CVE-2023-53323

In the Linux kernel, the following vulnerability has been resolved:

ext2/dax: Fix ext2_setsize when len is page aligned

PAGEALIGN(x) macro gives the next highest value which is multiple of pagesize. But if x is already page aligned then it simply returns x. So, if x passed is 0 in daxzerorange() function, that means the length gets passed as 0 to ->iomapbegin().

In ext2 it then calls ext2getblocks -> maxblocks as 0 and hits bugon here in ext2getblocks(). BUG_ON(maxblocks == 0);

Instead we should be calling daxtruncatepage() here which takes care of it. i.e. it only calls daxzerorange if the offset is not page/block aligned.

This can be easily triggered with following on fsdax mounted pmem device.

dd if=/dev/zero of=file count=1 bs=512 truncate -s 0 file

[79.525838] EXT2-fs (pmem0): DAX enabled. Warning: EXPERIMENTAL, use at your own risk [79.529376] ext2 filesystem being mounted at /mnt1/test supports timestamps until 2038 (0x7fffffff) [93.793207] ------------[ cut here ]------------ [93.795102] kernel BUG at fs/ext2/inode.c:637! [93.796904] invalid opcode: 0000 [#1] PREEMPT SMP PTI [93.798659] CPU: 0 PID: 1192 Comm: truncate Not tainted 6.3.0-rc2-xfstests-00056-g131086faa369 #139 [93.806459] RIP: 0010:ext2getblocks.constprop.0+0x524/0x610 <...> [93.835298] Call Trace: [93.836253] <TASK> [93.837103] ? lockacquire+0xf8/0x110 [93.838479] ? dlookup+0x69/0xd0 [93.839779] ext2iomapbegin+0xa7/0x1c0 [93.841154] iomapiter+0xc7/0x150 [93.842425] daxzerorange+0x6e/0xa0 [93.843813] ext2setsize+0x176/0x1b0 [93.845164] ext2setattr+0x151/0x200 [93.846467] notifychange+0x341/0x4e0 [93.847805] ? lockacquire+0xf8/0x110 [93.849143] ? dotruncate+0x74/0xe0 [93.850452] ? dotruncate+0x84/0xe0 [93.851739] dotruncate+0x84/0xe0 [93.852974] dosysftruncate+0x2b4/0x2f0 [93.854404] dosyscall64+0x3f/0x90 [93.855789] entrySYSCALL64afterhwframe+0x72/0xdc