CVE-2023-53317

In the Linux kernel, the following vulnerability has been resolved:

ext4: fix WARNING in mbfindextent

Syzbot found the following issue:

EXT4-fs: Warning: mounting with data=journal disables delayed allocation, dioreadnolock, ODIRECT and fastcommit support! EXT4-fs (loop0): orphan cleanup on readonly fs ------------[ cut here ]------------ WARNING: CPU: 1 PID: 5067 at fs/ext4/mballoc.c:1869 mbfindextent+0x8a1/0xe30 Modules linked in: CPU: 1 PID: 5067 Comm: syz-executor307 Not tainted 6.2.0-rc1-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 RIP: 0010:mbfindextent+0x8a1/0xe30 fs/ext4/mballoc.c:1869 RSP: 0018:ffffc90003c9e098 EFLAGS: 00010293 RAX: ffffffff82405731 RBX: 0000000000000041 RCX: ffff8880783457c0 RDX: 0000000000000000 RSI: 0000000000000041 RDI: 0000000000000040 RBP: 0000000000000040 R08: ffffffff82405723 R09: ffffed10053c9402 R10: ffffed10053c9402 R11: 1ffff110053c9401 R12: 0000000000000000 R13: ffffc90003c9e538 R14: dffffc0000000000 R15: ffffc90003c9e2cc FS: 0000555556665300(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000056312f6796f8 CR3: 0000000022437000 CR4: 00000000003506e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> ext4mbcomplexscangroup+0x353/0x1100 fs/ext4/mballoc.c:2307 ext4mbregularallocator+0x1533/0x3860 fs/ext4/mballoc.c:2735 ext4mbnewblocks+0xddf/0x3db0 fs/ext4/mballoc.c:5605 ext4extmapblocks+0x1868/0x6880 fs/ext4/extents.c:4286 ext4mapblocks+0xa49/0x1cc0 fs/ext4/inode.c:651 ext4getblk+0x1b9/0x770 fs/ext4/inode.c:864 ext4bread+0x2a/0x170 fs/ext4/inode.c:920 ext4quotawrite+0x225/0x570 fs/ext4/super.c:7105 writeblk fs/quota/quotatree.c:64 [inline] getfreedqblk+0x34a/0x6d0 fs/quota/quotatree.c:130 doinserttree+0x26b/0x1aa0 fs/quota/quotatree.c:340 doinserttree+0x722/0x1aa0 fs/quota/quotatree.c:375 doinserttree+0x722/0x1aa0 fs/quota/quotatree.c:375 doinserttree+0x722/0x1aa0 fs/quota/quotatree.c:375 dqinserttree fs/quota/quotatree.c:401 [inline] qtreewritedquot+0x3b6/0x530 fs/quota/quotatree.c:420 v2writedquot+0x11b/0x190 fs/quota/quotav2.c:358 dquotacquire+0x348/0x670 fs/quota/dquot.c:444 ext4acquiredquot+0x2dc/0x400 fs/ext4/super.c:6740 dqget+0x999/0xdc0 fs/quota/dquot.c:914 _dquotinitialize+0x3d0/0xcf0 fs/quota/dquot.c:1492 ext4processorphan+0x57/0x2d0 fs/ext4/orphan.c:329 ext4orphancleanup+0xb60/0x1340 fs/ext4/orphan.c:474 _ext4fillsuper fs/ext4/super.c:5516 [inline] ext4fillsuper+0x81cd/0x8700 fs/ext4/super.c:5644 gettreebdev+0x400/0x620 fs/super.c:1282 vfsgettree+0x88/0x270 fs/super.c:1489 donewmount+0x289/0xad0 fs/namespace.c:3145 domount fs/namespace.c:3488 [inline] _dosysmount fs/namespace.c:3697 [inline] _sesysmount+0x2d3/0x3c0 fs/namespace.c:3674 dosyscallx64 arch/x86/entry/common.c:50 [inline] dosyscall64+0x3d/0xb0 arch/x86/entry/common.c:80 entrySYSCALL64after_hwframe+0x63/0xcd

Add some debug information: mbfindextent: mbfindextent block=41, order=0 needed=64 next=0 ex=0/41/1@3735929054 64 64 7 block_bitmap: ff 3f 0c 00 fc 01 00 00 d2 3d 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff

Acctually, blocks per group is 64, but block bitmap indicate at least has 128 blocks. Now, ext4validateblock_bitmap() didn't check invalid block's bitmap if set. To resolve above issue, add check like fsck "Padding at end of block bitmap is not set".