kernel/bpf/syscall.c:5160
   do_syscall_x64 arch/x86/entry/common.c:50 [inline]
   do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
   entry_SYSCALL_64_after_hwframe+0x63/0xcd

With the following btf

  [1] DECL_TAG 'a' type_id=4 component_idx=-1
  [2] PTR '(anon)' type_id=0
  [3] TYPE_TAG 'a' type_id=2
  [4] VAR 'a' type_id=3, linkage=static

and when the bpf_attr.btf_key_type_id = 1 (DECL_TAG), the following WARN_ON_ONCE in btf_type_id_size() is triggered:

  if (WARN_ON_ONCE(!btf_type_is_modifier(size_type) &&
                   !btf_type_is_var(size_type)))
          return NULL;

Note that 'return NULL' is the correct behavior as we don't want a DECL_TAG type to be used as a btf_{key,value}_type_id even for the case like 'DECL_TAG -> STRUCT'. So there is no correctness issue here; we just want to silence the warning.

To silence the warning, I added DECL_TAG as one of the kinds in btf_type_nosize(), which will cause btf_type_id_size() to return NULL earlier without the warning.

[1] https://lore.kernel.org/bpf/000000000000e0df8d05fc75ba86@google.com/
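
The effect of the change described above, as an added example: a simplified user-space model, not code from the kernel or from the patch, that classifies every BTF kind the way the kind checks in btf_type_id_size() do, with and without DECL_TAG in btf_type_nosize(). The kind lists in `has_size()` and `is_modifier()` are this sketch's assumptions about the kernel helpers, and `classify`, `warn_count` and the `patched` flag are hypothetical names.

```c
#include <stdbool.h>
#include <stdio.h>

/* BTF kind numbers, in the order of include/uapi/linux/btf.h. */
enum kind { K_UNKN, K_INT, K_PTR, K_ARRAY, K_STRUCT, K_UNION, K_ENUM, K_FWD,
            K_TYPEDEF, K_VOLATILE, K_CONST, K_RESTRICT, K_FUNC, K_FUNC_PROTO,
            K_VAR, K_DATASEC, K_FLOAT, K_DECL_TAG, K_TYPE_TAG, K_ENUM64, NR_KINDS };
enum outcome { SIZED, FOLLOW, REJECT_QUIET, REJECT_WARN };

/* Model of btf_type_nosize(); patched=true adds DECL_TAG, as the fix does. */
static bool nosize(int k, bool patched)
{
    return k == K_UNKN || k == K_FWD || k == K_FUNC || k == K_FUNC_PROTO ||
           (patched && k == K_DECL_TAG);
}
static bool has_size(int k)      /* assumed list of kinds carrying a size */
{
    return k == K_INT || k == K_STRUCT || k == K_UNION || k == K_ENUM ||
           k == K_DATASEC || k == K_FLOAT || k == K_ENUM64;
}
static bool is_modifier(int k)   /* assumed list of modifier kinds */
{
    return k == K_TYPEDEF || k == K_VOLATILE || k == K_CONST ||
           k == K_RESTRICT || k == K_TYPE_TAG;
}

/* Model of how btf_type_id_size() treats the kind of the type id it is given. */
static enum outcome classify(int k, bool patched)
{
    if (nosize(k, patched))
        return REJECT_QUIET;            /* early "return NULL", no warning */
    if (has_size(k) || k == K_ARRAY || k == K_PTR)
        return SIZED;
    if (!is_modifier(k) && k != K_VAR)
        return REJECT_WARN;             /* the WARN_ON_ONCE branch */
    return FOLLOW;                      /* resolve the modifier/VAR target */
}

/* Number of kinds that reach the WARN_ON_ONCE branch. */
static int warn_count(bool patched)
{
    int n = 0;
    for (int k = 0; k < NR_KINDS; k++)
        n += classify(k, patched) == REJECT_WARN;
    return n;
}
int main(void)
{
    printf("kinds reaching WARN: unpatched=%d patched=%d\n", warn_count(false), warn_count(true));
}
```

In this model DECL_TAG is the only kind that reaches the warning branch before the change, and no kind reaches it afterwards; the result for the caller (NULL) is the same in both cases.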

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A crafted BPF Type Format (BTF) input with a DECL_TAG type can trigger a WARN_ON_ONCE in btf_type_id_size(), causing a kernel warning but no memory corruption.

In the Linux kernel's BPF subsystem, the function btf_type_id_size() in kernel/bpf/btf.c can be made to trigger a WARN_ON_ONCE when processing a BTF that includes a DECL_TAG type as a key or value type ID [1]. The warning is meant to catch unexpected type kinds, but DECL_TAG is valid in other contexts, leading to a false positive warning.

An attacker with the ability to create BPF maps (requires CAP_BPF or root) can craft a BTF with a DECL_TAG type referenced as btf_key_type_id or btf_value_type_id. This triggers the warning in btf_type_id_size(). No special privileges beyond BPF map creation are needed.

The primary impact is a kernel warning message, which may be considered a denial of service if the system is configured to panic on warnings (panic_on_warn). Under default settings, it only logs a warning without crashing the system. No memory corruption or privilege escalation occurs.

The issue was fixed by adding DECL_TAG to the btf_type_nosize() list, causing btf_type_id_size() to return NULL early without triggering the warning [1]. The fix was included in kernel stable updates.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
