Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2023-53846— f2fs: fix to do sanity check on direct node in truncate_dnode()

EPSS 0.02% · P6
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2023-53846

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
f2fs: fix to do sanity check on direct node in truncate_dnode()
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to do sanity check on direct node in truncate_dnode() syzbot reports below bug: BUG: KASAN: slab-use-after-free in f2fs_truncate_data_blocks_range+0x122a/0x14c0 fs/f2fs/file.c:574 Read of size 4 at addr ffff88802a25c000 by task syz-executor148/5000 CPU: 1 PID: 5000 Comm: syz-executor148 Not tainted 6.4.0-rc7-syzkaller-00041-ge660abd551f1 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106 print_address_description.constprop.0+0x2c/0x3c0 mm/kasan/report.c:351 print_report mm/kasan/report.c:462 [inline] kasan_report+0x11c/0x130 mm/kasan/report.c:572 f2fs_truncate_data_blocks_range+0x122a/0x14c0 fs/f2fs/file.c:574 truncate_dnode+0x229/0x2e0 fs/f2fs/node.c:944 f2fs_truncate_inode_blocks+0x64b/0xde0 fs/f2fs/node.c:1154 f2fs_do_truncate_blocks+0x4ac/0xf30 fs/f2fs/file.c:721 f2fs_truncate_blocks+0x7b/0x300 fs/f2fs/file.c:749 f2fs_truncate.part.0+0x4a5/0x630 fs/f2fs/file.c:799 f2fs_truncate include/linux/fs.h:825 [inline] f2fs_setattr+0x1738/0x2090 fs/f2fs/file.c:1006 notify_change+0xb2c/0x1180 fs/attr.c:483 do_truncate+0x143/0x200 fs/open.c:66 handle_truncate fs/namei.c:3295 [inline] do_open fs/namei.c:3640 [inline] path_openat+0x2083/0x2750 fs/namei.c:3791 do_filp_open+0x1ba/0x410 fs/namei.c:3818 do_sys_openat2+0x16d/0x4c0 fs/open.c:1356 do_sys_open fs/open.c:1372 [inline] __do_sys_creat fs/open.c:1448 [inline] __se_sys_creat fs/open.c:1442 [inline] __x64_sys_creat+0xcd/0x120 fs/open.c:1442 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd The root cause is, inodeA references inodeB via inodeB's ino, once inodeA is truncated, it calls truncate_dnode() to truncate data blocks in inodeB's node page, it traverse mapping data from node->i.i_addr[0] to node->i.i_addr[ADDRS_PER_BLOCK() - 1], result in out-of-boundary access. This patch fixes to add sanity check on dnode page in truncate_dnode(), so that, it can help to avoid triggering such issue, and once it encounters such issue, it will record newly introduced ERROR_INVALID_NODE_REFERENCE error into superblock, later fsck can detect such issue and try repairing. Also, it removes f2fs_truncate_data_blocks() for cleanup due to the function has only one caller, and uses f2fs_truncate_data_blocks_range() instead.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于f2fs在truncate_dnode中未对直接节点进行完整性检查,可能导致内存损坏。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
LinuxLinux 98e4da8ca301e062d79ae168c67e56f3c3de3ce4 ~ af0f716ad3b039cab9d426da63a5ee6c88751185 -
LinuxLinux 3.8 -

II. Public POCs for CVE-2023-53846

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2023-53846

登录查看更多情报信息。

Same Patch Batch · Linux · 2025-12-09 · 152 CVEs total

CVE-2023-53826ubi: Fix UAF wear-leveling entry in eraseblk_count_seq_show()
CVE-2023-53845nilfs2: fix infinite loop in nilfs_mdt_get_block()
CVE-2023-53844drm/ttm: Don't leak a resource on swapout move error
CVE-2023-53843net: openvswitch: reject negative ifindex
CVE-2023-53842ASoC: codecs: wcd-mbhc-v2: fix resource leaks on component remove
CVE-2023-53841devlink: report devlink_port_type_warn source device
CVE-2023-53840usb: early: xhci-dbc: Fix a potential out-of-bound memory access
CVE-2023-53839dccp: fix data-race around dp->dccps_mss_cache
CVE-2023-53838f2fs: synchronize atomic write aborts
CVE-2023-53837drm/msm: fix NULL-deref on snapshot tear down
CVE-2023-53836bpf, sockmap: Fix skb refcnt race after locking changes
CVE-2023-53834iio: adc: ina2xx: avoid NULL pointer dereference on OF device match
CVE-2023-53833drm/i915: Fix NULL ptr deref by checking new_crtc_state
CVE-2023-53832md/raid10: fix null-ptr-deref in raid10_sync_request
CVE-2023-53831net: read sk->sk_family once in sk_mc_loop()
CVE-2023-53830platform/x86: think-lmi: Fix memory leak when showing current settings
CVE-2023-53829f2fs: flush inode if atomic file is aborted
CVE-2023-53828Bluetooth: hci_sync: Avoid use-after-free in dbg for hci_add_adv_monitor()
CVE-2023-53827Bluetooth: L2CAP: Fix use-after-free in l2cap_disconnect_{req,rsp}
CVE-2022-50674riscv: vdso: fix NULL deference in vdso_join_timens() when vfork

Showing top 20 of 152 CVEs. View all on vendor page &rarr; →

IV. Related Vulnerabilities

Same product: Linux
Same vendor: Linux

V. Comments for CVE-2023-53846

No comments yet

Leave a comment