CVE-2023-53143: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: ext4: fix another off-by-one fsmap error on 1k block filesystems Apparently syzbot figured out that issuing this FSMAP call: struct fsmap_head cmd = { .fmh_count = ...; .fmh_keys = { { .fmr_device = /* ext4 dev */, .fmr_physical = 0, }, { .fmr_device = /* ext4 dev */, .fmr_physical = 0, }, }, ... }; ret = ioctl(fd, FS_IOC_GETFSMAP, &cmd); Produces this crash if the underlying filesystem is a 1k-block ext4 filesystem: kernel BUG at fs/ext4/ext4.h:3331! invalid opcode: 0000 [#1] PREEMPT SMP CPU: 3 PID: 3227965 Comm: xfs_io Tainted: G W O 6.2.0-rc8-achx Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014 RIP: 0010:ext4_mb_load_buddy_gfp+0x47c/0x570 [ext4] RSP: 0018:ffffc90007c03998 EFLAGS: 00010246 RAX: ffff888004978000 RBX: ffffc90007c03a20 RCX: ffff888041618000 RDX: 0000000000000000 RSI: 00000000000005a4 RDI: ffffffffa0c99b11 RBP: ffff888012330000 R08: ffffffffa0c2b7d0 R09: 0000000000000400 R10: ffffc90007c03950 R11: 0000000000000000 R12: 0000000000000001 R13: 00000000ffffffff R14: 0000000000000c40 R15: ffff88802678c398 FS: 00007fdf2020c880(0000) GS:ffff88807e100000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ffd318a5fe8 CR3: 000000007f80f001 CR4: 00000000001706e0 Call Trace: <TASK> ext4_mballoc_query_range+0x4b/0x210 [ext4 dfa189daddffe8fecd3cdfd00564e0f265a8ab80] ext4_getfsmap_datadev+0x713/0x890 [ext4 dfa189daddffe8fecd3cdfd00564e0f265a8ab80] ext4_getfsmap+0x2b7/0x330 [ext4 dfa189daddffe8fecd3cdfd00564e0f265a8ab80] ext4_ioc_getfsmap+0x153/0x2b0 [ext4 dfa189daddffe8fecd3cdfd00564e0f265a8ab80] __ext4_ioctl+0x2a7/0x17e0 [ext4 dfa189daddffe8fecd3cdfd00564e0f265a8ab80] __x64_sys_ioctl+0x82/0xa0 do_syscall_64+0x2b/0x80 entry_SYSCALL_64_after_hwframe+0x46/0xb0 RIP: 0033:0x7fdf20558aff RSP: 002b:00007ffd318a9e30 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00000000000200c0 RCX: 00007fdf20558aff RDX: 00007fdf1feb2010 RSI: 00000000c0c0583b RDI: 0000000000000003 RBP: 00005625c0634be0 R08: 00005625c0634c40 R09: 0000000000000001 R10: 0000000000000000 R11: 0000000000000246 R12: 00007fdf1feb2010 R13: 00005625be70d994 R14: 0000000000000800 R15: 0000000000000000 For GETFSMAP calls, the caller selects a physical block device by writing its block number into fsmap_head.fmh_keys[01].fmr_device. To query mappings for a subrange of the device, the starting byte of the range is written to fsmap_head.fmh_keys[0].fmr_physical and the last byte of the range goes in fsmap_head.fmh_keys[1].fmr_physical. IOWs, to query what mappings overlap with bytes 3-14 of /dev/sda, you'd set the inputs as follows: fmh_keys[0] = { .fmr_device = major(8, 0), .fmr_physical = 3}, fmh_keys[1] = { .fmr_device = major(8, 0), .fmr_physical = 14}, Which would return you whatever is mapped in the 12 bytes starting at physical offset 3. The crash is due to insufficient range validation of keys[1] in ext4_getfsmap_datadev. On 1k-block filesystems, block 0 is not part of the filesystem, which means that s_first_data_block is nonzero. ext4_get_group_no_and_offset subtracts this quantity from the blocknr argument before cracking it into a group number and a block number within a group. IOWs, block group 0 spans blocks 1-8192 (1-based) instead of 0-8191 (0-based) like what happens with larger blocksizes. The net result of this encoding is that blocknr < s_first_data_block is not a valid input to this function. The end_fsb variable is set from the keys that are copied from userspace, which means that in the above example, its value is zero. That leads to an underflow here: blocknr = blocknr - le32_to_cpu(es->s_first_data_block); The division then operates on -1: offset = do_div(blocknr, EXT4_BLOCKS_PER_GROUP(sb)) >> EXT4_SB(sb)->s_cluster_bits; Leaving an impossibly large group number (2^32-1) in blocknr. ext4_getfsmap_check_keys checked that keys[0 ---truncated---
AI Analysis
Technical Summary
CVE-2023-53143 is a vulnerability in the Linux kernel's ext4 filesystem implementation, specifically affecting ext4 filesystems formatted with a 1k block size. The flaw arises from an off-by-one error in the handling of the FS_IOC_GETFSMAP ioctl call, which is used to query filesystem block mappings. The vulnerability is triggered when a specially crafted fsmap_head structure is passed to the ioctl, with particular values in the fmh_keys array that specify a physical block device and a byte range. On 1k-block ext4 filesystems, the first data block is nonzero (block 0 is not part of the filesystem), which causes the kernel code to incorrectly calculate block group numbers and offsets. This leads to an underflow and an invalid large block group number, ultimately causing a kernel crash (kernel BUG) due to invalid memory access or an invalid opcode. The crash occurs in the ext4_mb_load_buddy_gfp function during block allocation metadata operations. The root cause is insufficient validation of the range specified in the ioctl call, allowing an attacker to supply out-of-range values that the kernel mishandles. This vulnerability can be triggered by any local user or process with access to the affected filesystem device node, as it requires issuing the ioctl with crafted parameters. The impact is a denial of service (DoS) via kernel panic and system crash. While no known exploits are reported in the wild yet, the vulnerability is publicly disclosed and patched in recent kernel versions. The affected versions include multiple commits identified by the same hash, indicating a range of kernel versions prior to the fix. The technical details show that the flaw is subtle and related to ext4's internal block group calculations on 1k-block filesystems, which are less common than the default 4k block size but still in use in some environments.
Potential Impact
For European organizations, this vulnerability poses a risk primarily as a local denial-of-service vector. Systems running Linux kernels with ext4 filesystems formatted with 1k block sizes can be crashed by local users or processes issuing the malformed FS_IOC_GETFSMAP ioctl call. This can disrupt critical services, cause unexpected downtime, and potentially lead to data loss if the crash occurs during sensitive operations. Although exploitation requires local access, in multi-tenant environments, shared hosting, or containerized infrastructures, an attacker with limited privileges could leverage this flaw to impact system availability. Given the widespread use of Linux in European enterprises, government agencies, and cloud providers, the vulnerability could affect servers, workstations, and embedded devices. However, the impact is limited to denial of service rather than privilege escalation or remote code execution. The lack of known exploits reduces immediate risk, but the public disclosure means attackers could develop exploits. Organizations relying on legacy or specialized ext4 filesystems with 1k block sizes should be particularly vigilant. The vulnerability may also affect embedded Linux devices used in industrial control systems or telecommunications infrastructure in Europe, where availability is critical.
Mitigation Recommendations
1. Apply the official Linux kernel patches that fix CVE-2023-53143 as soon as possible. Monitor vendor advisories and update kernels to versions that include the fix. 2. Identify and inventory systems using ext4 filesystems with 1k block sizes, as these are the only affected configurations. Consider migrating these filesystems to the more common 4k block size if feasible. 3. Restrict access to device nodes representing ext4 filesystems to trusted users only, minimizing the risk of unprivileged local users triggering the vulnerability. 4. Implement monitoring for kernel crashes and unusual ioctl calls related to FS_IOC_GETFSMAP to detect potential exploitation attempts. 5. In multi-tenant or containerized environments, enforce strict isolation and privilege separation to prevent compromised containers or users from accessing vulnerable ioctl interfaces. 6. For embedded or specialized devices, coordinate with hardware and software vendors to obtain patched firmware or kernel updates. 7. Regularly audit and harden local user permissions and system access controls to reduce the attack surface for local vulnerabilities.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland, Belgium
CVE-2023-53143: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: ext4: fix another off-by-one fsmap error on 1k block filesystems Apparently syzbot figured out that issuing this FSMAP call: struct fsmap_head cmd = { .fmh_count = ...; .fmh_keys = { { .fmr_device = /* ext4 dev */, .fmr_physical = 0, }, { .fmr_device = /* ext4 dev */, .fmr_physical = 0, }, }, ... }; ret = ioctl(fd, FS_IOC_GETFSMAP, &cmd); Produces this crash if the underlying filesystem is a 1k-block ext4 filesystem: kernel BUG at fs/ext4/ext4.h:3331! invalid opcode: 0000 [#1] PREEMPT SMP CPU: 3 PID: 3227965 Comm: xfs_io Tainted: G W O 6.2.0-rc8-achx Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014 RIP: 0010:ext4_mb_load_buddy_gfp+0x47c/0x570 [ext4] RSP: 0018:ffffc90007c03998 EFLAGS: 00010246 RAX: ffff888004978000 RBX: ffffc90007c03a20 RCX: ffff888041618000 RDX: 0000000000000000 RSI: 00000000000005a4 RDI: ffffffffa0c99b11 RBP: ffff888012330000 R08: ffffffffa0c2b7d0 R09: 0000000000000400 R10: ffffc90007c03950 R11: 0000000000000000 R12: 0000000000000001 R13: 00000000ffffffff R14: 0000000000000c40 R15: ffff88802678c398 FS: 00007fdf2020c880(0000) GS:ffff88807e100000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ffd318a5fe8 CR3: 000000007f80f001 CR4: 00000000001706e0 Call Trace: <TASK> ext4_mballoc_query_range+0x4b/0x210 [ext4 dfa189daddffe8fecd3cdfd00564e0f265a8ab80] ext4_getfsmap_datadev+0x713/0x890 [ext4 dfa189daddffe8fecd3cdfd00564e0f265a8ab80] ext4_getfsmap+0x2b7/0x330 [ext4 dfa189daddffe8fecd3cdfd00564e0f265a8ab80] ext4_ioc_getfsmap+0x153/0x2b0 [ext4 dfa189daddffe8fecd3cdfd00564e0f265a8ab80] __ext4_ioctl+0x2a7/0x17e0 [ext4 dfa189daddffe8fecd3cdfd00564e0f265a8ab80] __x64_sys_ioctl+0x82/0xa0 do_syscall_64+0x2b/0x80 entry_SYSCALL_64_after_hwframe+0x46/0xb0 RIP: 0033:0x7fdf20558aff RSP: 002b:00007ffd318a9e30 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00000000000200c0 RCX: 00007fdf20558aff RDX: 00007fdf1feb2010 RSI: 00000000c0c0583b RDI: 0000000000000003 RBP: 00005625c0634be0 R08: 00005625c0634c40 R09: 0000000000000001 R10: 0000000000000000 R11: 0000000000000246 R12: 00007fdf1feb2010 R13: 00005625be70d994 R14: 0000000000000800 R15: 0000000000000000 For GETFSMAP calls, the caller selects a physical block device by writing its block number into fsmap_head.fmh_keys[01].fmr_device. To query mappings for a subrange of the device, the starting byte of the range is written to fsmap_head.fmh_keys[0].fmr_physical and the last byte of the range goes in fsmap_head.fmh_keys[1].fmr_physical. IOWs, to query what mappings overlap with bytes 3-14 of /dev/sda, you'd set the inputs as follows: fmh_keys[0] = { .fmr_device = major(8, 0), .fmr_physical = 3}, fmh_keys[1] = { .fmr_device = major(8, 0), .fmr_physical = 14}, Which would return you whatever is mapped in the 12 bytes starting at physical offset 3. The crash is due to insufficient range validation of keys[1] in ext4_getfsmap_datadev. On 1k-block filesystems, block 0 is not part of the filesystem, which means that s_first_data_block is nonzero. ext4_get_group_no_and_offset subtracts this quantity from the blocknr argument before cracking it into a group number and a block number within a group. IOWs, block group 0 spans blocks 1-8192 (1-based) instead of 0-8191 (0-based) like what happens with larger blocksizes. The net result of this encoding is that blocknr < s_first_data_block is not a valid input to this function. The end_fsb variable is set from the keys that are copied from userspace, which means that in the above example, its value is zero. That leads to an underflow here: blocknr = blocknr - le32_to_cpu(es->s_first_data_block); The division then operates on -1: offset = do_div(blocknr, EXT4_BLOCKS_PER_GROUP(sb)) >> EXT4_SB(sb)->s_cluster_bits; Leaving an impossibly large group number (2^32-1) in blocknr. ext4_getfsmap_check_keys checked that keys[0 ---truncated---
AI-Powered Analysis
Technical Analysis
CVE-2023-53143 is a vulnerability in the Linux kernel's ext4 filesystem implementation, specifically affecting ext4 filesystems formatted with a 1k block size. The flaw arises from an off-by-one error in the handling of the FS_IOC_GETFSMAP ioctl call, which is used to query filesystem block mappings. The vulnerability is triggered when a specially crafted fsmap_head structure is passed to the ioctl, with particular values in the fmh_keys array that specify a physical block device and a byte range. On 1k-block ext4 filesystems, the first data block is nonzero (block 0 is not part of the filesystem), which causes the kernel code to incorrectly calculate block group numbers and offsets. This leads to an underflow and an invalid large block group number, ultimately causing a kernel crash (kernel BUG) due to invalid memory access or an invalid opcode. The crash occurs in the ext4_mb_load_buddy_gfp function during block allocation metadata operations. The root cause is insufficient validation of the range specified in the ioctl call, allowing an attacker to supply out-of-range values that the kernel mishandles. This vulnerability can be triggered by any local user or process with access to the affected filesystem device node, as it requires issuing the ioctl with crafted parameters. The impact is a denial of service (DoS) via kernel panic and system crash. While no known exploits are reported in the wild yet, the vulnerability is publicly disclosed and patched in recent kernel versions. The affected versions include multiple commits identified by the same hash, indicating a range of kernel versions prior to the fix. The technical details show that the flaw is subtle and related to ext4's internal block group calculations on 1k-block filesystems, which are less common than the default 4k block size but still in use in some environments.
Potential Impact
For European organizations, this vulnerability poses a risk primarily as a local denial-of-service vector. Systems running Linux kernels with ext4 filesystems formatted with 1k block sizes can be crashed by local users or processes issuing the malformed FS_IOC_GETFSMAP ioctl call. This can disrupt critical services, cause unexpected downtime, and potentially lead to data loss if the crash occurs during sensitive operations. Although exploitation requires local access, in multi-tenant environments, shared hosting, or containerized infrastructures, an attacker with limited privileges could leverage this flaw to impact system availability. Given the widespread use of Linux in European enterprises, government agencies, and cloud providers, the vulnerability could affect servers, workstations, and embedded devices. However, the impact is limited to denial of service rather than privilege escalation or remote code execution. The lack of known exploits reduces immediate risk, but the public disclosure means attackers could develop exploits. Organizations relying on legacy or specialized ext4 filesystems with 1k block sizes should be particularly vigilant. The vulnerability may also affect embedded Linux devices used in industrial control systems or telecommunications infrastructure in Europe, where availability is critical.
Mitigation Recommendations
1. Apply the official Linux kernel patches that fix CVE-2023-53143 as soon as possible. Monitor vendor advisories and update kernels to versions that include the fix. 2. Identify and inventory systems using ext4 filesystems with 1k block sizes, as these are the only affected configurations. Consider migrating these filesystems to the more common 4k block size if feasible. 3. Restrict access to device nodes representing ext4 filesystems to trusted users only, minimizing the risk of unprivileged local users triggering the vulnerability. 4. Implement monitoring for kernel crashes and unusual ioctl calls related to FS_IOC_GETFSMAP to detect potential exploitation attempts. 5. In multi-tenant or containerized environments, enforce strict isolation and privilege separation to prevent compromised containers or users from accessing vulnerable ioctl interfaces. 6. For embedded or specialized devices, coordinate with hardware and software vendors to obtain patched firmware or kernel updates. 7. Regularly audit and harden local user permissions and system access controls to reduce the attack surface for local vulnerabilities.
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2025-05-02T15:51:43.564Z
- Cisa Enriched
- false
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d9830c4522896dcbe7116
Added to database: 5/21/2025, 9:09:04 AM
Last enriched: 7/1/2025, 4:57:18 AM
Last updated: 8/13/2025, 6:04:03 AM
Views: 18
Related Threats
CVE-2025-50610: n/a
HighCVE-2025-50609: n/a
HighCVE-2025-50608: n/a
HighCVE-2025-55194: CWE-248: Uncaught Exception in Part-DB Part-DB-server
MediumCVE-2025-55197: CWE-400: Uncontrolled Resource Consumption in py-pdf pypdf
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.