Message-ID: <2025100451-CVE-2023-53564-e874@gregkh>
Date: Sat,  4 Oct 2025 17:17:18 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2023-53564: ocfs2: fix defrag path triggering jbd2 ASSERT

From: Greg Kroah-Hartman <gregkh@...nel.org>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

ocfs2: fix defrag path triggering jbd2 ASSERT

code path:

ocfs2_ioctl_move_extents
 ocfs2_move_extents
  ocfs2_defrag_extent
   __ocfs2_move_extent
    + ocfs2_journal_access_di
    + ocfs2_split_extent  //sub-paths call jbd2_journal_restart
    + ocfs2_journal_dirty //crash by jbd2 ASSERT

crash stacks:

PID: 11297  TASK: ffff974a676dcd00  CPU: 67  COMMAND: "defragfs.ocfs2"
 #0 [ffffb25d8dad3900] machine_kexec at ffffffff8386fe01
 #1 [ffffb25d8dad3958] __crash_kexec at ffffffff8395959d
 #2 [ffffb25d8dad3a20] crash_kexec at ffffffff8395a45d
 #3 [ffffb25d8dad3a38] oops_end at ffffffff83836d3f
 #4 [ffffb25d8dad3a58] do_trap at ffffffff83833205
 #5 [ffffb25d8dad3aa0] do_invalid_op at ffffffff83833aa6
 #6 [ffffb25d8dad3ac0] invalid_op at ffffffff84200d18
    [exception RIP: jbd2_journal_dirty_metadata+0x2ba]
    RIP: ffffffffc09ca54a  RSP: ffffb25d8dad3b70  RFLAGS: 00010207
    RAX: 0000000000000000  RBX: ffff9706eedc5248  RCX: 0000000000000000
    RDX: 0000000000000001  RSI: ffff97337029ea28  RDI: ffff9706eedc5250
    RBP: ffff9703c3520200   R8: 000000000f46b0b2   R9: 0000000000000000
    R10: 0000000000000001  R11: 00000001000000fe  R12: ffff97337029ea28
    R13: 0000000000000000  R14: ffff9703de59bf60  R15: ffff9706eedc5250
    ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018
 #7 [ffffb25d8dad3ba8] ocfs2_journal_dirty at ffffffffc137fb95 [ocfs2]
 #8 [ffffb25d8dad3be8] __ocfs2_move_extent at ffffffffc139a950 [ocfs2]
 #9 [ffffb25d8dad3c80] ocfs2_defrag_extent at ffffffffc139b2d2 [ocfs2]

Analysis

This bug has the same root cause as 'commit 7f27ec978b0e ("ocfs2: call
ocfs2_journal_access_di() before ocfs2_journal_dirty() in
ocfs2_write_end_nolock()")'.  For this bug, jbd2_journal_restart() is
called by ocfs2_split_extent() during defragmenting.

How to fix

Since ocfs2_split_extent() can handle journal operations totally by itself,
the caller doesn't need to call the journal access/dirty pair and only
needs to call the journal start/stop pair.  The fix method is to remove
the journal access/dirty calls from __ocfs2_move_extent().

The discussion for this patch:
https://oss.oracle.com/pipermail/ocfs2-devel/2023-February/000647.html
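As an added illustration that is not part of the advisory or of the kernel source, the constructed C model below shows why an access/dirty pair wrapped around a callee that may call jbd2_journal_restart() trips the jbd2 check, and why removing the pair from the caller resolves it. The jbd2 behaviour it encodes is deliberately simplified: a buffer remembers the transaction that last gained write access to it, a restart moves the handle to a new transaction, and dirtying the buffer under a handle attached to a different transaction stands in for the J_ASSERT in jbd2_journal_dirty_metadata(). All model_* names, the run_scenario() helper and the assumption that the split path does not re-access the caller's inode buffer are hypothetical.

```c
#include <stdio.h>

/*
 * Constructed toy model (not kernel code) of the jbd2 rule behind the crash:
 * a buffer's journal_head remembers the running transaction that last gained
 * write access to it, and dirtying that buffer is only valid under a handle
 * attached to the same transaction.  jbd2_journal_restart() moves the handle
 * to a new transaction, so an access/dirty pair wrapped around a callee that
 * may restart trips the check.  All model_* names are hypothetical.
 */

struct model_journal { unsigned long running_tid; };  /* journal_t: running transaction id */
struct model_handle  { unsigned long h_tid; };        /* handle_t: tid the handle is attached to */
struct model_jh      { unsigned long b_tid; };        /* journal_head: tid of last access, 0 = none */

/* ocfs2_start_trans() / jbd2_journal_start(): attach the handle to the running transaction. */
static void model_journal_start(struct model_journal *j, struct model_handle *h)
{
    if (j->running_tid == 0)
        j->running_tid = 1;
    h->h_tid = j->running_tid;
}

/* ocfs2_journal_access_*(): record that the handle's transaction owns the buffer. */
static void model_journal_access(struct model_handle *h, struct model_jh *jh)
{
    jh->b_tid = h->h_tid;
}

/* jbd2_journal_restart(): close the running transaction, open a new one, re-attach the handle. */
static void model_journal_restart(struct model_journal *j, struct model_handle *h)
{
    j->running_tid++;
    h->h_tid = j->running_tid;
}

/* jbd2_journal_dirty_metadata(): 0 on success, -1 where the real code would hit J_ASSERT. */
static int model_journal_dirty(struct model_handle *h, struct model_jh *jh)
{
    return jh->b_tid == h->h_tid ? 0 : -1;
}

/*
 * Stand-in for ocfs2_split_extent(): journals the buffers it touches itself
 * (here a single extent block 'eb') and, on some paths, restarts the journal
 * first.  Model assumption: it does not re-access the caller's inode buffer.
 */
static int model_split_extent(struct model_journal *j, struct model_handle *h,
                              struct model_jh *eb, int need_restart)
{
    if (need_restart)
        model_journal_restart(j, h);
    model_journal_access(h, eb);
    return model_journal_dirty(h, eb);
}

/* __ocfs2_move_extent() before the fix: access di, split, then dirty di. */
static int model_move_extent_before_fix(struct model_journal *j, struct model_handle *h,
                                        struct model_jh *di, struct model_jh *eb,
                                        int need_restart)
{
    model_journal_access(h, di);                    /* ocfs2_journal_access_di() */
    if (model_split_extent(j, h, eb, need_restart))
        return -1;
    return model_journal_dirty(h, di);              /* ocfs2_journal_dirty(): -1 if a restart happened */
}

/* __ocfs2_move_extent() after the fix: only the start/stop pair remains around the split. */
static int model_move_extent_after_fix(struct model_journal *j, struct model_handle *h,
                                       struct model_jh *eb, int need_restart)
{
    return model_split_extent(j, h, eb, need_restart);
}

/* Run one scenario from a fresh journal; returns the final dirty result (0 ok, -1 assert). */
int run_scenario(int fixed, int need_restart)
{
    struct model_journal j = { 0 };
    struct model_handle h = { 0 };
    struct model_jh di = { 0 }, eb = { 0 };

    model_journal_start(&j, &h);
    if (fixed)
        return model_move_extent_after_fix(&j, &h, &eb, need_restart);
    return model_move_extent_before_fix(&j, &h, &di, &eb, need_restart);
}

int main(void)
{
    printf("before fix, no restart : %d\n", run_scenario(0, 0));   /* 0: the bug stays latent */
    printf("before fix, restart    : %d\n", run_scenario(0, 1));   /* -1: the jbd2 ASSERT path */
    printf("after fix,  restart    : %d\n", run_scenario(1, 1));   /* 0 */
    return 0;
}
```

The no-restart scenario returning 0 is why the defect only surfaces on some defragmentation runs: the caller's access/dirty pair is harmless until one of the split sub-paths actually restarts the journal.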

The Linux kernel CVE team has assigned CVE-2023-53564 to this issue.


Affected and fixed versions
===========================

	Fixed in 4.14.308 with commit 5f43d34a51ed30e6a60f7e59d224a63014fe2cd5
	Fixed in 4.19.276 with commit 7f3b1c28e2908755fb248d3ee8ff56826f2387db
	Fixed in 5.4.235 with commit 669134a66d37258e1c4a5cfbd5b82f547ae30fca
	Fixed in 5.10.173 with commit 2c559b3ba8e0b9e3c4bb08159a28ccadc698410f
	Fixed in 5.15.99 with commit 33665d1042666f2e5c736a3df1f453e31f030663
	Fixed in 6.1.16 with commit 8163ea90d89b7012dd1fa4b28edf5db0c641eca7
	Fixed in 6.2.3 with commit 590507ebabd33cd93324c04f9a5538309a5ba934
	Fixed in 6.3 with commit 60eed1e3d45045623e46944ebc7c42c30a4350f0

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2023-53564
will be updated if fixes are backported; please check it for the most
up-to-date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	fs/ocfs2/move_extents.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/5f43d34a51ed30e6a60f7e59d224a63014fe2cd5
	https://git.kernel.org/stable/c/7f3b1c28e2908755fb248d3ee8ff56826f2387db
	https://git.kernel.org/stable/c/669134a66d37258e1c4a5cfbd5b82f547ae30fca
	https://git.kernel.org/stable/c/2c559b3ba8e0b9e3c4bb08159a28ccadc698410f
	https://git.kernel.org/stable/c/33665d1042666f2e5c736a3df1f453e31f030663
	https://git.kernel.org/stable/c/8163ea90d89b7012dd1fa4b28edf5db0c641eca7
	https://git.kernel.org/stable/c/590507ebabd33cd93324c04f9a5538309a5ba934
	https://git.kernel.org/stable/c/60eed1e3d45045623e46944ebc7c42c30a4350f0
