CVE-2023-53172

Summary

In the Linux kernel, the following vulnerability has been resolved:

fsverity: reject FS_IOC_ENABLE_VERITY on mode 3 fds

Commit 56124d6c87fd ("fsverity: support enabling with tree block size < PAGE_SIZE") changed FS_IOC_ENABLE_VERITY to use __kernel_read() to read the file's data, instead of direct pagecache accesses.

An unintended consequence of this is that the 'WARN_ON_ONCE(!(file->f_mode & FMODE_READ))' in __kernel_read() became reachable by fuzz tests. This happens if FS_IOC_ENABLE_VERITY is called on a fd opened with access mode 3, which means "ioctl access only".

Arguably, FS_IOC_ENABLE_VERITY should work on ioctl-only fds. But ioctl-only fds are a weird Linux extension that is rarely used and that few people even know about. (The documentation for FS_IOC_ENABLE_VERITY even specifically says it requires O_RDONLY.) It's probably not worthwhile to make the ioctl internally open a new fd just to handle this case. Thus, just reject the ioctl on such fds for now.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux56124d6c87fd749477425110d2564166621a89c4 < 85c039cff3c359967cafe90443c02321e950b216affected
LinuxLinux56124d6c87fd749477425110d2564166621a89c4 < 04839139213cf60d4c5fc792214a08830e294ff8affected
LinuxLinux6.3affected
LinuxLinux0 < 6.3unaffected
LinuxLinux6.3.1 <= 6.3.*unaffected
LinuxLinux6.4 <= *unaffected

Weaknesses

References