CVE-2023-53270

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ext4: fix i_disksize exceeding i_size problem in paritally written case<br /> <br /> It is possible for i_disksize can exceed i_size, triggering a warning.<br /> <br /> generic_perform_write<br /> copied = iov_iter_copy_from_user_atomic(len) // copied i_disksize, newsize) // update i_disksize<br /> | generic_write_end<br /> | copied = block_write_end(copied, len) // copied = 0<br /> | if (unlikely(copied inode-&gt;i_size) // return false<br /> if (unlikely(copied == 0))<br /> goto again;<br /> if (unlikely(iov_iter_fault_in_readable(i, bytes))) {<br /> status = -EFAULT;<br /> break;<br /> }<br /> <br /> We get i_disksize greater than i_size here, which could trigger WARNING<br /> check &amp;#39;i_size_read(inode) i_disksize&amp;#39; while doing dio:<br /> <br /> ext4_dio_write_iter<br /> iomap_dio_rw<br /> __iomap_dio_rw // return err, length is not aligned to 512<br /> ext4_handle_inode_extension<br /> WARN_ON_ONCE(i_size_read(inode) i_disksize) // Oops<br /> <br /> WARNING: CPU: 2 PID: 2609 at fs/ext4/file.c:319<br /> CPU: 2 PID: 2609 Comm: aa Not tainted 6.3.0-rc2<br /> RIP: 0010:ext4_file_write_iter+0xbc7<br /> Call Trace:<br /> vfs_write+0x3b1<br /> ksys_write+0x77<br /> do_syscall_64+0x39<br /> <br /> Fix it by updating &amp;#39;copied&amp;#39; value before updating i_disksize just like<br /> ext4_write_inline_data_end() does.<br /> <br /> A reproducer can be found in the buganizer link below.