CVE-2023-54069

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
24/12/2025
Last modified:
24/12/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

ext4: fix BUG in ext4_mb_new_inode_pa() due to overflow

When we calculate the end position of ext4_free_extent, this position may be exactly where ext4_lblk_t (i.e. uint) overflows. For example, if ac_g_ex.fe_logical is 4294965248 and ac_orig_goal_len is 2048, then the computed end is 0x100000000, which is 0. If ac->ac_o_ex.fe_logical is not the first case of adjusting the best extent, that is, new_bex_end > 0, the following BUG_ON will be triggered:

=========================================================
kernel BUG at fs/ext4/mballoc.c:5116!
invalid opcode: 0000 [#1] PREEMPT SMP PTI
CPU: 3 PID: 673 Comm: xfs_io Tainted: G E 6.5.0-rc1+ #279
RIP: 0010:ext4_mb_new_inode_pa+0xc5/0x430
Call Trace:

ext4_mb_use_best_found+0x203/0x2f0
ext4_mb_try_best_found+0x163/0x240
ext4_mb_regular_allocator+0x158/0x1550
ext4_mb_new_blocks+0x86a/0xe10
ext4_ext_map_blocks+0xb0c/0x13a0
ext4_map_blocks+0x2cd/0x8f0
ext4_iomap_begin+0x27b/0x400
iomap_iter+0x222/0x3d0
__iomap_dio_rw+0x243/0xcb0
iomap_dio_rw+0x16/0x80
=========================================================

A simple reproducer demonstrating the problem:

mkfs.ext4 -F /dev/sda -b 4096 100M
mount /dev/sda /tmp/test
fallocate -l1M /tmp/test/tmp
fallocate -l10M /tmp/test/file
fallocate -i -o 1M -l16777203M /tmp/test/file
fsstress -d /tmp/test -l 0 -n 100000 -p 8 &
sleep 10 && killall -9 fsstress
rm -f /tmp/test/tmp
xfs_io -c "open -ad /tmp/test/file" -c "pwrite -S 0xff 0 8192"

We simply refactor the logic for adjusting the best extent by adding a temporary ext4_free_extent ex and use extent_logical_end() to avoid overflow, which also simplifies the code.
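The following C program is an added illustration, not code from the kernel or from this CVE record: it reproduces the 32-bit wrap described above in user space with the values from the description, and contrasts it with a 64-bit end computation of the kind the fix relies on. The struct layout, the one-block cluster size, and the shape of the 64-bit helper (modelled on what extent_logical_end() is described as doing) are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* ext4_lblk_t is an unsigned 32-bit logical block number in the kernel. */
typedef uint32_t ext4_lblk_t;

/* Stand-in for struct ext4_free_extent, reduced to the two fields used here.
 * A cluster size of one block is assumed, so fe_len is already in blocks. */
struct free_extent {
    ext4_lblk_t fe_logical; /* first logical block of the extent */
    ext4_lblk_t fe_len;     /* extent length in blocks */
};

/* The faulty computation: both operands are 32-bit, so the sum wraps
 * modulo 2^32 and 4294965248 + 2048 yields 0 instead of 0x100000000. */
ext4_lblk_t extent_end_wrapping(const struct free_extent *ex)
{
    return ex->fe_logical + ex->fe_len;
}

/* Overflow-safe end computed in 64 bits. This mirrors the idea behind
 * extent_logical_end() in the fix; the kernel's real signature and its
 * cluster conversion are not shown on this page (assumption). */
uint64_t extent_end_safe(const struct free_extent *ex)
{
    return (uint64_t)ex->fe_logical + (uint64_t)ex->fe_len;
}

/* Returns 1 when the 32-bit end would be wrong, i.e. the extent's true end
 * does not fit in ext4_lblk_t, so any "new_bex_end > 0" style comparison
 * made on the wrapped value is unreliable. */
int extent_end_overflows(const struct free_extent *ex)
{
    return extent_end_safe(ex) > (uint64_t)UINT32_MAX;
}

int main(void)
{
    /* Constructed input using the values quoted in the CVE description. */
    struct free_extent goal = { .fe_logical = 4294965248u, .fe_len = 2048u };

    printf("wrapping end : %u\n", (unsigned)extent_end_wrapping(&goal));
    printf("64-bit end   : 0x%llx\n", (unsigned long long)extent_end_safe(&goal));
    printf("overflows    : %s\n", extent_end_overflows(&goal) ? "yes" : "no");
    return 0;
}
```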

Impact