CVE-2023-53100

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ext4: fix WARNING in ext4_update_inline_data<br /> <br /> Syzbot found the following issue:<br /> EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 without journal. Quota mode: none.<br /> fscrypt: AES-256-CTS-CBC using implementation "cts-cbc-aes-aesni"<br /> fscrypt: AES-256-XTS using implementation "xts-aes-aesni"<br /> ------------[ cut here ]------------<br /> WARNING: CPU: 0 PID: 5071 at mm/page_alloc.c:5525 __alloc_pages+0x30a/0x560 mm/page_alloc.c:5525<br /> Modules linked in:<br /> CPU: 1 PID: 5071 Comm: syz-executor263 Not tainted 6.2.0-rc1-syzkaller #0<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022<br /> RIP: 0010:__alloc_pages+0x30a/0x560 mm/page_alloc.c:5525<br /> RSP: 0018:ffffc90003c2f1c0 EFLAGS: 00010246<br /> RAX: ffffc90003c2f220 RBX: 0000000000000014 RCX: 0000000000000000<br /> RDX: 0000000000000028 RSI: 0000000000000000 RDI: ffffc90003c2f248<br /> RBP: ffffc90003c2f2d8 R08: dffffc0000000000 R09: ffffc90003c2f220<br /> R10: fffff52000785e49 R11: 1ffff92000785e44 R12: 0000000000040d40<br /> R13: 1ffff92000785e40 R14: dffffc0000000000 R15: 1ffff92000785e3c<br /> FS: 0000555556c0d300(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 00007f95d5e04138 CR3: 00000000793aa000 CR4: 00000000003506f0<br /> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> Call Trace:<br /> <br /> __alloc_pages_node include/linux/gfp.h:237 [inline]<br /> alloc_pages_node include/linux/gfp.h:260 [inline]<br /> __kmalloc_large_node+0x95/0x1e0 mm/slab_common.c:1113<br /> __do_kmalloc_node mm/slab_common.c:956 [inline]<br /> __kmalloc+0xfe/0x190 mm/slab_common.c:981<br /> kmalloc include/linux/slab.h:584 [inline]<br /> kzalloc include/linux/slab.h:720 [inline]<br /> ext4_update_inline_data+0x236/0x6b0 fs/ext4/inline.c:346<br /> ext4_update_inline_dir fs/ext4/inline.c:1115 [inline]<br /> ext4_try_add_inline_entry+0x328/0x990 fs/ext4/inline.c:1307<br /> ext4_add_entry+0x5a4/0xeb0 fs/ext4/namei.c:2385<br /> ext4_add_nondir+0x96/0x260 fs/ext4/namei.c:2772<br /> ext4_create+0x36c/0x560 fs/ext4/namei.c:2817<br /> lookup_open fs/namei.c:3413 [inline]<br /> open_last_lookups fs/namei.c:3481 [inline]<br /> path_openat+0x12ac/0x2dd0 fs/namei.c:3711<br /> do_filp_open+0x264/0x4f0 fs/namei.c:3741<br /> do_sys_openat2+0x124/0x4e0 fs/open.c:1310<br /> do_sys_open fs/open.c:1326 [inline]<br /> __do_sys_openat fs/open.c:1342 [inline]<br /> __se_sys_openat fs/open.c:1337 [inline]<br /> __x64_sys_openat+0x243/0x290 fs/open.c:1337<br /> do_syscall_x64 arch/x86/entry/common.c:50 [inline]<br /> do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80<br /> entry_SYSCALL_64_after_hwframe+0x63/0xcd<br /> <br /> Above issue happens as follows:<br /> ext4_iget<br /> ext4_find_inline_data_nolock -&gt;i_inline_off=164 i_inline_size=60<br /> ext4_try_add_inline_entry<br /> __ext4_mark_inode_dirty<br /> ext4_expand_extra_isize_ea -&gt;i_extra_isize=32 s_want_extra_isize=44<br /> ext4_xattr_shift_entries<br /> -&gt;after shift i_inline_off is incorrect, actually is change to 176<br /> ext4_try_add_inline_entry<br /> ext4_update_inline_dir<br /> get_max_inline_xattr_value_size<br /> if (EXT4_I(inode)-&gt;i_inline_off)<br /> entry = (struct ext4_xattr_entry *)((void *)raw_inode +<br /> EXT4_I(inode)-&gt;i_inline_off);<br /> free += EXT4_XATTR_SIZE(le32_to_cpu(entry-&gt;e_value_size));<br /> -&gt;As entry is incorrect, then &amp;#39;free&amp;#39; may be negative<br /> ext4_update_inline_data<br /> value = kzalloc(len, GFP_NOFS);<br /> -&gt; len is unsigned int, maybe very large, then trigger warning when<br /> &amp;#39;kzalloc()&amp;#39;<br /> <br /> To resolve the above issue we need to update &amp;#39;i_inline_off&amp;#39; after<br /> &amp;#39;ext4_xattr_shift_entries()&amp;#39;. We do not need to set<br /> EXT4_STATE_MAY_INLINE_DATA flag here, since ext4_mark_inode_dirty()<br /> already sets this flag if needed. Setting EXT4_STATE_MAY_INLINE_DATA<br /> when it is needed may trigger a BUG_ON in ext4_writepages().