CVE-2023-54069 (GCVE-0-2023-54069)
Vulnerability from cvelistv5 – Published: 2025-12-24 12:23 – Updated: 2025-12-24 12:23
VLAI?
Title
ext4: fix BUG in ext4_mb_new_inode_pa() due to overflow
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix BUG in ext4_mb_new_inode_pa() due to overflow
When we calculate the end position of ext4_free_extent, this position may
be exactly where ext4_lblk_t (i.e. uint) overflows. For example, if
ac_g_ex.fe_logical is 4294965248 and ac_orig_goal_len is 2048, then the
computed end is 0x100000000, which is 0. If ac->ac_o_ex.fe_logical is not
the first case of adjusting the best extent, that is, new_bex_end > 0, the
following BUG_ON will be triggered:
=========================================================
kernel BUG at fs/ext4/mballoc.c:5116!
invalid opcode: 0000 [#1] PREEMPT SMP PTI
CPU: 3 PID: 673 Comm: xfs_io Tainted: G E 6.5.0-rc1+ #279
RIP: 0010:ext4_mb_new_inode_pa+0xc5/0x430
Call Trace:
<TASK>
ext4_mb_use_best_found+0x203/0x2f0
ext4_mb_try_best_found+0x163/0x240
ext4_mb_regular_allocator+0x158/0x1550
ext4_mb_new_blocks+0x86a/0xe10
ext4_ext_map_blocks+0xb0c/0x13a0
ext4_map_blocks+0x2cd/0x8f0
ext4_iomap_begin+0x27b/0x400
iomap_iter+0x222/0x3d0
__iomap_dio_rw+0x243/0xcb0
iomap_dio_rw+0x16/0x80
=========================================================
A simple reproducer demonstrating the problem:
mkfs.ext4 -F /dev/sda -b 4096 100M
mount /dev/sda /tmp/test
fallocate -l1M /tmp/test/tmp
fallocate -l10M /tmp/test/file
fallocate -i -o 1M -l16777203M /tmp/test/file
fsstress -d /tmp/test -l 0 -n 100000 -p 8 &
sleep 10 && killall -9 fsstress
rm -f /tmp/test/tmp
xfs_io -c "open -ad /tmp/test/file" -c "pwrite -S 0xff 0 8192"
We simply refactor the logic for adjusting the best extent by adding
a temporary ext4_free_extent ex and use extent_logical_end() to avoid
overflow, which also simplifies the code.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
8659c5f4ffaacbe932849b98462c3d635b4eacea , < 83ecffd40c65844a73c2e93d7c841455786605ac
(git)
Affected: fc7237e191b99f88e859316fab2b06c2c26c8344 , < 58fe961c606c446f5612f6897827b1cac42c2e89 (git) Affected: 613f6cde5ebb005a37fda117cdda7b4126170c13 , < f2c3a3aa6f11ad9878dbc3a067b0633e07b586c1 (git) Affected: 9d4430b7f862ce8835ca4e054b6916d15c8e0862 , < fcefddf3a151b2c416b20120c06bb1ba9ad676fb (git) Affected: 93cdf49f6eca5e23f6546b8f28457b2e6a6961d9 , < b7e9ec38b6a0beb5a49cd1e76be0a9a07c218e90 (git) Affected: 93cdf49f6eca5e23f6546b8f28457b2e6a6961d9 , < bc056e7163ac7db945366de219745cf94f32a3e6 (git) Affected: 46772ab99409cc72241227dd8f5295f358233fda (git) Affected: 25a60b4533268477920faaeebd99e7e69c0735cd (git) Affected: cec4ef62b36b04e0bc8905732adab091f4bc1cfd (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/mballoc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "83ecffd40c65844a73c2e93d7c841455786605ac",
"status": "affected",
"version": "8659c5f4ffaacbe932849b98462c3d635b4eacea",
"versionType": "git"
},
{
"lessThan": "58fe961c606c446f5612f6897827b1cac42c2e89",
"status": "affected",
"version": "fc7237e191b99f88e859316fab2b06c2c26c8344",
"versionType": "git"
},
{
"lessThan": "f2c3a3aa6f11ad9878dbc3a067b0633e07b586c1",
"status": "affected",
"version": "613f6cde5ebb005a37fda117cdda7b4126170c13",
"versionType": "git"
},
{
"lessThan": "fcefddf3a151b2c416b20120c06bb1ba9ad676fb",
"status": "affected",
"version": "9d4430b7f862ce8835ca4e054b6916d15c8e0862",
"versionType": "git"
},
{
"lessThan": "b7e9ec38b6a0beb5a49cd1e76be0a9a07c218e90",
"status": "affected",
"version": "93cdf49f6eca5e23f6546b8f28457b2e6a6961d9",
"versionType": "git"
},
{
"lessThan": "bc056e7163ac7db945366de219745cf94f32a3e6",
"status": "affected",
"version": "93cdf49f6eca5e23f6546b8f28457b2e6a6961d9",
"versionType": "git"
},
{
"status": "affected",
"version": "46772ab99409cc72241227dd8f5295f358233fda",
"versionType": "git"
},
{
"status": "affected",
"version": "25a60b4533268477920faaeebd99e7e69c0735cd",
"versionType": "git"
},
{
"status": "affected",
"version": "cec4ef62b36b04e0bc8905732adab091f4bc1cfd",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext4/mballoc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.260",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.200",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.138",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.260",
"versionStartIncluding": "5.4.244",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.200",
"versionStartIncluding": "5.10.181",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.138",
"versionStartIncluding": "5.15.113",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.61",
"versionStartIncluding": "6.1.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.5",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.316",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.284",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.3.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix BUG in ext4_mb_new_inode_pa() due to overflow\n\nWhen we calculate the end position of ext4_free_extent, this position may\nbe exactly where ext4_lblk_t (i.e. uint) overflows. For example, if\nac_g_ex.fe_logical is 4294965248 and ac_orig_goal_len is 2048, then the\ncomputed end is 0x100000000, which is 0. If ac-\u003eac_o_ex.fe_logical is not\nthe first case of adjusting the best extent, that is, new_bex_end \u003e 0, the\nfollowing BUG_ON will be triggered:\n\n=========================================================\nkernel BUG at fs/ext4/mballoc.c:5116!\ninvalid opcode: 0000 [#1] PREEMPT SMP PTI\nCPU: 3 PID: 673 Comm: xfs_io Tainted: G E 6.5.0-rc1+ #279\nRIP: 0010:ext4_mb_new_inode_pa+0xc5/0x430\nCall Trace:\n \u003cTASK\u003e\n ext4_mb_use_best_found+0x203/0x2f0\n ext4_mb_try_best_found+0x163/0x240\n ext4_mb_regular_allocator+0x158/0x1550\n ext4_mb_new_blocks+0x86a/0xe10\n ext4_ext_map_blocks+0xb0c/0x13a0\n ext4_map_blocks+0x2cd/0x8f0\n ext4_iomap_begin+0x27b/0x400\n iomap_iter+0x222/0x3d0\n __iomap_dio_rw+0x243/0xcb0\n iomap_dio_rw+0x16/0x80\n=========================================================\n\nA simple reproducer demonstrating the problem:\n\n\tmkfs.ext4 -F /dev/sda -b 4096 100M\n\tmount /dev/sda /tmp/test\n\tfallocate -l1M /tmp/test/tmp\n\tfallocate -l10M /tmp/test/file\n\tfallocate -i -o 1M -l16777203M /tmp/test/file\n\tfsstress -d /tmp/test -l 0 -n 100000 -p 8 \u0026\n\tsleep 10 \u0026\u0026 killall -9 fsstress\n\trm -f /tmp/test/tmp\n\txfs_io -c \"open -ad /tmp/test/file\" -c \"pwrite -S 0xff 0 8192\"\n\nWe simply refactor the logic for adjusting the best extent by adding\na temporary ext4_free_extent ex and use extent_logical_end() to avoid\noverflow, which also simplifies the code."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T12:23:13.504Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/83ecffd40c65844a73c2e93d7c841455786605ac"
},
{
"url": "https://git.kernel.org/stable/c/58fe961c606c446f5612f6897827b1cac42c2e89"
},
{
"url": "https://git.kernel.org/stable/c/f2c3a3aa6f11ad9878dbc3a067b0633e07b586c1"
},
{
"url": "https://git.kernel.org/stable/c/fcefddf3a151b2c416b20120c06bb1ba9ad676fb"
},
{
"url": "https://git.kernel.org/stable/c/b7e9ec38b6a0beb5a49cd1e76be0a9a07c218e90"
},
{
"url": "https://git.kernel.org/stable/c/bc056e7163ac7db945366de219745cf94f32a3e6"
}
],
"title": "ext4: fix BUG in ext4_mb_new_inode_pa() due to overflow",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54069",
"datePublished": "2025-12-24T12:23:13.504Z",
"dateReserved": "2025-12-24T12:21:05.093Z",
"dateUpdated": "2025-12-24T12:23:13.504Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2023-54069\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-12-24T13:16:08.747\",\"lastModified\":\"2025-12-24T13:16:08.747\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\next4: fix BUG in ext4_mb_new_inode_pa() due to overflow\\n\\nWhen we calculate the end position of ext4_free_extent, this position may\\nbe exactly where ext4_lblk_t (i.e. uint) overflows. For example, if\\nac_g_ex.fe_logical is 4294965248 and ac_orig_goal_len is 2048, then the\\ncomputed end is 0x100000000, which is 0. If ac-\u003eac_o_ex.fe_logical is not\\nthe first case of adjusting the best extent, that is, new_bex_end \u003e 0, the\\nfollowing BUG_ON will be triggered:\\n\\n=========================================================\\nkernel BUG at fs/ext4/mballoc.c:5116!\\ninvalid opcode: 0000 [#1] PREEMPT SMP PTI\\nCPU: 3 PID: 673 Comm: xfs_io Tainted: G E 6.5.0-rc1+ #279\\nRIP: 0010:ext4_mb_new_inode_pa+0xc5/0x430\\nCall Trace:\\n \u003cTASK\u003e\\n ext4_mb_use_best_found+0x203/0x2f0\\n ext4_mb_try_best_found+0x163/0x240\\n ext4_mb_regular_allocator+0x158/0x1550\\n ext4_mb_new_blocks+0x86a/0xe10\\n ext4_ext_map_blocks+0xb0c/0x13a0\\n ext4_map_blocks+0x2cd/0x8f0\\n ext4_iomap_begin+0x27b/0x400\\n iomap_iter+0x222/0x3d0\\n __iomap_dio_rw+0x243/0xcb0\\n iomap_dio_rw+0x16/0x80\\n=========================================================\\n\\nA simple reproducer demonstrating the problem:\\n\\n\\tmkfs.ext4 -F /dev/sda -b 4096 100M\\n\\tmount /dev/sda /tmp/test\\n\\tfallocate -l1M /tmp/test/tmp\\n\\tfallocate -l10M /tmp/test/file\\n\\tfallocate -i -o 1M -l16777203M /tmp/test/file\\n\\tfsstress -d /tmp/test -l 0 -n 100000 -p 8 \u0026\\n\\tsleep 10 \u0026\u0026 killall -9 fsstress\\n\\trm -f /tmp/test/tmp\\n\\txfs_io -c \\\"open -ad /tmp/test/file\\\" -c \\\"pwrite -S 0xff 0 8192\\\"\\n\\nWe simply refactor the logic for adjusting the best extent by adding\\na temporary ext4_free_extent ex and use extent_logical_end() to avoid\\noverflow, which also simplifies the code.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/58fe961c606c446f5612f6897827b1cac42c2e89\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/83ecffd40c65844a73c2e93d7c841455786605ac\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/b7e9ec38b6a0beb5a49cd1e76be0a9a07c218e90\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/bc056e7163ac7db945366de219745cf94f32a3e6\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/f2c3a3aa6f11ad9878dbc3a067b0633e07b586c1\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/fcefddf3a151b2c416b20120c06bb1ba9ad676fb\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…