CVE-2023-53143
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
02/05/2025
Last modified:
10/11/2025
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
ext4: fix another off-by-one fsmap error on 1k block filesystems<br />
<br />
Apparently syzbot figured out that issuing this FSMAP call:<br />
<br />
struct fsmap_head cmd = {<br />
.fmh_count = ...;<br />
.fmh_keys = {<br />
{ .fmr_device = /* ext4 dev */, .fmr_physical = 0, },<br />
{ .fmr_device = /* ext4 dev */, .fmr_physical = 0, },<br />
},<br />
...<br />
};<br />
ret = ioctl(fd, FS_IOC_GETFSMAP, &cmd);<br />
<br />
Produces this crash if the underlying filesystem is a 1k-block ext4<br />
filesystem:<br />
<br />
kernel BUG at fs/ext4/ext4.h:3331!<br />
invalid opcode: 0000 [#1] PREEMPT SMP<br />
CPU: 3 PID: 3227965 Comm: xfs_io Tainted: G W O 6.2.0-rc8-achx<br />
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014<br />
RIP: 0010:ext4_mb_load_buddy_gfp+0x47c/0x570 [ext4]<br />
RSP: 0018:ffffc90007c03998 EFLAGS: 00010246<br />
RAX: ffff888004978000 RBX: ffffc90007c03a20 RCX: ffff888041618000<br />
RDX: 0000000000000000 RSI: 00000000000005a4 RDI: ffffffffa0c99b11<br />
RBP: ffff888012330000 R08: ffffffffa0c2b7d0 R09: 0000000000000400<br />
R10: ffffc90007c03950 R11: 0000000000000000 R12: 0000000000000001<br />
R13: 00000000ffffffff R14: 0000000000000c40 R15: ffff88802678c398<br />
FS: 00007fdf2020c880(0000) GS:ffff88807e100000(0000) knlGS:0000000000000000<br />
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br />
CR2: 00007ffd318a5fe8 CR3: 000000007f80f001 CR4: 00000000001706e0<br />
Call Trace:<br />
<br />
ext4_mballoc_query_range+0x4b/0x210 [ext4 dfa189daddffe8fecd3cdfd00564e0f265a8ab80]<br />
ext4_getfsmap_datadev+0x713/0x890 [ext4 dfa189daddffe8fecd3cdfd00564e0f265a8ab80]<br />
ext4_getfsmap+0x2b7/0x330 [ext4 dfa189daddffe8fecd3cdfd00564e0f265a8ab80]<br />
ext4_ioc_getfsmap+0x153/0x2b0 [ext4 dfa189daddffe8fecd3cdfd00564e0f265a8ab80]<br />
__ext4_ioctl+0x2a7/0x17e0 [ext4 dfa189daddffe8fecd3cdfd00564e0f265a8ab80]<br />
__x64_sys_ioctl+0x82/0xa0<br />
do_syscall_64+0x2b/0x80<br />
entry_SYSCALL_64_after_hwframe+0x46/0xb0<br />
RIP: 0033:0x7fdf20558aff<br />
RSP: 002b:00007ffd318a9e30 EFLAGS: 00000246 ORIG_RAX: 0000000000000010<br />
RAX: ffffffffffffffda RBX: 00000000000200c0 RCX: 00007fdf20558aff<br />
RDX: 00007fdf1feb2010 RSI: 00000000c0c0583b RDI: 0000000000000003<br />
RBP: 00005625c0634be0 R08: 00005625c0634c40 R09: 0000000000000001<br />
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fdf1feb2010<br />
R13: 00005625be70d994 R14: 0000000000000800 R15: 0000000000000000<br />
<br />
For GETFSMAP calls, the caller selects a physical block device by<br />
writing its block number into fsmap_head.fmh_keys[01].fmr_device.<br />
To query mappings for a subrange of the device, the starting byte of the<br />
range is written to fsmap_head.fmh_keys[0].fmr_physical and the last<br />
byte of the range goes in fsmap_head.fmh_keys[1].fmr_physical.<br />
<br />
IOWs, to query what mappings overlap with bytes 3-14 of /dev/sda, you&#39;d<br />
set the inputs as follows:<br />
<br />
fmh_keys[0] = { .fmr_device = major(8, 0), .fmr_physical = 3},<br />
fmh_keys[1] = { .fmr_device = major(8, 0), .fmr_physical = 14},<br />
<br />
Which would return you whatever is mapped in the 12 bytes starting at<br />
physical offset 3.<br />
<br />
The crash is due to insufficient range validation of keys[1] in<br />
ext4_getfsmap_datadev. On 1k-block filesystems, block 0 is not part of<br />
the filesystem, which means that s_first_data_block is nonzero.<br />
ext4_get_group_no_and_offset subtracts this quantity from the blocknr<br />
argument before cracking it into a group number and a block number<br />
within a group. IOWs, block group 0 spans blocks 1-8192 (1-based)<br />
instead of 0-8191 (0-based) like what happens with larger blocksizes.<br />
<br />
The net result of this encoding is that blocknr s_first_data_block);<br />
<br />
The division then operates on -1:<br />
<br />
offset = do_div(blocknr, EXT4_BLOCKS_PER_GROUP(sb)) >><br />
EXT4_SB(sb)->s_cluster_bits;<br />
<br />
Leaving an impossibly large group number (2^32-1) in blocknr.<br />
ext4_getfsmap_check_keys checked that keys[0<br />
---truncated---
Impact
Base Score 3.x
5.50
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.13 (including) | 4.14.310 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.15 (including) | 4.19.278 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.20 (including) | 5.4.237 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.5 (including) | 5.10.175 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.103 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.1.20 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.2.7 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.3:rc1:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/15ebade3266b300da9cd1edce4004fe8fd6a2b88
- https://git.kernel.org/stable/c/1d2366624b4c19a2ba6baf67fe57f4a1b0f67c05
- https://git.kernel.org/stable/c/a70b49dc7eee5dbe3775a650ce598e3557ff5475
- https://git.kernel.org/stable/c/c24f838493792b5e78a3596b4ca96375aa0af4c2
- https://git.kernel.org/stable/c/c5d7c31e17224d847a330180ec1b03bf390632b2
- https://git.kernel.org/stable/c/c993799baf9c5861f8df91beb80e1611b12efcbd
- https://git.kernel.org/stable/c/eb3a695aa71a514f2e7f5778e05faba3733b70a0
- https://git.kernel.org/stable/c/f16054ac1774915160ca4e1c73ff7a269465a1b9