CVE-2023-53763

In the Linux kernel, the following vulnerability has been resolved:

Revert "f2fs: fix to do sanity check on extent cache correctly"

syzbot reports a f2fs bug as below:

UBSAN: array-index-out-of-bounds in fs/f2fs/f2fs.h:3275:19 index 1409 is out of range for type '__le32[923]' (aka 'unsigned int[923]') Call Trace: __dumpstack lib/dumpstack.c:88 [inline] dumpstacklvl+0x1e7/0x2d0 lib/dumpstack.c:106 ubsanepilogue lib/ubsan.c:217 [inline] __ubsanhandleoutofbounds+0x11c/0x150 lib/ubsan.c:348 inlinedataaddr fs/f2fs/f2fs.h:3275 [inline] __recoverinlinestatus fs/f2fs/inode.c:113 [inline] doreadinode fs/f2fs/inode.c:480 [inline] f2fsiget+0x4730/0x48b0 fs/f2fs/inode.c:604 f2fsfillsuper+0x640e/0x80c0 fs/f2fs/super.c:4601 mountbdev+0x276/0x3b0 fs/super.c:1391 legacygettree+0xef/0x190 fs/fscontext.c:611 vfsgettree+0x8c/0x270 fs/super.c:1519 donewmount+0x28f/0xae0 fs/namespace.c:3335 domount fs/namespace.c:3675 [inline] __dosysmount fs/namespace.c:3884 [inline] __sesysmount+0x2d9/0x3c0 fs/namespace.c:3861 dosyscallx64 arch/x86/entry/common.c:50 [inline] dosyscall64+0x41/0xc0 arch/x86/entry/common.c:80 entrySYSCALL64afterhwframe+0x63/0xcd

The issue was bisected to:

commit d48a7b3a72f121655d95b5157c32c7d555e44c05 Author: Chao Yu chao@kernel.org Date: Mon Jan 9 03:49:20 2023 +0000

f2fs: fix to do sanity check on extent cache correctly

The root cause is we applied both v1 and v2 of the patch, v2 is the right fix, so it needs to revert v1 in order to fix reported issue.

v1: commit d48a7b3a72f1 ("f2fs: fix to do sanity check on extent cache correctly") https://lore.kernel.org/lkml/20230109034920.492914-1-chao@kernel.org/

v2: commit 269d11948100 ("f2fs: fix to do sanity check on extent cache correctly") https://lore.kernel.org/lkml/20230207134808.1827869-1-chao@kernel.org/