GHSA-Q9QX-6P6C-FW88

Vulnerability from github – Published: 2025-12-09 03:31 – Updated: 2025-12-09 03:31
VLAI?
Details

In the Linux kernel, the following vulnerability has been resolved:

ext4: fix rbtree traversal bug in ext4_mb_use_preallocated

During allocations, while looking for preallocations(PA) in the per inode rbtree, we can't do a direct traversal of the tree because ext4_mb_discard_group_preallocation() can paralelly mark the pa deleted and that can cause direct traversal to skip some entries. This was leading to a BUG_ON() being hit [1] when we missed a PA that could satisfy our request and ultimately tried to create a new PA that would overlap with the missed one.

To makes sure we handle that case while still keeping the performance of the rbtree, we make use of the fact that the only pa that could possibly overlap the original goal start is the one that satisfies the below conditions:

  1. It must have it's logical start immediately to the left of (ie less than) original logical start.

  2. It must not be deleted

To find this pa we use the following traversal method:

  1. Descend into the rbtree normally to find the immediate neighboring PA. Here we keep descending irrespective of if the PA is deleted or if it overlaps with our request etc. The goal is to find an immediately adjacent PA.

  2. If the found PA is on right of original goal, use rb_prev() to find the left adjacent PA.

  3. Check if this PA is deleted and keep moving left with rb_prev() until a non deleted PA is found.

  4. This is the PA we are looking for. Now we can check if it can satisfy the original request and proceed accordingly.

This approach also takes care of having deleted PAs in the tree.

(While we are at it, also fix a possible overflow bug in calculating the end of a PA)

[1] https://lore.kernel.org/linux-ext4/CA+G9fYv2FRpLqBZf34ZinR8bU2_ZRAUOjKAD3+tKRFaEQHtt8Q@mail.gmail.com/

Show details on source website
To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2023-53813"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-09T01:16:53Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix rbtree traversal bug in ext4_mb_use_preallocated\n\nDuring allocations, while looking for preallocations(PA) in the per\ninode rbtree, we can\u0027t do a direct traversal of the tree because\next4_mb_discard_group_preallocation() can paralelly mark the pa deleted\nand that can cause direct traversal to skip some entries. This was\nleading to a BUG_ON() being hit [1] when we missed a PA that could satisfy\nour request and ultimately tried to create a new PA that would overlap\nwith the missed one.\n\nTo makes sure we handle that case while still keeping the performance of\nthe rbtree, we make use of the fact that the only pa that could possibly\noverlap the original goal start is the one that satisfies the below\nconditions:\n\n  1. It must have it\u0027s logical start immediately to the left of\n  (ie less than) original logical start.\n\n  2. It must not be deleted\n\nTo find this pa we use the following traversal method:\n\n1. Descend into the rbtree normally to find the immediate neighboring\nPA. Here we keep descending irrespective of if the PA is deleted or if\nit overlaps with our request etc. The goal is to find an immediately\nadjacent PA.\n\n2. If the found PA is on right of original goal, use rb_prev() to find\nthe left adjacent PA.\n\n3. Check if this PA is deleted and keep moving left with rb_prev() until\na non deleted PA is found.\n\n4. This is the PA we are looking for. Now we can check if it can satisfy\nthe original request and proceed accordingly.\n\nThis approach also takes care of having deleted PAs in the tree.\n\n(While we are at it, also fix a possible overflow bug in calculating the\nend of a PA)\n\n[1] https://lore.kernel.org/linux-ext4/CA+G9fYv2FRpLqBZf34ZinR8bU2_ZRAUOjKAD3+tKRFaEQHtt8Q@mail.gmail.com/",
  "id": "GHSA-q9qx-6p6c-fw88",
  "modified": "2025-12-09T03:31:11Z",
  "published": "2025-12-09T03:31:11Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53813"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/339fee69a1daa71d6f97e47a867e2c32419a2406"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9d3de7ee192a6a253f475197fe4d2e2af10a731f"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.