| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025091603-CVE-2023-53270-4af2@gregkh>
Date: Tue, 16 Sep 2025 10:07:08 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2023-53270: ext4: fix i_disksize exceeding i_size problem in paritally written case
From: Greg Kroah-Hartman <gregkh@...nel.org>
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix i_disksize exceeding i_size problem in paritally written case
It is possible for i_disksize can exceed i_size, triggering a warning.
generic_perform_write
copied = iov_iter_copy_from_user_atomic(len) // copied < len
ext4_da_write_end
| ext4_update_i_disksize
| new_i_size = pos + copied;
| WRITE_ONCE(EXT4_I(inode)->i_disksize, newsize) // update i_disksize
| generic_write_end
| copied = block_write_end(copied, len) // copied = 0
| if (unlikely(copied < len))
| if (!PageUptodate(page))
| copied = 0;
| if (pos + copied > inode->i_size) // return false
if (unlikely(copied == 0))
goto again;
if (unlikely(iov_iter_fault_in_readable(i, bytes))) {
status = -EFAULT;
break;
}
We get i_disksize greater than i_size here, which could trigger WARNING
check 'i_size_read(inode) < EXT4_I(inode)->i_disksize' while doing dio:
ext4_dio_write_iter
iomap_dio_rw
__iomap_dio_rw // return err, length is not aligned to 512
ext4_handle_inode_extension
WARN_ON_ONCE(i_size_read(inode) < EXT4_I(inode)->i_disksize) // Oops
WARNING: CPU: 2 PID: 2609 at fs/ext4/file.c:319
CPU: 2 PID: 2609 Comm: aa Not tainted 6.3.0-rc2
RIP: 0010:ext4_file_write_iter+0xbc7
Call Trace:
vfs_write+0x3b1
ksys_write+0x77
do_syscall_64+0x39
Fix it by updating 'copied' value before updating i_disksize just like
ext4_write_inline_data_end() does.
A reproducer can be found in the buganizer link below.
The Linux kernel CVE team has assigned CVE-2023-53270 to this issue.
Affected and fixed versions
===========================
Issue introduced in 2.6.27 with commit 64769240bd07f446f83660bb143bb609d8ab4910 and fixed in 5.15.111 with commit 18eb23891aeae3229baf8c7c23b76be3364e1967
Issue introduced in 2.6.27 with commit 64769240bd07f446f83660bb143bb609d8ab4910 and fixed in 6.1.28 with commit d30090eb546d993ea3f3023452540c476ea614a5
Issue introduced in 2.6.27 with commit 64769240bd07f446f83660bb143bb609d8ab4910 and fixed in 6.2.15 with commit 3ecea2fee14227712694c8b54ad99d471e61de92
Issue introduced in 2.6.27 with commit 64769240bd07f446f83660bb143bb609d8ab4910 and fixed in 6.3.2 with commit 53877ed201baa6b58f7ce9df92664a839113c30e
Issue introduced in 2.6.27 with commit 64769240bd07f446f83660bb143bb609d8ab4910 and fixed in 6.4 with commit 1dedde690303c05ef732b7c5c8356fdf60a4ade3
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2023-53270
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
fs/ext4/inode.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/18eb23891aeae3229baf8c7c23b76be3364e1967
https://git.kernel.org/stable/c/d30090eb546d993ea3f3023452540c476ea614a5
https://git.kernel.org/stable/c/3ecea2fee14227712694c8b54ad99d471e61de92
https://git.kernel.org/stable/c/53877ed201baa6b58f7ce9df92664a839113c30e
https://git.kernel.org/stable/c/1dedde690303c05ef732b7c5c8356fdf60a4ade3
Powered by blists - more mailing lists