From bippy-1.1.0 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@kernel.org>
To: <linux-cve-announce@vger.kernel.org>
Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
Subject: CVE-2023-53101: ext4: zero i_disksize when initializing the bootloader inode

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

ext4: zero i_disksize when initializing the bootloader inode

If the boot loader inode has never been used before, the
EXT4_IOC_SWAP_BOOT inode will initialize it, including setting the
i_size to 0. However, if the "never before used" boot loader has a
non-zero i_size, then i_disksize will be non-zero, and the
inconsistency between i_size and i_disksize can trigger a kernel
warning:

    WARNING: CPU: 0 PID: 2580 at fs/ext4/file.c:319
    CPU: 0 PID: 2580 Comm: bb Not tainted 6.3.0-rc1-00004-g703695902cfa
    RIP: 0010:ext4_file_write_iter+0xbc7/0xd10
    Call Trace:
     vfs_write+0x3b1/0x5c0
     ksys_write+0x77/0x160
     __x64_sys_write+0x22/0x30
     do_syscall_64+0x39/0x80

Reproducer:
1. create corrupted image and mount it:
    mke2fs -t ext4 /tmp/foo.img 200
    debugfs -wR "sif <5> size 25700" /tmp/foo.img
    mount -t ext4 /tmp/foo.img /mnt
    cd /mnt
    echo 123 > file
2. Run the reproducer program:
    posix_memalign(&buf, 1024, 1024);
    fd = open("file", O_RDWR | O_DIRECT);
    ioctl(fd, EXT4_IOC_SWAP_BOOT);
    write(fd, buf, 1024);

Fix this by setting i_disksize as well as i_size to zero when
initializing the boot loader inode.

The Linux kernel CVE team has assigned CVE-2023-53101 to this issue.


Affected and fixed versions
===========================

Fixed in 4.14.310 with commit d6c1447e483c05dbcfb3ff77ac04237a82070b8c
Fixed in 4.19.278 with commit 59eee0cdf8c036f554add97a4da7c06d7a9ff34a
Fixed in 5.4.237 with commit 0d8a6c9a6415999fee1259ccf1796480c026b7d6
Fixed in 5.10.175 with commit 3f00c476da8fe7c4c34ea16abb55d74127120413
Fixed in 5.15.103 with commit 01a821aacc64d4b05dafd239dbc9b7856686002f
Fixed in 6.1.20 with commit 9cb27b1e76f0cc886ac09055bc41c0ab3f205167
Fixed in 6.2.7 with commit 9e9a4cc5486356158554f6ad73027d8635a48b34
Fixed in 6.3 with commit f5361da1e60d54ec81346aee8e3d8baf1be0b762

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2023-53101
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
fs/ext4/ioctl.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/d6c1447e483c05dbcfb3ff77ac04237a82070b8c
https://git.kernel.org/stable/c/59eee0cdf8c036f554add97a4da7c06d7a9ff34a
https://git.kernel.org/stable/c/0d8a6c9a6415999fee1259ccf1796480c026b7d6
https://git.kernel.org/stable/c/3f00c476da8fe7c4c34ea16abb55d74127120413
https://git.kernel.org/stable/c/01a821aacc64d4b05dafd239dbc9b7856686002f
https://git.kernel.org/stable/c/9cb27b1e76f0cc886ac09055bc41c0ab3f205167
https://git.kernel.org/stable/c/9e9a4cc5486356158554f6ad73027d8635a48b34
https://git.kernel.org/stable/c/f5361da1e60d54ec81346aee8e3d8baf1be0b762
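The "Affected and fixed versions" list above is keyed by stable branch, so deciding whether a given running kernel carries the fix means finding the matching branch and comparing the patch level, with the mainline 6.3 release as the baseline for every newer branch. The following script is an added example, not part of the kernel CVE team's announcement or of any kernel tooling; it encodes only the fixed versions listed in this advisory, treats a branch that the advisory does not list and that predates 6.3 (for example an end-of-life 6.0.x kernel) as "unknown" rather than guessing, and handles release-candidate strings such as the 6.3.0-rc1 kernel from the warning above, which predates the 6.3 release and is therefore still affected. Whether a distribution kernel has the fix backported out of band is something this check cannot see; it only reads the version string.

```python
"""Classify a kernel release string against the fixed versions in CVE-2023-53101.

Added example (not part of the advisory). Only the versions printed in the
announcement above are encoded here; anything else is reported as unknown.
"""
import platform
import re
import sys
from typing import Optional, Tuple

# Fixed versions as listed in the advisory, one per stable branch plus mainline.
FIXED_VERSIONS = [
    "4.14.310", "4.19.278", "5.4.237", "5.10.175",
    "5.15.103", "6.1.20", "6.2.7", "6.3",
]
MAINLINE_FIX = "6.3"  # every branch forked after this release contains the fix

# (major, minor, patch, is_final): an -rcN kernel sorts before the final release
# of the same number, so "6.3.0-rc1" compares lower than "6.3".
VersionKey = Tuple[int, int, int, int]

_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(-rc\d+)?")


def version_key(release: str) -> VersionKey:
    """Parse a 'uname -r'-style string (e.g. '5.15.102-generic') into a sortable key."""
    m = _RELEASE_RE.match(release)
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3) or 0)
    is_final = 0 if m.group(4) else 1
    return (major, minor, patch, is_final)


def assess(release: str) -> Tuple[str, Optional[str]]:
    """Return (status, fixed_in) with status one of 'fixed', 'affected', 'unknown'.

    'fixed_in' is the advisory's fixed version for the matching branch, or the
    mainline fix for branches newer than it; None when the advisory says nothing.
    """
    key = version_key(release)
    branch = key[:2]
    # First try the exact stable branch the advisory lists.
    for fixed in FIXED_VERSIONS:
        fixed_key = version_key(fixed)
        if fixed_key[:2] == branch:
            return ("fixed" if key >= fixed_key else "affected", fixed)
    # A branch newer than the mainline fix forked from a tree that already had it.
    if key >= version_key(MAINLINE_FIX):
        return ("fixed", MAINLINE_FIX)
    # Older branches not listed (end-of-life trees) are not covered by the advisory.
    return ("unknown", None)


if __name__ == "__main__":
    # Check the release given on the command line, or the running kernel.
    target = sys.argv[1] if len(sys.argv) > 1 else platform.release()
    status, fixed_in = assess(target)
    print(f"{target}: {status}" + (f" (fix first shipped in {fixed_in})" if fixed_in else ""))
```

Run it with no arguments on the host to check the running kernel, or pass a version string to check an inventory entry offline; "unknown" is a prompt to consult the CVE record linked above rather than a verdict.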