CVE-2023-53584

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
04/10/2025
Last modified:
06/10/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

ubifs: ubifs_releasepage: Remove ubifs_assert(0) to valid this process

There are two states for ubifs writing pages:
1. Dirty, Private
2. Not Dirty, Not Private

The normal process cannot go to ubifs_releasepage() which means there
exists pages being private but not dirty. Reproducer[1] shows that it
could occur (which may be related to [2]) with following process:

         PA                            PB                            PC
    lock(page)[PA]
    ubifs_write_end
      attach_page_private         // set Private
      __set_page_dirty_nobuffers  // set Dirty
    unlock(page)

    write_cache_pages[PA]
      lock(page)
      clear_page_dirty_for_io(page) // clear Dirty
      ubifs_writepage

                                   do_truncation[PB]
                                     truncate_setsize
                                       i_size_write(inode, newsize) // newsize = 0

        i_size = i_size_read(inode) // i_size = 0
        end_index = i_size >> PAGE_SHIFT
        if (page->index > end_index)
          goto out // jump
    out:
    unlock(page)   // Private, Not Dirty

                                                                 generic_fadvise[PC]
                                                                   lock(page)
                                                                   invalidate_inode_page
                                                                     try_to_release_page
                                                                       ubifs_releasepage
                                                                         ubifs_assert(c, 0)
                                                                         // bad assertion!
                                                                   unlock(page)
                                   truncate_pagecache[PB]

Then we may get following assertion failed:

    UBIFS error (ubi0:0 pid 1683): ubifs_assert_failed [ubifs]:
    UBIFS assert failed: 0, in fs/ubifs/file.c:1513
    UBIFS warning (ubi0:0 pid 1683): ubifs_ro_mode [ubifs]:
    switched to read-only mode, error -22
    CPU: 2 PID: 1683 Comm: aa Not tainted 5.16.0-rc5-00184-g0bca5994cacc-dirty #308
    Call Trace:
    dump_stack+0x13/0x1b
    ubifs_ro_mode+0x54/0x60 [ubifs]
    ubifs_assert_failed+0x4b/0x80 [ubifs]
    ubifs_releasepage+0x67/0x1d0 [ubifs]
    try_to_release_page+0x57/0xe0
    invalidate_inode_page+0xfb/0x130
    __invalidate_mapping_pages+0xb9/0x280
    invalidate_mapping_pagevec+0x12/0x20
    generic_fadvise+0x303/0x3c0
    ksys_fadvise64_64+0x4c/0xb0

[1] https://bugzilla.kernel.org/show_bug.cgi?id=215373
[2] https://linux-mtd.infradead.narkive.com/NQoBeT1u/patch-rfc-ubifs-fix-assert-failed-in-ubifs-set-page-dirty
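A log scan for the signature quoted above, as an added example that is not part of the CVE record or the kernel commit: it pairs each UBIFS assertion failure with a later read-only switch on the same volume and pid. The function name, the sample log, and the tolerance for single-line messages and dmesg timestamps are assumptions made here.

```python
import re

# Constructed sample: the UBIFS messages quoted in the description above,
# plus unrelated lines added here to show what the scan ignores.
SAMPLE_LOG = """\
[  101.000000] unrelated kernel message
UBIFS error (ubi0:0 pid 1683): ubifs_assert_failed [ubifs]:
UBIFS assert failed: 0, in fs/ubifs/file.c:1513
UBIFS warning (ubi0:0 pid 1683): ubifs_ro_mode [ubifs]:
switched to read-only mode, error -22
UBIFS warning (ubi1:2 pid 77): ubifs_ro_mode [ubifs]: switched to read-only mode, error -30
"""

# Message header as it appears in the quoted log: "(ubiX:Y pid N): ".
HEADER = r"UBIFS (?:error|warning) \((?P<dev>ubi\d+:\d+) pid (?P<pid>\d+)\): "
# The message body may follow on the same line or on the next one, optionally
# behind a dmesg timestamp (assumption; the page shows the wrapped form only).
GAP = r"(?: \[ubifs\])?:\s*(?:\[\s*\d+\.\d+\]\s*)?"
ASSERT_RE = re.compile(
    HEADER + "ubifs_assert_failed" + GAP
    + r"UBIFS assert failed: (?P<expr>.+?), in (?P<file>\S+):(?P<line>\d+)")
RO_RE = re.compile(
    HEADER + "ubifs_ro_mode" + GAP
    + r"switched to read-only mode, error (?P<err>-?\d+)")


def find_assert_ro_events(log_text):
    """Return one finding per UBIFS assertion failure, noting whether the
    same volume and pid switched to read-only mode afterwards."""
    ro_events = [(m.start(), m["dev"], m["pid"], int(m["err"]))
                 for m in RO_RE.finditer(log_text)]
    findings = []
    for m in ASSERT_RE.finditer(log_text):
        key = (m["dev"], m["pid"])
        ro = next((r for r in ro_events
                   if r[0] > m.start() and r[1:3] == key), None)
        findings.append({
            "volume": m["dev"],
            "pid": int(m["pid"]),
            "expr": m["expr"],
            "location": f'{m["file"]}:{m["line"]}',
            "remounted_ro": ro is not None,
            "ro_error": ro[3] if ro else None,
        })
    return findings


if __name__ == "__main__":
    for finding in find_assert_ro_events(SAMPLE_LOG):
        print(finding)
```

A read-only switch with no preceding assertion on the same volume, like the constructed `ubi1:2` line, is not reported, so the output stays specific to the assertion path described here.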

Impact