CVE-2023-53513

In the Linux kernel, the following vulnerability has been resolved:

nbd: fix incomplete validation of ioctl arg

We tested and found an alarm caused by nbd_ioctl arg without verification. The UBSAN warning calltrace like below:

UBSAN: Undefined behaviour in fs/buffer.c:1709:35 signed integer overflow: -9223372036854775808 - 1 cannot be represented in type 'long long int' CPU: 3 PID: 2523 Comm: syz-executor.0 Not tainted 4.19.90 #1 Hardware name: linux,dummy-virt (DT) Call trace: dumpbacktrace+0x0/0x3f0 arch/arm64/kernel/time.c:78 showstack+0x28/0x38 arch/arm64/kernel/traps.c:158 __dumpstack lib/dumpstack.c:77 [inline] dumpstack+0x170/0x1dc lib/dumpstack.c:118 ubsanepilogue+0x18/0xb4 lib/ubsan.c:161 handleoverflow+0x188/0x1dc lib/ubsan.c:192 __ubsanhandlesub_overflow+0x34/0x44 lib/ubsan.c:206 __blockwritefullpage+0x94c/0xa20 fs/buffer.c:1709 blockwritefullpage+0x1f0/0x280 fs/buffer.c:2934 blkdevwritepage+0x34/0x40 fs/blockdev.c:607 __writepage+0x68/0xe8 mm/page-writeback.c:2305 writecachepages+0x44c/0xc70 mm/page-writeback.c:2240 genericwritepages+0xdc/0x148 mm/page-writeback.c:2329 blkdevwritepages+0x2c/0x38 fs/blockdev.c:2114 dowritepages+0xd4/0x250 mm/page-writeback.c:2344

The reason for triggering this warning is __blockwritefullpage() -> isizeread(inode) - 1 overflow. inode->isize is assigned in _nbdioctl() -> nbdsetsize() -> bytesize. We think it is necessary to limit the size of arg to prevent errors.

Moreover, _nbdioctl() -> nbdaddsocket(), arg will be cast to int. Assuming the value of arg is 0x80000000000000001) (on a 64-bit machine), it will become 1 after the coercion, which will return unexpected results.

Fix it by adding checks to prevent passing in too large numbers.