fkie_cve-2023-53270
Vulnerability from fkie_nvd
Published
2025-09-16 08:15
Modified
2025-09-16 12:49
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: ext4: fix i_disksize exceeding i_size problem in paritally written case It is possible for i_disksize can exceed i_size, triggering a warning. generic_perform_write copied = iov_iter_copy_from_user_atomic(len) // copied < len ext4_da_write_end | ext4_update_i_disksize | new_i_size = pos + copied; | WRITE_ONCE(EXT4_I(inode)->i_disksize, newsize) // update i_disksize | generic_write_end | copied = block_write_end(copied, len) // copied = 0 | if (unlikely(copied < len)) | if (!PageUptodate(page)) | copied = 0; | if (pos + copied > inode->i_size) // return false if (unlikely(copied == 0)) goto again; if (unlikely(iov_iter_fault_in_readable(i, bytes))) { status = -EFAULT; break; } We get i_disksize greater than i_size here, which could trigger WARNING check 'i_size_read(inode) < EXT4_I(inode)->i_disksize' while doing dio: ext4_dio_write_iter iomap_dio_rw __iomap_dio_rw // return err, length is not aligned to 512 ext4_handle_inode_extension WARN_ON_ONCE(i_size_read(inode) < EXT4_I(inode)->i_disksize) // Oops WARNING: CPU: 2 PID: 2609 at fs/ext4/file.c:319 CPU: 2 PID: 2609 Comm: aa Not tainted 6.3.0-rc2 RIP: 0010:ext4_file_write_iter+0xbc7 Call Trace: vfs_write+0x3b1 ksys_write+0x77 do_syscall_64+0x39 Fix it by updating 'copied' value before updating i_disksize just like ext4_write_inline_data_end() does. A reproducer can be found in the buganizer link below.
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/18eb23891aeae3229baf8c7c23b76be3364e1967
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/1dedde690303c05ef732b7c5c8356fdf60a4ade3
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/3ecea2fee14227712694c8b54ad99d471e61de92
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/53877ed201baa6b58f7ce9df92664a839113c30e
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/d30090eb546d993ea3f3023452540c476ea614a5
Impacted products
Vendor Product Version


To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix i_disksize exceeding i_size problem in paritally written case\n\nIt is possible for i_disksize can exceed i_size, triggering a warning.\n\ngeneric_perform_write\n copied = iov_iter_copy_from_user_atomic(len) // copied \u003c len\n ext4_da_write_end\n | ext4_update_i_disksize\n |  new_i_size = pos + copied;\n |  WRITE_ONCE(EXT4_I(inode)-\u003ei_disksize, newsize) // update i_disksize\n | generic_write_end\n |  copied = block_write_end(copied, len) // copied = 0\n |   if (unlikely(copied \u003c len))\n |    if (!PageUptodate(page))\n |     copied = 0;\n |  if (pos + copied \u003e inode-\u003ei_size) // return false\n if (unlikely(copied == 0))\n  goto again;\n if (unlikely(iov_iter_fault_in_readable(i, bytes))) {\n  status = -EFAULT;\n  break;\n }\n\nWe get i_disksize greater than i_size here, which could trigger WARNING\ncheck \u0027i_size_read(inode) \u003c EXT4_I(inode)-\u003ei_disksize\u0027 while doing dio:\n\next4_dio_write_iter\n iomap_dio_rw\n  __iomap_dio_rw // return err, length is not aligned to 512\n ext4_handle_inode_extension\n  WARN_ON_ONCE(i_size_read(inode) \u003c EXT4_I(inode)-\u003ei_disksize) // Oops\n\n WARNING: CPU: 2 PID: 2609 at fs/ext4/file.c:319\n CPU: 2 PID: 2609 Comm: aa Not tainted 6.3.0-rc2\n RIP: 0010:ext4_file_write_iter+0xbc7\n Call Trace:\n  vfs_write+0x3b1\n  ksys_write+0x77\n  do_syscall_64+0x39\n\nFix it by updating \u0027copied\u0027 value before updating i_disksize just like\next4_write_inline_data_end() does.\n\nA reproducer can be found in the buganizer link below."
    }
  ],
  "id": "CVE-2023-53270",
  "lastModified": "2025-09-16T12:49:16.060",
  "metrics": {},
  "published": "2025-09-16T08:15:35.790",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/18eb23891aeae3229baf8c7c23b76be3364e1967"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/1dedde690303c05ef732b7c5c8356fdf60a4ade3"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/3ecea2fee14227712694c8b54ad99d471e61de92"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/53877ed201baa6b58f7ce9df92664a839113c30e"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/d30090eb546d993ea3f3023452540c476ea614a5"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.