CVE-2023-53526

Summary

In the Linux kernel, the following vulnerability has been resolved:

jbd2: check 'jh->b_transaction' before removing it from checkpoint

Following process will corrupt ext4 image: Step 1: jbd2_journal_commit_transaction __jbd2_journal_insert_checkpoint(jh, commit_transaction) // Put jh into trans1->t_checkpoint_list journal->j_checkpoint_transactions = commit_transaction // Put trans1 into journal->j_checkpoint_transactions

Step 2: do_get_write_access test_clear_buffer_dirty(bh) // clear buffer dirty,set jbd dirty __jbd2_journal_file_buffer(jh, transaction) // jh belongs to trans2

Step 3: drop_cache journal_shrink_one_cp_list jbd2_journal_try_remove_checkpoint if (!trylock_buffer(bh)) // lock bh, true if (buffer_dirty(bh)) // buffer is not dirty __jbd2_journal_remove_checkpoint(jh) // remove jh from trans1->t_checkpoint_list

Step 4: jbd2_log_do_checkpoint trans1 = journal->j_checkpoint_transactions // jh is not in trans1->t_checkpoint_list jbd2_cleanup_journal_tail(journal) // trans1 is done

Step 5: Power cut, trans2 is not committed, jh is lost in next mounting.

Fix it by checking 'jh->b_transaction' before remove it from checkpoint.

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxb832174b7f89df3ebab02f5b485d00127a0e1a6e < ef5fea70e5915afd64182d155e72bfb4f275e1fcaffected
LinuxLinuxe5c768d809a85e9efd0274b2efe69d4970cc0014 < dbafe636db415299e54d9dfefc1003bda9e71c9daffected
LinuxLinux46f881b5b1758dc4a35fba4a643c10717d0cf427 < 2298f2589903a8bc03061b54b31fd97985ab6529affected
LinuxLinux46f881b5b1758dc4a35fba4a643c10717d0cf427 < 590a809ff743e7bd890ba5fb36bc38e20a36de53affected
LinuxLinux019b59aeb2af6b47d5c8e69c5dc1d731c8df0354affected
LinuxLinux5.15.129 < 5.15.132affected
LinuxLinux6.1.50 < 6.1.54affected
LinuxLinux6.4.13 < 6.5affected
LinuxLinux6.5affected
LinuxLinux0 < 6.5unaffected
LinuxLinux5.15.132 <= 5.15.*unaffected
LinuxLinux6.1.54 <= 6.1.*unaffected
LinuxLinux6.5.4 <= 6.5.*unaffected
LinuxLinux6.6 <= *unaffected

Weaknesses

References