| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025100135-CVE-2023-53526-ee71@gregkh> Date: Wed, 1 Oct 2025 13:46:18 +0200 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2023-53526: jbd2: check 'jh->b_transaction' before removing it from checkpoint From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: jbd2: check 'jh->b_transaction' before removing it from checkpoint Following process will corrupt ext4 image: Step 1: jbd2_journal_commit_transaction __jbd2_journal_insert_checkpoint(jh, commit_transaction) // Put jh into trans1->t_checkpoint_list journal->j_checkpoint_transactions = commit_transaction // Put trans1 into journal->j_checkpoint_transactions Step 2: do_get_write_access test_clear_buffer_dirty(bh) // clear buffer dirty,set jbd dirty __jbd2_journal_file_buffer(jh, transaction) // jh belongs to trans2 Step 3: drop_cache journal_shrink_one_cp_list jbd2_journal_try_remove_checkpoint if (!trylock_buffer(bh)) // lock bh, true if (buffer_dirty(bh)) // buffer is not dirty __jbd2_journal_remove_checkpoint(jh) // remove jh from trans1->t_checkpoint_list Step 4: jbd2_log_do_checkpoint trans1 = journal->j_checkpoint_transactions // jh is not in trans1->t_checkpoint_list jbd2_cleanup_journal_tail(journal) // trans1 is done Step 5: Power cut, trans2 is not committed, jh is lost in next mounting. Fix it by checking 'jh->b_transaction' before remove it from checkpoint. The Linux kernel CVE team has assigned CVE-2023-53526 to this issue. Affected and fixed versions =========================== Issue introduced in 5.15.129 with commit b832174b7f89df3ebab02f5b485d00127a0e1a6e and fixed in 5.15.132 with commit ef5fea70e5915afd64182d155e72bfb4f275e1fc Issue introduced in 6.1.50 with commit e5c768d809a85e9efd0274b2efe69d4970cc0014 and fixed in 6.1.54 with commit dbafe636db415299e54d9dfefc1003bda9e71c9d Issue introduced in 6.5 with commit 46f881b5b1758dc4a35fba4a643c10717d0cf427 and fixed in 6.5.4 with commit 2298f2589903a8bc03061b54b31fd97985ab6529 Issue introduced in 6.5 with commit 46f881b5b1758dc4a35fba4a643c10717d0cf427 and fixed in 6.6 with commit 590a809ff743e7bd890ba5fb36bc38e20a36de53 Issue introduced in 6.4.13 with commit 019b59aeb2af6b47d5c8e69c5dc1d731c8df0354 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2023-53526 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: fs/jbd2/checkpoint.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/ef5fea70e5915afd64182d155e72bfb4f275e1fc https://git.kernel.org/stable/c/dbafe636db415299e54d9dfefc1003bda9e71c9d https://git.kernel.org/stable/c/2298f2589903a8bc03061b54b31fd97985ab6529 https://git.kernel.org/stable/c/590a809ff743e7bd890ba5fb36bc38e20a36de53
Powered by blists - more mailing lists