Instituto Nacional de Ciberseguridad. INCIBE section
Instituto Nacional de Ciberseguridad. INCIBE-CERT section

CVE-2023-53813

Severity:
Pending analysis
Type:
Not available / Other type
Publication date:
09/12/2025
Last modified:
09/12/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

ext4: fix rbtree traversal bug in ext4_mb_use_preallocated

During allocations, while looking for preallocations (PA) in the per inode rbtree, we can't do a direct traversal of the tree because ext4_mb_discard_group_preallocation() can parallelly mark the pa deleted and that can cause direct traversal to skip some entries. This was leading to a BUG_ON() being hit [1] when we missed a PA that could satisfy our request and ultimately tried to create a new PA that would overlap with the missed one.

To make sure we handle that case while still keeping the performance of the rbtree, we make use of the fact that the only pa that could possibly overlap the original goal start is the one that satisfies the below conditions:

1. It must have its logical start immediately to the left of (i.e. less than) original logical start.

2. It must not be deleted

To find this pa we use the following traversal method:

1. Descend into the rbtree normally to find the immediate neighboring PA. Here we keep descending irrespective of if the PA is deleted or if it overlaps with our request etc. The goal is to find an immediately adjacent PA.

2. If the found PA is on right of original goal, use rb_prev() to find the left adjacent PA.

3. Check if this PA is deleted and keep moving left with rb_prev() until a non deleted PA is found.

4. This is the PA we are looking for. Now we can check if it can satisfy the original request and proceed accordingly.

This approach also takes care of having deleted PAs in the tree.

(While we are at it, also fix a possible overflow bug in calculating the end of a PA)

[1] https://lore.kernel.org/linux-ext4/CA+G9fYv2FRpLqBZf34ZinR8bU2_ZRAUOjKAD3+tKRFaEQHtt8Q@mail.gmail.com/
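
The four-step traversal described above, sketched in C as an added example (it is not the kernel patch and not part of the original advisory). A sorted array stands in for the per inode rbtree and `idx - 1` stands in for rb_prev(); `struct pa`, `pa_covers`, `find_pa` and the sample data are hypothetical names and constructed values, and computing the PA end in 64 bits is this example's own assumption about how to avoid the overflow.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for a preallocation; not the kernel's struct. */
struct pa {
    uint32_t lstart;  /* logical start block */
    uint32_t len;     /* length in blocks */
    bool deleted;     /* set by a concurrent discard */
};

/* End of the PA is computed in 64 bits so lstart + len cannot wrap
 * (assumption: the page does not say how the kernel fixed its overflow). */
static bool pa_covers(const struct pa *p, uint32_t goal)
{
    return p->lstart <= goal && (uint64_t)p->lstart + p->len > goal;
}

/* Index of the PA that can satisfy `goal`, or -1. `tree` is sorted by lstart:
 * binary search models the rbtree descent, idx - 1 models rb_prev(). */
int find_pa(const struct pa *tree, int n, uint32_t goal)
{
    int lo = 0, hi = n - 1, idx = -1;
    /* 1. Descend to an adjacent PA, ignoring deleted/overlap state. */
    while (lo <= hi) {
        idx = lo + (hi - lo) / 2;
        if (tree[idx].lstart > goal)
            hi = idx - 1;
        else
            lo = idx + 1;
    }
    /* 2. If we landed right of the goal, step to the left neighbour. */
    if (idx >= 0 && tree[idx].lstart > goal)
        idx--;
    /* 3. Keep moving left past deleted PAs. */
    while (idx >= 0 && tree[idx].deleted)
        idx--;
    /* 4. Only this PA can cover the goal; check that it does. */
    return (idx >= 0 && pa_covers(&tree[idx], goal)) ? idx : -1;
}

/* Constructed sample: a live PA, a deleted PA, a live PA. */
static const struct pa sample[] = { {0, 64, false}, {32, 8, true}, {128, 16, false} };

int main(void)
{
    printf("%d %d\n", find_pa(sample, 3, 40), find_pa(sample, 3, 200)); /* 0 -1 */
    return 0;
}
```

For goal 40 the descent ends on the PA at 128, step 2 moves left to the deleted PA at 32, and step 3 skips it to reach the live PA at 0, which covers the goal.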

Impact