CVE-2023-53564
Severity:
Pending analysis
Type:
Not available / Other type
Publication date:
04/10/2025
Last modified:
06/10/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

ocfs2: fix defrag path triggering jbd2 ASSERT

code path:

ocfs2_ioctl_move_extents
ocfs2_move_extents
ocfs2_defrag_extent
__ocfs2_move_extent
+ ocfs2_journal_access_di
+ ocfs2_split_extent //sub-paths call jbd2_journal_restart
+ ocfs2_journal_dirty //crash by jbd2 ASSERT

crash stacks:

PID: 11297 TASK: ffff974a676dcd00 CPU: 67 COMMAND: "defragfs.ocfs2"
#0 [ffffb25d8dad3900] machine_kexec at ffffffff8386fe01
#1 [ffffb25d8dad3958] __crash_kexec at ffffffff8395959d
#2 [ffffb25d8dad3a20] crash_kexec at ffffffff8395a45d
#3 [ffffb25d8dad3a38] oops_end at ffffffff83836d3f
#4 [ffffb25d8dad3a58] do_trap at ffffffff83833205
#5 [ffffb25d8dad3aa0] do_invalid_op at ffffffff83833aa6
#6 [ffffb25d8dad3ac0] invalid_op at ffffffff84200d18
[exception RIP: jbd2_journal_dirty_metadata+0x2ba]
RIP: ffffffffc09ca54a RSP: ffffb25d8dad3b70 RFLAGS: 00010207
RAX: 0000000000000000 RBX: ffff9706eedc5248 RCX: 0000000000000000
RDX: 0000000000000001 RSI: ffff97337029ea28 RDI: ffff9706eedc5250
RBP: ffff9703c3520200 R8: 000000000f46b0b2 R9: 0000000000000000
R10: 0000000000000001 R11: 00000001000000fe R12: ffff97337029ea28
R13: 0000000000000000 R14: ffff9703de59bf60 R15: ffff9706eedc5250
ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018
#7 [ffffb25d8dad3ba8] ocfs2_journal_dirty at ffffffffc137fb95 [ocfs2]
#8 [ffffb25d8dad3be8] __ocfs2_move_extent at ffffffffc139a950 [ocfs2]
#9 [ffffb25d8dad3c80] ocfs2_defrag_extent at ffffffffc139b2d2 [ocfs2]

Analysis

This bug has the same root cause as 'commit 7f27ec978b0e ("ocfs2: call
ocfs2_journal_access_di() before ocfs2_journal_dirty() in
ocfs2_write_end_nolock()")'. For this bug, jbd2_journal_restart() is
called by ocfs2_split_extent() during defragmenting.

How to fix

Since ocfs2_split_extent() can handle journal operations entirely by itself,
the caller doesn't need to call the journal access/dirty pair; the caller only
needs to call the journal start/stop pair. The fix method is to remove
journal access/dirty from __ocfs2_move_extent().

The discussion for this patch:
https://oss.oracle.com/pipermail/ocfs2-devel/2023-February/000647.html
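The root cause described above is an unbalanced journal access/dirty pair: the caller takes write access to the inode buffer under one running transaction, a sub-path restarts the journal (closing that transaction and opening a new one), and the caller's later dirty call then hits the jbd2 assertion. The following is an added, deliberately simplified user-space model of that rule, written for this page; it is not ocfs2 or jbd2 kernel code, and every struct and function name in it (model_handle, model_buf, journal_access, journal_restart, journal_dirty, split_extent, move_extent_buggy, move_extent_fixed) is an assumption chosen to mirror the call shape in the description. It shows the pre-fix shape of __ocfs2_move_extent() failing only when the split path restarts, and the post-fix shape passing.

```c
#include <stdbool.h>
#include <stdio.h>

/*
 * Constructed model (not kernel code): a buffer may only be marked dirty
 * under the same running transaction in which journal_access() granted
 * write access to it. A journal restart closes the running transaction and
 * opens a new one, so any grant taken before the restart no longer matches.
 */

struct model_handle {
	unsigned long tid;          /* id of the handle's current running transaction */
};

struct model_buf {
	const char *name;
	unsigned long access_tid;   /* transaction that granted access; 0 = none */
};

/* Stands in for ocfs2_journal_access_*(): record which transaction may dirty the buffer. */
static void journal_access(struct model_handle *h, struct model_buf *b)
{
	b->access_tid = h->tid;
}

/* Stands in for jbd2_journal_restart(): commit the running transaction, start a fresh one. */
static void journal_restart(struct model_handle *h)
{
	h->tid++;
}

/*
 * Stands in for ocfs2_journal_dirty(): the real jbd2_journal_dirty_metadata()
 * asserts on this condition and the kernel oopses; the model returns false
 * so the caller can observe the violation instead.
 */
static bool journal_dirty(struct model_handle *h, struct model_buf *b)
{
	if (b->access_tid != h->tid) {
		printf("ASSERT: %s dirtied under tid %lu, access granted under tid %lu\n",
		       b->name, h->tid, b->access_tid);
		return false;
	}
	return true;
}

/*
 * Stands in for ocfs2_split_extent(): it journals its own extent block and
 * may restart the journal in between (in the kernel this happens in its
 * sub-paths). Its own access/dirty pair stays balanced because it
 * re-acquires access after the restart.
 */
static bool split_extent(struct model_handle *h, struct model_buf *eb, bool restart_needed)
{
	journal_access(h, eb);
	if (restart_needed) {
		journal_restart(h);
		journal_access(h, eb);
	}
	return journal_dirty(h, eb);
}

/* Pre-fix shape of __ocfs2_move_extent(): access/dirty on the dinode around split_extent(). */
static bool move_extent_buggy(bool restart_needed)
{
	struct model_handle h = { 1 };
	struct model_buf di = { "dinode", 0 };
	struct model_buf eb = { "extent block", 0 };

	journal_access(&h, &di);                 /* grant taken under tid 1 */
	if (!split_extent(&h, &eb, restart_needed))
		return false;
	return journal_dirty(&h, &di);           /* fails once the tid has moved on */
}

/* Post-fix shape: the caller keeps only the start/stop pair; split_extent() journals. */
static bool move_extent_fixed(bool restart_needed)
{
	struct model_handle h = { 1 };
	struct model_buf eb = { "extent block", 0 };

	return split_extent(&h, &eb, restart_needed);
}

int main(void)
{
	printf("buggy, no restart: %s\n", move_extent_buggy(false) ? "ok" : "ASSERT");
	printf("buggy, restart:    %s\n", move_extent_buggy(true) ? "ok" : "ASSERT");
	printf("fixed, restart:    %s\n", move_extent_fixed(true) ? "ok" : "ASSERT");
	return 0;
}
```

The model keeps the defender-relevant point of the fix: a caller that cannot see whether a callee will restart the journal must not hold an access grant across that call, so ownership of the access/dirty pair moves entirely into the function that may restart.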
Impact
References to solutions, tools and information
- https://git.kernel.org/stable/c/2c559b3ba8e0b9e3c4bb08159a28ccadc698410f
- https://git.kernel.org/stable/c/33665d1042666f2e5c736a3df1f453e31f030663
- https://git.kernel.org/stable/c/590507ebabd33cd93324c04f9a5538309a5ba934
- https://git.kernel.org/stable/c/5f43d34a51ed30e6a60f7e59d224a63014fe2cd5
- https://git.kernel.org/stable/c/60eed1e3d45045623e46944ebc7c42c30a4350f0
- https://git.kernel.org/stable/c/669134a66d37258e1c4a5cfbd5b82f547ae30fca
- https://git.kernel.org/stable/c/7f3b1c28e2908755fb248d3ee8ff56826f2387db
- https://git.kernel.org/stable/c/8163ea90d89b7012dd1fa4b28edf5db0c641eca7