CVE-2023-53655 in Linux

Summary

by MITRE • 10/07/2025

In the Linux kernel, the following vulnerability has been resolved:

rcu: Avoid stack overflow due to __rcu_irq_enter_check_tick() being kprobe-ed

Registering a kprobe on __rcu_irq_enter_check_tick() can cause kernel stack overflow as shown below. This issue can be reproduced by enabling CONFIG_NO_HZ_FULL and booting the kernel with argument "nohz_full=", and then giving the following commands at the shell prompt:

# cd /sys/kernel/tracing/
# echo 'p:mp1 __rcu_irq_enter_check_tick' >> kprobe_events
# echo 1 > events/kprobes/enable

This commit therefore adds __rcu_irq_enter_check_tick() to the kprobes blacklist using NOKPROBE_SYMBOL().

Insufficient stack space to handle exception!
ESR: 0x00000000f2000004 -- BRK (AArch64)
FAR: 0x0000ffffccf3e510
Task stack:     [0xffff80000ad30000..0xffff80000ad38000]
IRQ stack:      [0xffff800008050000..0xffff800008058000]
Overflow stack: [0xffff089c36f9f310..0xffff089c36fa0310]
CPU: 5 PID: 190 Comm: bash Not tainted 6.2.0-rc2-00320-g1f5abbd77e2c #19
Hardware name: linux,dummy-virt (DT)
pstate: 400003c5 (nZcv DAIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : __rcu_irq_enter_check_tick+0x0/0x1b8
lr : ct_nmi_enter+0x11c/0x138
sp : ffff80000ad30080
x29: ffff80000ad30080 x28: ffff089c82e20000 x27: 0000000000000000
x26: 0000000000000000 x25: ffff089c02a8d100 x24: 0000000000000000
x23: 00000000400003c5 x22: 0000ffffccf3e510 x21: ffff089c36fae148
x20: ffff80000ad30120 x19: ffffa8da8fcce148 x18: 0000000000000000
x17: 0000000000000000 x16: 0000000000000000 x15: ffffa8da8e44ea6c
x14: ffffa8da8e44e968 x13: ffffa8da8e03136c x12: 1fffe113804d6809
x11: ffff6113804d6809 x10: 0000000000000a60 x9 : dfff800000000000
x8 : ffff089c026b404f x7 : 00009eec7fb297f7 x6 : 0000000000000001
x5 : ffff80000ad30120 x4 : dfff800000000000 x3 : ffffa8da8e3016f4
x2 : 0000000000000003 x1 : 0000000000000000 x0 : 0000000000000000
Kernel panic - not syncing: kernel stack overflow
CPU: 5 PID: 190 Comm: bash Not tainted 6.2.0-rc2-00320-g1f5abbd77e2c #19
Hardware name: linux,dummy-virt (DT)
Call trace:
 dump_backtrace+0xf8/0x108
 show_stack+0x20/0x30
 dump_stack_lvl+0x68/0x84
 dump_stack+0x1c/0x38
 panic+0x214/0x404
 add_taint+0x0/0xf8
 panic_bad_stack+0x144/0x160
 handle_bad_stack+0x38/0x58
 __bad_stack+0x78/0x7c
 __rcu_irq_enter_check_tick+0x0/0x1b8
 arm64_enter_el1_dbg.isra.0+0x14/0x20
 el1_dbg+0x2c/0x90
 el1h_64_sync_handler+0xcc/0xe8
 el1h_64_sync+0x64/0x68
 __rcu_irq_enter_check_tick+0x0/0x1b8
 arm64_enter_el1_dbg.isra.0+0x14/0x20
 el1_dbg+0x2c/0x90
 el1h_64_sync_handler+0xcc/0xe8
 el1h_64_sync+0x64/0x68
 __rcu_irq_enter_check_tick+0x0/0x1b8
 arm64_enter_el1_dbg.isra.0+0x14/0x20
 el1_dbg+0x2c/0x90
 el1h_64_sync_handler+0xcc/0xe8
 el1h_64_sync+0x64/0x68
 __rcu_irq_enter_check_tick+0x0/0x1b8
 [...]
 el1_dbg+0x2c/0x90
 el1h_64_sync_handler+0xcc/0xe8
 el1h_64_sync+0x64/0x68
 __rcu_irq_enter_check_tick+0x0/0x1b8
 arm64_enter_el1_dbg.isra.0+0x14/0x20
 el1_dbg+0x2c/0x90
 el1h_64_sync_handler+0xcc/0xe8
 el1h_64_sync+0x64/0x68
 __rcu_irq_enter_check_tick+0x0/0x1b8
 arm64_enter_el1_dbg.isra.0+0x14/0x20
 el1_dbg+0x2c/0x90
 el1h_64_sync_handler+0xcc/0xe8
 el1h_64_sync+0x64/0x68
 __rcu_irq_enter_check_tick+0x0/0x1b8
 el1_interrupt+0x28/0x60
 el1h_64_irq_handler+0x18/0x28
 el1h_64_irq+0x64/0x68
 __ftrace_set_clr_event_nolock+0x98/0x198
 __ftrace_set_clr_event+0x58/0x80
 system_enable_write+0x144/0x178
 vfs_write+0x174/0x738
 ksys_write+0xd0/0x188
 __arm64_sys_write+0x4c/0x60
 invoke_syscall+0x64/0x180
 el0_svc_common.constprop.0+0x84/0x160
 do_el0_svc+0x48/0xe8
 el0_svc+0x34/0xd0
 el0t_64_sync_handler+0xb8/0xc0
 el0t_64_sync+0x190/0x194
SMP: stopping secondary CPUs
Kernel Offset: 0x28da86000000 from 0xffff800008000000
PHYS_OFFSET: 0xfffff76600000000
CPU features: 0x00000,01a00100,0000421b
Memory Limit: none


Analysis

by VulDB Data Team • 03/01/2026

The vulnerability identified as CVE-2023-53655 resides within the Linux kernel's RCU (Read-Copy-Update) subsystem, specifically in the function __rcu_irq_enter_check_tick(). This function checks whether the scheduler tick is running on a no-hz full system and is part of the path the kernel takes on every interrupt and exception entry. The flaw manifests when a kprobe is registered on this function: the probe causes recursive invocation of the function and a kernel stack overflow. The issue is particularly pronounced when the kernel is configured with CONFIG_NO_HZ_FULL and booted with the nohz_full= parameter, which disables the tick on specific CPUs to improve performance in latency-sensitive environments. Triggering the flaw requires only creating a kprobe event on the function; the probe then causes unbounded recursion that exhausts the kernel stack space allocated to the current task.

The technical root cause of this vulnerability is the absence of kprobe blacklisting for __rcu_irq_enter_check_tick(). This function is part of the kernel's RCU infrastructure and is called frequently during interrupt and exception handling, especially on systems configured for no-hz full operation. When a kprobe is placed on it, hitting the probe raises a breakpoint exception (the BRK shown in the panic output above), and the kernel's exception-entry code (el1_dbg -> ct_nmi_enter in the call trace) itself calls __rcu_irq_enter_check_tick() again, which hits the same probe. Each iteration pushes another exception frame, so the call stack grows without bound. The kernel's stack sizing is designed for normal execution paths, but kprobe interception of a function on the exception-entry path creates an abnormal, self-re-entering flow that leads to stack exhaustion.

The operational impact of this vulnerability is severe, as it can lead to immediate system crashes and kernel panics, effectively rendering the affected system unusable. The stack overflow results in a kernel panic with the message "kernel stack overflow" and a call trace showing repeated invocations of __rcu_irq_enter_check_tick(), indicating the recursive nature of the problem. This vulnerability affects systems running kernel versions where the fix has not been applied, particularly those configured for no-hz full operation and using kprobe-based debugging or monitoring tools. The attack vector is relatively straightforward, requiring only the ability to execute shell commands that enable kprobes on the targeted kernel function, making it accessible to attackers with basic system access. The vulnerability demonstrates how seemingly innocuous debugging mechanisms can interact catastrophically with core kernel subsystems.

The mitigation for this vulnerability is to add __rcu_irq_enter_check_tick() to the kprobes blacklist using the NOKPROBE_SYMBOL() macro, as implemented in the kernel patch. This prevents kprobe registration on the function and eliminates the recursive call path that leads to stack overflow. System administrators should ensure their kernels are updated with the patched version that includes this fix. For systems that cannot be updated immediately, disabling kprobe functionality or avoiding registration of kprobes on critical kernel functions can serve as temporary mitigations. The fix aligns with the principle of least privilege in kernel design, ensuring that core system functions remain protected from external interception mechanisms that could compromise system stability. The vulnerability highlights the importance of careful consideration when implementing debugging tools and the need for comprehensive testing of interaction patterns between kernel subsystems. The issue is classified under CWE-770, which addresses insufficient resource management, and relates to ATT&CK technique T1059.006 for kernel-level command execution, demonstrating how legitimate kernel debugging capabilities can be abused to cause system instability. It also reflects broader concerns about the interaction between kernel profiling tools and core system functions, emphasizing the need for robust protection mechanisms in kernel design.

Responsible

Linux

Reservation

10/07/2025

Disclosure

10/07/2025

Moderation

accepted

CPE

ready

EPSS

0.00158

KEV

no

Activities

very low
