CVE-2023-53101
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: zero i_disksize when initializing the bootloader inode
If the boot loader inode has never been used before, the EXT4_IOC_SWAP_BOOT inode will initialize it, including setting the i_size to 0. However, if the "never before used" boot loader has a non-zero i_size, then i_disksize will be non-zero, and the inconsistency between i_size and i_disksize can trigger a kernel warning:
WARNING: CPU: 0 PID: 2580 at fs/ext4/file.c:319 CPU: 0 PID: 2580 Comm: bb Not tainted 6.3.0-rc1-00004-g703695902cfa RIP: 0010:ext4_file_write_iter+0xbc7/0xd10 Call Trace: vfs_write+0x3b1/0x5c0 ksys_write+0x77/0x160 __x64_sys_write+0x22/0x30 do_syscall_64+0x39/0x80
Reproducer:
- create corrupted image and mount it: mke2fs -t ext4 /tmp/foo.img 200 debugfs -wR "sif <5> size 25700" /tmp/foo.img mount -t ext4 /tmp/foo.img /mnt cd /mnt echo 123 > file
- Run the reproducer program: posix_memalign(&buf, 1024, 1024) fd = open("file", O_RDWR | O_DIRECT); ioctl(fd, EXT4_IOC_SWAP_BOOT); write(fd, buf, 1024);
Fix this by setting i_disksize as well as i_size to zero when initiaizing the boot loader inode.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 393d1d1d76933886d5e1ce603214c9987589c6d5 < d6c1447e483c05dbcfb3ff77ac04237a82070b8c | affected |
| Linux | Linux | 393d1d1d76933886d5e1ce603214c9987589c6d5 < 59eee0cdf8c036f554add97a4da7c06d7a9ff34a | affected |
| Linux | Linux | 393d1d1d76933886d5e1ce603214c9987589c6d5 < 0d8a6c9a6415999fee1259ccf1796480c026b7d6 | affected |
| Linux | Linux | 393d1d1d76933886d5e1ce603214c9987589c6d5 < 3f00c476da8fe7c4c34ea16abb55d74127120413 | affected |
| Linux | Linux | 393d1d1d76933886d5e1ce603214c9987589c6d5 < 01a821aacc64d4b05dafd239dbc9b7856686002f | affected |
| Linux | Linux | 393d1d1d76933886d5e1ce603214c9987589c6d5 < 9cb27b1e76f0cc886ac09055bc41c0ab3f205167 | affected |
| Linux | Linux | 393d1d1d76933886d5e1ce603214c9987589c6d5 < 9e9a4cc5486356158554f6ad73027d8635a48b34 | affected |
| Linux | Linux | 393d1d1d76933886d5e1ce603214c9987589c6d5 < f5361da1e60d54ec81346aee8e3d8baf1be0b762 | affected |
| Linux | Linux | 3.10 | affected |
| Linux | Linux | 0 < 3.10 | unaffected |
| Linux | Linux | 4.14.310 <= 4.14.* | unaffected |
| Linux | Linux | 4.19.278 <= 4.19.* | unaffected |
| Linux | Linux | 5.4.237 <= 5.4.* | unaffected |
| Linux | Linux | 5.10.175 <= 5.10.* | unaffected |
| Linux | Linux | 5.15.103 <= 5.15.* | unaffected |
| Linux | Linux | 6.1.20 <= 6.1.* | unaffected |
| Linux | Linux | 6.2.7 <= 6.2.* | unaffected |
| Linux | Linux | 6.3 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/d6c1447e483c05dbcfb3ff77ac04237a82070b8c
- https://git.kernel.org/stable/c/59eee0cdf8c036f554add97a4da7c06d7a9ff34a
- https://git.kernel.org/stable/c/0d8a6c9a6415999fee1259ccf1796480c026b7d6
- https://git.kernel.org/stable/c/3f00c476da8fe7c4c34ea16abb55d74127120413
- https://git.kernel.org/stable/c/01a821aacc64d4b05dafd239dbc9b7856686002f
- https://git.kernel.org/stable/c/9cb27b1e76f0cc886ac09055bc41c0ab3f205167
- https://git.kernel.org/stable/c/9e9a4cc5486356158554f6ad73027d8635a48b34
- https://git.kernel.org/stable/c/f5361da1e60d54ec81346aee8e3d8baf1be0b762
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.