DEBIAN-CVE-2023-53692

Source
https://security-tracker.debian.org/tracker/CVE-2023-53692
Import Source
https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2023-53692.json
JSON Data
https://api.osv.dev/v1/vulns/DEBIAN-CVE-2023-53692
Upstream
Published
2025-10-22T14:15:43.670Z
Modified
2025-11-20T10:17:38.646147Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

ext4: fix use-after-free read in ext4_find_extent for bigalloc + inline

Syzbot found the following issue:

loop0: detected capacity change from 0 to 2048
EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 without journal. Quota mode: none.
==================================================================
BUG: KASAN: use-after-free in ext4_ext_binsearch_idx fs/ext4/extents.c:768 [inline]
BUG: KASAN: use-after-free in ext4_find_extent+0x76e/0xd90 fs/ext4/extents.c:931
Read of size 4 at addr ffff888073644750 by task syz-executor420/5067

CPU: 0 PID: 5067 Comm: syz-executor420 Not tainted 6.2.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1b1/0x290 lib/dump_stack.c:106
 print_address_description+0x74/0x340 mm/kasan/report.c:306
 print_report+0x107/0x1f0 mm/kasan/report.c:417
 kasan_report+0xcd/0x100 mm/kasan/report.c:517
 ext4_ext_binsearch_idx fs/ext4/extents.c:768 [inline]
 ext4_find_extent+0x76e/0xd90 fs/ext4/extents.c:931
 ext4_clu_mapped+0x117/0x970 fs/ext4/extents.c:5809
 ext4_insert_delayed_block fs/ext4/inode.c:1696 [inline]
 ext4_da_map_blocks fs/ext4/inode.c:1806 [inline]
 ext4_da_get_block_prep+0x9e8/0x13c0 fs/ext4/inode.c:1870
 ext4_block_write_begin+0x6a8/0x2290 fs/ext4/inode.c:1098
 ext4_da_write_begin+0x539/0x760 fs/ext4/inode.c:3082
 generic_perform_write+0x2e4/0x5e0 mm/filemap.c:3772
 ext4_buffered_write_iter+0x122/0x3a0 fs/ext4/file.c:285
 ext4_file_write_iter+0x1d0/0x18f0
 call_write_iter include/linux/fs.h:2186 [inline]
 new_sync_write fs/read_write.c:491 [inline]
 vfs_write+0x7dc/0xc50 fs/read_write.c:584
 ksys_write+0x177/0x2a0 fs/read_write.c:637
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f4b7a9737b9
RSP: 002b:00007ffc5cac3668 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f4b7a9737b9
RDX: 00000000175d9003 RSI: 0000000020000200 RDI: 0000000000000004
RBP: 00007f4b7a933050 R08: 0000000000000000 R09: 0000000000000000
R10: 000000000000079f R11: 0000000000000246 R12: 00007f4b7a9330e0
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
 </TASK>

The above issue happens when the bigalloc and inline data features are enabled. Commit 131294c35ed6 fixed a delayed allocation bug in ext4_clu_mapped for bigalloc + inline, but it only resolved the issue when there is inline data. If the inline data has been converted to an extent (ext4_da_convert_inline_data_to_extent) before writepages, there is no EXT4_STATE_MAY_INLINE_DATA flag. However, i_data still stores inline data in this scenario, which then triggers a UAF when finding the extent. To resolve the above issue, a check of "ext4_has_inline_data(inode)" needs to be added in ext4_clu_mapped().

References

Affected packages

Debian:11 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.10.191-1

Affected versions

5.*

5.10.46-4
5.10.46-5
5.10.70-1~bpo10+1
5.10.70-1
5.10.84-1
5.10.92-1~bpo10+1
5.10.92-1
5.10.92-2
5.10.103-1~bpo10+1
5.10.103-1
5.10.106-1
5.10.113-1
5.10.120-1~bpo10+1
5.10.120-1
5.10.127-1
5.10.127-2~bpo10+1
5.10.127-2
5.10.136-1
5.10.140-1
5.10.148-1
5.10.149-1
5.10.149-2
5.10.158-1
5.10.158-2
5.10.162-1
5.10.178-1
5.10.178-2
5.10.178-3
5.10.179-1
5.10.179-2
5.10.179-3
5.10.179-4
5.10.179-5

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
6.1.37-1

Affected versions

6.*

6.1.27-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
6.3.7-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:14 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
6.3.7-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}