CVE-2026-23088

Source
https://cve.org/CVERecord?id=CVE-2026-23088
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23088.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-23088
Downstream
Related
Published
2026-02-04T16:08:11.717Z
Modified
2026-03-24T09:13:15.006094Z
Summary
tracing: Fix crash on synthetic stacktrace field usage
Details

In the Linux kernel, the following vulnerability has been resolved:

tracing: Fix crash on synthetic stacktrace field usage

When creating a synthetic event based on an existing synthetic event that had a stacktrace field and the new synthetic event used that field a kernel crash occurred:

~# cd /sys/kernel/tracing
~# echo 's:stack unsigned long stack[];' > dynamic_events
~# echo 'hist:keys=prev_pid:s0=common_stacktrace if prev_state & 3' >> events/sched/sched_switch/trigger
~# echo 'hist:keys=next_pid:s1=$s0:onmatch(sched.sched_switch).trace(stack,$s1)' >> events/sched/sched_switch/trigger

The above creates a synthetic event that takes a stacktrace when a task schedules out in a non-running state and passes that stacktrace to the sched_switch event when that task schedules back in. It triggers the "stack" synthetic event that has a stacktrace as its field (called "stack").

~# echo 's:syscall_stack s64 id; unsigned long stack[];' >> dynamic_events
~# echo 'hist:keys=common_pid:s2=stack' >> events/synthetic/stack/trigger
~# echo 'hist:keys=common_pid:s3=$s2,i0=id:onmatch(synthetic.stack).trace(syscall_stack,$i0,$s3)' >> events/raw_syscalls/sys_exit/trigger

The above makes another synthetic event called "syscall_stack" that attaches the first synthetic event (stack) to the sys_exit trace event and records the stacktrace from the stack event with the id of the system call that is exiting.

When enabling this event (or using it in a histogram):

~# echo 1 > events/synthetic/syscall_stack/enable

Produces a kernel crash!

BUG: unable to handle page fault for address: 0000000000400010
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: Oops: 0000 [#1] SMP PTI
CPU: 6 UID: 0 PID: 1257 Comm: bash Not tainted 6.16.3+deb14-amd64 #1 PREEMPT(lazy) Debian 6.16.3-1
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
RIP: 0010:trace_event_raw_event_synth+0x90/0x380
Code: c5 00 00 00 00 85 d2 0f 84 e1 00 00 00 31 db eb 34 0f 1f 00 66 66 2e 0f 1f 84 00 00 00 00 00 66 66 2e 0f 1f 84 00 00 00 00 00 <49> 8b 04 24 48 83 c3 01 8d 0c c5 08 00 00 00 01 cd 41 3b 5d 40 0f
RSP: 0018:ffffd2670388f958 EFLAGS: 00010202
RAX: ffff8ba1065cc100 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000001 RSI: fffff266ffda7b90 RDI: ffffd2670388f9b0
RBP: 0000000000000010 R08: ffff8ba104e76000 R09: ffffd2670388fa50
R10: ffff8ba102dd42e0 R11: ffffffff9a908970 R12: 0000000000400010
R13: ffff8ba10a246400 R14: ffff8ba10a710220 R15: fffff266ffda7b90
FS:  00007fa3bc63f740(0000) GS:ffff8ba2e0f48000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000400010 CR3: 0000000107f9e003 CR4: 0000000000172ef0
Call Trace:
 <TASK>
 ? __tracing_map_insert+0x208/0x3a0
 action_trace+0x67/0x70
 event_hist_trigger+0x633/0x6d0
 event_triggers_call+0x82/0x130
 trace_event_buffer_commit+0x19d/0x250
 trace_event_raw_event_sys_exit+0x62/0xb0
 syscall_exit_work+0x9d/0x140
 do_syscall_64+0x20a/0x2f0
 ? trace_event_raw_event_sched_switch+0x12b/0x170
 ? save_fpregs_to_fpstate+0x3e/0x90
 ? _raw_spin_unlock+0xe/0x30
 ? finish_task_switch.isra.0+0x97/0x2c0
 ? __rseq_handle_notify_resume+0xad/0x4c0
 ? __schedule+0x4b8/0xd00
 ? restore_fpregs_from_fpstate+0x3c/0x90
 ? switch_fpu_return+0x5b/0xe0
 ? do_syscall_64+0x1ef/0x2f0
 ? do_fault+0x2e9/0x540
 ? __handle_mm_fault+0x7d1/0xf70
 ? count_memcg_events+0x167/0x1d0
 ? handle_mm_fault+0x1d7/0x2e0
 ? do_user_addr_fault+0x2c3/0x7f0
 entry_SYSCALL_64_after_hwframe+0x76/0x7e

The reason is that the stacktrace field is not labeled as such, and is treated as a normal field and not as a dynamic event that it is.

In trace_event_raw_event_synth() the event field is still treated as a dynamic array, but the retrieval of the data is considered a normal field, and the reference is just the meta data:

// Meta data is retrieved instead of a dynamic array ---truncated---

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23088.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
00cf3d672a9dd409418647e9f98784c339c3ff63
Fixed
98ecbfb2598c9c7ca755a29f402da9d36c057077
Fixed
327af07dff6ab5650b21491eb4f69694999ff3d1
Fixed
3b90d099efa2b67239bd3b3dc3521ec584261748
Fixed
90f9f5d64cae4e72defd96a2a22760173cb3c9ec
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
b9453380c1c542fd095a4dbe9251eeba4022bbce
Last affected
5f52389bdd9eafb63b3a2f804e02aeb17b6a5f55
Last affected
f3baa42afeea0d5f04ad31525e861199d02210cc

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23088.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.3.0
Fixed
6.6.122
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.68
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.8

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23088.json"