CVE-2023-52786

Source
https://nvd.nist.gov/vuln/detail/CVE-2023-52786
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-52786.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2023-52786
Downstream
Related
Published
2024-05-21T15:31:03Z
Modified
2025-10-08T17:02:48.185775Z
Summary
ext4: fix racy may inline data check in dio write
Details

In the Linux kernel, the following vulnerability has been resolved:

ext4: fix racy may inline data check in dio write

syzbot reports that the following warning from ext4iomapbegin() triggers as of the commit referenced below:

    if (WARN_ON_ONCE(ext4_has_inline_data(inode)))
            return -ERANGE;

This occurs during a dio write, which is never expected to encounter an inode with inline data. To enforce this behavior, ext4diowriteiter() checks the current inline state of the inode and clears the MAYINLINE_DATA state flag to either fall back to buffered writes, or enforce that any other writers in progress on the inode are not allowed to create inline data.

The problem is that the check for existing inline data and the state flag can span a lock cycle. For example, if the ilock is originally locked shared and subsequently upgraded to exclusive, another writer may have reacquired the lock and created inline data before the dio write task acquires the lock and proceeds.

The commit referenced below loosens the lock requirements to allow some forms of unaligned dio writes to occur under shared lock, but AFAICT the inline data check was technically already racy for any dio write that would have involved a lock cycle. Regardless, lift clearing of the state bit to the same lock critical section that checks for preexisting inline data on the inode to close the race.

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
310ee0902b8d9d0a13a5a13e94688a5863fa29c2
Fixed
e3b83d87c93eb6fc96a80b5e8527f7dc9f5a11bc
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
310ee0902b8d9d0a13a5a13e94688a5863fa29c2
Fixed
7343c23ebcadbedc23a7063d1e24d976eccb0d0d
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
310ee0902b8d9d0a13a5a13e94688a5863fa29c2
Fixed
ce56d21355cd6f6937aca32f1f44ca749d1e4808

Affected versions

v6.*

v6.4
v6.4-rc6
v6.4-rc7
v6.5
v6.5-rc1
v6.5-rc2
v6.5-rc3
v6.5-rc4
v6.5-rc5
v6.5-rc6
v6.5-rc7
v6.5.1
v6.5.10
v6.5.11
v6.5.12
v6.5.2
v6.5.3
v6.5.4
v6.5.5
v6.5.6
v6.5.7
v6.5.8
v6.5.9
v6.6
v6.6-rc1
v6.6-rc2
v6.6-rc3
v6.6-rc4
v6.6-rc5
v6.6-rc6
v6.6-rc7
v6.6.1
v6.6.2

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.5.0
Fixed
6.5.13
Type
ECOSYSTEM
Events
Introduced
6.6.0
Fixed
6.6.3