CVE-2023-53317
Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 16/09/2025
Last modified: 14/01/2026
Description
In the Linux kernel, the following vulnerability has been resolved:

ext4: fix WARNING in mb_find_extent

Syzbot found the following issue:

EXT4-fs: Warning: mounting with data=journal disables delayed allocation, dioread_nolock, O_DIRECT and fast_commit support!
EXT4-fs (loop0): orphan cleanup on readonly fs
------------[ cut here ]------------
WARNING: CPU: 1 PID: 5067 at fs/ext4/mballoc.c:1869 mb_find_extent+0x8a1/0xe30
Modules linked in:
CPU: 1 PID: 5067 Comm: syz-executor307 Not tainted 6.2.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
RIP: 0010:mb_find_extent+0x8a1/0xe30 fs/ext4/mballoc.c:1869
RSP: 0018:ffffc90003c9e098 EFLAGS: 00010293
RAX: ffffffff82405731 RBX: 0000000000000041 RCX: ffff8880783457c0
RDX: 0000000000000000 RSI: 0000000000000041 RDI: 0000000000000040
RBP: 0000000000000040 R08: ffffffff82405723 R09: ffffed10053c9402
R10: ffffed10053c9402 R11: 1ffff110053c9401 R12: 0000000000000000
R13: ffffc90003c9e538 R14: dffffc0000000000 R15: ffffc90003c9e2cc
FS: 0000555556665300(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000056312f6796f8 CR3: 0000000022437000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
ext4_mb_complex_scan_group+0x353/0x1100 fs/ext4/mballoc.c:2307
ext4_mb_regular_allocator+0x1533/0x3860 fs/ext4/mballoc.c:2735
ext4_mb_new_blocks+0xddf/0x3db0 fs/ext4/mballoc.c:5605
ext4_ext_map_blocks+0x1868/0x6880 fs/ext4/extents.c:4286
ext4_map_blocks+0xa49/0x1cc0 fs/ext4/inode.c:651
ext4_getblk+0x1b9/0x770 fs/ext4/inode.c:864
ext4_bread+0x2a/0x170 fs/ext4/inode.c:920
ext4_quota_write+0x225/0x570 fs/ext4/super.c:7105
write_blk fs/quota/quota_tree.c:64 [inline]
get_free_dqblk+0x34a/0x6d0 fs/quota/quota_tree.c:130
do_insert_tree+0x26b/0x1aa0 fs/quota/quota_tree.c:340
do_insert_tree+0x722/0x1aa0 fs/quota/quota_tree.c:375
do_insert_tree+0x722/0x1aa0 fs/quota/quota_tree.c:375
do_insert_tree+0x722/0x1aa0 fs/quota/quota_tree.c:375
dq_insert_tree fs/quota/quota_tree.c:401 [inline]
qtree_write_dquot+0x3b6/0x530 fs/quota/quota_tree.c:420
v2_write_dquot+0x11b/0x190 fs/quota/quota_v2.c:358
dquot_acquire+0x348/0x670 fs/quota/dquot.c:444
ext4_acquire_dquot+0x2dc/0x400 fs/ext4/super.c:6740
dqget+0x999/0xdc0 fs/quota/dquot.c:914
__dquot_initialize+0x3d0/0xcf0 fs/quota/dquot.c:1492
ext4_process_orphan+0x57/0x2d0 fs/ext4/orphan.c:329
ext4_orphan_cleanup+0xb60/0x1340 fs/ext4/orphan.c:474
__ext4_fill_super fs/ext4/super.c:5516 [inline]
ext4_fill_super+0x81cd/0x8700 fs/ext4/super.c:5644
get_tree_bdev+0x400/0x620 fs/super.c:1282
vfs_get_tree+0x88/0x270 fs/super.c:1489
do_new_mount+0x289/0xad0 fs/namespace.c:3145
do_mount fs/namespace.c:3488 [inline]
__do_sys_mount fs/namespace.c:3697 [inline]
__se_sys_mount+0x2d3/0x3c0 fs/namespace.c:3674
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

Add some debug information:
mb_find_extent: mb_find_extent block=41, order=0 needed=64 next=0 ex=0/41/1@3735929054 64 64 7
block_bitmap: ff 3f 0c 00 fc 01 00 00 d2 3d 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff

Actually, blocks per group is 64, but the block bitmap indicates it has at least
128 blocks. Now, ext4_validate_block_bitmap() didn't check whether the bitmap bits
of invalid blocks are set.
To resolve the above issue, add a check like fsck's "Padding at end of block bitmap is
not set".
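The padding check the description calls for, sketched in user-space C as an added example (it is not the kernel patch and not code from this advisory). It runs over the 32 bitmap bytes shown in the debug output with 64 blocks per group; treating those 32 bytes as the whole bitmap and `block=41` as a decimal bit index are assumptions, and the function names are illustrative.

```c
#include <stddef.h>
#include <stdio.h>

/* First 32 bytes of the block bitmap, copied from the debug output above. */
static const unsigned char dumped_bitmap[32] = {
    0xff, 0x3f, 0x0c, 0x00, 0xfc, 0x01, 0x00, 0x00,
    0xd2, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
};

/* ext4 bitmaps are little-endian: bit n is bit (n % 8) of byte (n / 8). */
static int bit_is_set(const unsigned char *bm, size_t n)
{
    return (bm[n / 8] >> (n % 8)) & 1;
}

/* Index of the first clear bit in the padding [blocks_per_group, bitmap_bits),
 * or -1 when every padding bit is set (the state fsck expects). */
long first_clear_padding_bit(const unsigned char *bm, size_t bitmap_bits,
                             size_t blocks_per_group)
{
    for (size_t n = blocks_per_group; n < bitmap_bits; n++)
        if (!bit_is_set(bm, n))
            return (long)n;
    return -1;
}

/* Length of the run of clear (free) bits starting at start, scanned with
 * no regard to the group size, i.e. trusting the bitmap alone. */
size_t free_run_from(const unsigned char *bm, size_t bitmap_bits, size_t start)
{
    size_t n = start;
    while (n < bitmap_bits && !bit_is_set(bm, n))
        n++;
    return n - start;
}

int main(void)
{
    size_t bits = sizeof(dumped_bitmap) * 8, bpg = 64; /* bpg from the page */
    long bad = first_clear_padding_bit(dumped_bitmap, bits, bpg);
    size_t run = free_run_from(dumped_bitmap, bits, 41);

    printf("first clear padding bit: %ld\n", bad);
    printf("free run from block 41: %zu blocks, ends at %zu (group ends at %zu)\n",
           run, 41 + run - 1, bpg - 1);
    return bad >= 0; /* non-zero exit: bitmap should be rejected */
}
```

On the dumped bitmap the free run that starts at bit 41 continues into bit 64, one past the last valid block of the group, which is the inconsistency a padding check rejects before the allocator sees the bitmap.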
Impact
Base Score 3.x: 5.50
Severity 3.x: MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | | 4.19.283 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.20 (including) | 5.4.243 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.5 (including) | 5.10.180 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.112 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.1.29 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.2.16 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.3 (including) | 6.3.3 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.4:rc1:*:*:*:*:*:* | | |
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/1b90fbc7590124c57a2e590de7fd07eba26606f1
- https://git.kernel.org/stable/c/5d356d902e9d5b1aaaaf2326d365340fa8a90c1b
- https://git.kernel.org/stable/c/775b00ba23f6f916fe2ac60c5ff7fd0fe4f28d0d
- https://git.kernel.org/stable/c/d55e76e11592a1d18a179c7fd34ca1b52632beb3
- https://git.kernel.org/stable/c/dba62fa84a8eac44a53a2862de8a40e5bdfa0ae3
- https://git.kernel.org/stable/c/dd45e536f47a82e0a405f9a4b6c7ceb367171ee9
- https://git.kernel.org/stable/c/e4d503c956a744cb59e509ca5f134cfad423c7a3
- https://git.kernel.org/stable/c/fa08a7b61dff8a4df11ff1e84abfc214b487caf7



