CVE-2023-52835 in Linux

Summary

by MITRE • 05/21/2024

In the Linux kernel, the following vulnerability has been resolved:

perf/core: Bail out early if the request AUX area is out of bound

When perf-record with a large AUX area, e.g. 4GB, it fails with:

#perf record -C 0 -m ,4G -e arm_spe_0// -- sleep 1
failed to mmap with 12 (Cannot allocate memory)

and it reveals a WARNING with __alloc_pages():

------------[ cut here ]------------
WARNING: CPU: 44 PID: 17573 at mm/page_alloc.c:5568 __alloc_pages+0x1ec/0x248
Call trace:
 __alloc_pages+0x1ec/0x248
 __kmalloc_large_node+0xc0/0x1f8
 __kmalloc_node+0x134/0x1e8
 rb_alloc_aux+0xe0/0x298
 perf_mmap+0x440/0x660
 mmap_region+0x308/0x8a8
 do_mmap+0x3c0/0x528
 vm_mmap_pgoff+0xf4/0x1b8
 ksys_mmap_pgoff+0x18c/0x218
 __arm64_sys_mmap+0x38/0x58
 invoke_syscall+0x50/0x128
 el0_svc_common.constprop.0+0x58/0x188
 do_el0_svc+0x34/0x50
 el0_svc+0x34/0x108
 el0t_64_sync_handler+0xb8/0xc0
 el0t_64_sync+0x1a4/0x1a8

'rb->aux_pages' allocated by kcalloc() is a pointer array which is used to maintain AUX trace pages. The allocated page for this array is physically contiguous (and virtually contiguous) with an order of 0..MAX_ORDER. If the size of the pointer array crosses the limitation set by MAX_ORDER, it reveals a WARNING.

So bail out early with -ENOMEM if the requested AUX area is out of bound, e.g.:

#perf record -C 0 -m ,4G -e arm_spe_0// -- sleep 1
failed to mmap with 12 (Cannot allocate memory)


Analysis

by VulDB Data Team • 09/24/2025

CVE-2023-52835 affects the Linux kernel's performance monitoring subsystem, specifically the perf core code that sets up the AUX (auxiliary) trace buffer for an event. The issue surfaces when a user asks perf to record with a very large AUX area; the report comes from arm64 with the Arm SPE PMU (arm_spe_0), but the allocation path is generic and not tied to that architecture. During buffer setup the kernel did not validate the requested AUX size against its own allocator limits before attempting the allocation. The weakness is CWE-770 (Allocation of Resources Without Limits or Throttling); VulDB maps it to ATT&CK technique T1490. In practice the observable effect is a failed mmap() plus a kernel WARNING, which matters for availability rather than for confidentiality or integrity.

The root cause is in rb_alloc_aux(), which allocates an array of page pointers ('rb->aux_pages') with kcalloc() to track the AUX trace pages. That array is a single allocation whose size scales with the requested AUX area: on a 64-bit kernel with 4 KiB pages and 8-byte pointers, a 4 GiB AUX area (the second field of perf's -m ,4G sets the AUX mmap size) needs 1,048,576 entries, an 8 MiB array. kmalloc() serves requests of that size from the page allocator as one physically (and virtually) contiguous block of 2^order pages, and the largest order the allocator supports is MAX_ORDER. When the pointer array needs an order above MAX_ORDER, __alloc_pages() refuses the request and emits the WARNING quoted above from mm/page_alloc.c, kcalloc() returns NULL, and the mmap() fails with ENOMEM.

The operational impact is confined to availability. A local user who is permitted to open the perf event (gated by perf_event_paranoid and CAP_PERFMON or CAP_SYS_ADMIN) and who requests an oversized AUX area gets ENOMEM from mmap(), so large-trace captures of the kind used for detailed analysis in embedded and high-performance computing environments fail to start. The more important consequence is the kernel WARNING that accompanies the failure: on hosts booted with panic_on_warn=1, a WARNING is a kernel panic, which turns a bad command-line argument into a denial of service. The defect is a missing bounds check in the perf subsystem, which handed an impossible size to the allocator instead of rejecting it up front.

The fix adds an early bounds check in rb_alloc_aux(): if the pointer array needed for the requested number of AUX pages would require an allocation order above MAX_ORDER, the function returns -ENOMEM before calling the allocator. The user sees the same "Cannot allocate memory" error as before, but the kernel no longer hits the WARNING in __alloc_pages(). Administrators should run a kernel that carries the patch (it went into mainline in the 6.7 cycle and was backported to the stable series) and can verify it cheaply: on a patched kernel the oversized perf record command above fails with ENOMEM and leaves no "WARNING: ... __alloc_pages" entry in dmesg. Keeping -m ,<size> within what the machine can actually back, and having automated perf-based monitoring treat an mmap failure as a hard error rather than retrying with the same size, avoids both the failed captures and, on panic_on_warn hosts, the crash.
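The following user-space C program is an added illustration of the sizing arithmetic behind the root cause and of the early bail-out described in the fix; it is not the kernel's code. It models the kcalloc() of 'rb->aux_pages' as "nr_pages times sizeof(void *)" bytes, converts that to a page-allocator order with a get_order() helper written to mirror the kernel's, and rejects the request with -ENOMEM when the order exceeds MAX_ORDER. PAGE_SHIFT = 12 and MAX_ORDER = 10 (2^10 pages, 4 MiB) are assumed values for a 4 KiB-page 64-bit kernel; the function names aux_pages_array_check() and aux_request_check() are invented for this example. The sample sizes in main() are constructed; 4 GiB is the value from the report.

```c
/*
 * Constructed model of the "bail out early" check in rb_alloc_aux():
 * before allocating the rb->aux_pages pointer array, reject AUX sizes
 * whose pointer array could never be served as one contiguous block.
 * Not the kernel's code; PAGE_SHIFT and MAX_ORDER are assumed values.
 */
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

#define PAGE_SHIFT 12                  /* assumption: 4 KiB pages */
#define PAGE_SIZE  (1UL << PAGE_SHIFT)
#define MAX_ORDER  10                  /* assumption: largest order the page allocator serves (2^10 pages = 4 MiB) */

/* Smallest order n such that 2^n pages hold `size` bytes (mirrors the kernel helper of the same name). */
unsigned int get_order(unsigned long size)
{
	/* round up to pages without overflowing on sizes near ULONG_MAX */
	unsigned long pages = size >> PAGE_SHIFT;
	unsigned int order = 0;

	if (size & (PAGE_SIZE - 1))
		pages++;
	while ((1UL << order) < pages)
		order++;
	return order;
}

/*
 * Early bounds check for the AUX page-pointer array.
 * Returns 0 if kcalloc(nr_pages, sizeof(void *)) could be served as a
 * single contiguous allocation of order <= MAX_ORDER, -ENOMEM otherwise.
 */
int aux_pages_array_check(unsigned long nr_pages)
{
	unsigned long bytes;

	/* a wrapped multiplication would otherwise look like a small, valid size */
	if (nr_pages > ULONG_MAX / sizeof(void *))
		return -ENOMEM;
	bytes = nr_pages * sizeof(void *);

	if (get_order(bytes) > MAX_ORDER)
		return -ENOMEM;
	return 0;
}

/* Same check starting from the user-visible AUX size in bytes (perf's -m ,<size>). */
int aux_request_check(unsigned long long aux_bytes)
{
	unsigned long long nr_pages = aux_bytes >> PAGE_SHIFT;

	if (aux_bytes & (PAGE_SIZE - 1))
		nr_pages++;
	if (nr_pages > ULONG_MAX)
		return -ENOMEM;
	return aux_pages_array_check((unsigned long)nr_pages);
}

int main(void)
{
	/* constructed sample requests; 4 GiB is the size from the bug report */
	static const unsigned long long sizes[] = {
		1ULL << 30,  /* 1 GiB */
		2ULL << 30,  /* 2 GiB: pointer array is exactly 4 MiB, order 10 */
		4ULL << 30,  /* 4 GiB: pointer array is 8 MiB, order 11 > MAX_ORDER */
	};
	size_t i;

	for (i = 0; i < sizeof(sizes) / sizeof(sizes[0]); i++) {
		unsigned long long nr = sizes[i] >> PAGE_SHIFT;
		int rc = aux_request_check(sizes[i]);

		printf("AUX %llu MiB -> %llu pages, pointer array order %u: %s\n",
		       sizes[i] >> 20, nr,
		       get_order((unsigned long)(nr * sizeof(void *))),
		       rc == 0 ? "ok" : "-ENOMEM (pointer array exceeds MAX_ORDER)");
	}
	return 0;
}
```

With the assumed constants the 4 GiB request is refused by the check rather than by the allocator, which is exactly the difference the patch makes: the caller still gets ENOMEM, but no order-above-MAX_ORDER request ever reaches __alloc_pages(), so there is nothing for it to WARN about. The overflow guard on nr_pages is the extra line a reviewer would ask for, since a wrapped byte count would pass a naive get_order() comparison.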

Reservation

05/21/2024

Disclosure

05/21/2024

Moderation

accepted

CPE

ready

EPSS

0.00015

KEV

no

Activities

very low
