{"id":"CVE-2023-53692","summary":"ext4: fix use-after-free read in ext4_find_extent for bigalloc + inline","details":"In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix use-after-free read in ext4_find_extent for bigalloc + inline\n\nSyzbot found the following issue:\nloop0: detected capacity change from 0 to 2048\nEXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 without journal. Quota mode: none.\n==================================================================\nBUG: KASAN: use-after-free in ext4_ext_binsearch_idx fs/ext4/extents.c:768 [inline]\nBUG: KASAN: use-after-free in ext4_find_extent+0x76e/0xd90 fs/ext4/extents.c:931\nRead of size 4 at addr ffff888073644750 by task syz-executor420/5067\n\nCPU: 0 PID: 5067 Comm: syz-executor420 Not tainted 6.2.0-rc1-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x1b1/0x290 lib/dump_stack.c:106\n print_address_description+0x74/0x340 mm/kasan/report.c:306\n print_report+0x107/0x1f0 mm/kasan/report.c:417\n kasan_report+0xcd/0x100 mm/kasan/report.c:517\n ext4_ext_binsearch_idx fs/ext4/extents.c:768 [inline]\n ext4_find_extent+0x76e/0xd90 fs/ext4/extents.c:931\n ext4_clu_mapped+0x117/0x970 fs/ext4/extents.c:5809\n ext4_insert_delayed_block fs/ext4/inode.c:1696 [inline]\n ext4_da_map_blocks fs/ext4/inode.c:1806 [inline]\n ext4_da_get_block_prep+0x9e8/0x13c0 fs/ext4/inode.c:1870\n ext4_block_write_begin+0x6a8/0x2290 fs/ext4/inode.c:1098\n ext4_da_write_begin+0x539/0x760 fs/ext4/inode.c:3082\n generic_perform_write+0x2e4/0x5e0 mm/filemap.c:3772\n ext4_buffered_write_iter+0x122/0x3a0 fs/ext4/file.c:285\n ext4_file_write_iter+0x1d0/0x18f0\n call_write_iter include/linux/fs.h:2186 [inline]\n new_sync_write fs/read_write.c:491 [inline]\n vfs_write+0x7dc/0xc50 fs/read_write.c:584\n ksys_write+0x177/0x2a0 fs/read_write.c:637\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\nRIP: 0033:0x7f4b7a9737b9\nRSP: 002b:00007ffc5cac3668 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f4b7a9737b9\nRDX: 00000000175d9003 RSI: 0000000020000200 RDI: 0000000000000004\nRBP: 00007f4b7a933050 R08: 0000000000000000 R09: 0000000000000000\nR10: 000000000000079f R11: 0000000000000246 R12: 00007f4b7a9330e0\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n \u003c/TASK\u003e\n\nAbove issue is happens when enable bigalloc and inline data feature. As\ncommit 131294c35ed6 fixed delayed allocation bug in ext4_clu_mapped for\nbigalloc + inline. But it only resolved issue when has inline data, if\ninline data has been converted to extent(ext4_da_convert_inline_data_to_extent)\nbefore writepages, there is no EXT4_STATE_MAY_INLINE_DATA flag. However\ni_data is still store inline data in this scene. Then will trigger UAF\nwhen find extent.\nTo resolve above issue, there is need to add judge \"ext4_has_inline_data(inode)\"\nin ext4_clu_mapped().","modified":"2026-04-02T09:44:51.115324Z","published":"2025-10-22T13:23:34.702Z","related":["SUSE-SU-2025:4111-1","SUSE-SU-2025:4139-1","SUSE-SU-2025:4149-1","SUSE-SU-2025:4320-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/53xxx/CVE-2023-53692.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/0ce15000dee0ecd6f235f925a327803e2ef489c6"},{"type":"WEB","url":"https://git.kernel.org/stable/c/11c87c8df2cae1d6be83c07e59fef0792de73482"},{"type":"WEB","url":"https://git.kernel.org/stable/c/14da044725a3ab10affa3566d29c15737c0e67a4"},{"type":"WEB","url":"https://git.kernel.org/stable/c/40566def189c513be2c694681256d7486cc6e368"},{"type":"WEB","url":"https://git.kernel.org/stable/c/770b0613637f59f3091dda1ff0c23671a5326b9c"},{"type":"WEB","url":"https://git.kernel.org/stable/c/835659598c67907b98cd2aa57bb951dfaf675c69"},{"type":"WEB","url":"https://git.kernel.org/stable/c/96d440bee177669dc0acedca0abd73bae6a9be8b"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a34f6dcb78c654ab905642c1b4e7e5fbb4f0babe"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/53xxx/CVE-2023-53692.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-53692"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"1ed1eef0551bebee8e56973ccd0900e3578edfb7"},{"fixed":"0ce15000dee0ecd6f235f925a327803e2ef489c6"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"6f4200ec76a0d31200c308ec5a71c68df5417004"},{"fixed":"a34f6dcb78c654ab905642c1b4e7e5fbb4f0babe"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"9404839e0c9db5a517ea83c0ca3388b39d105fdf"},{"fixed":"770b0613637f59f3091dda1ff0c23671a5326b9c"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"d440d6427a5e3a877c1c259b8d2b216ddb65e185"},{"fixed":"40566def189c513be2c694681256d7486cc6e368"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"81b915181c630ee1cffa052e52874fe4e1ba91ac"},{"fixed":"96d440bee177669dc0acedca0abd73bae6a9be8b"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"131294c35ed6f777bd4e79d42af13b5c41bf2775"},{"fixed":"11c87c8df2cae1d6be83c07e59fef0792de73482"},{"fixed":"14da044725a3ab10affa3566d29c15737c0e67a4"},{"fixed":"835659598c67907b98cd2aa57bb951dfaf675c69"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"0"},{"last_affected":"c0c8edbc8abbe8f16d80a1d794d1ba2c12b6f193"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-53692.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.19.271"}]},{"type":"ECOSYSTEM","events":[{"introduced":"4.20.0"},{"fixed":"5.4.243"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.5.0"},{"fixed":"5.10.180"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.111"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.28"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.2.15"},{"fixed":"6.3.2"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-53692.json"}}],"schema_version":"1.7.5"}