CVE-2023-53820
Description
In the Linux kernel, the following vulnerability has been resolved:
loop: loop_set_status_from_info() check before assignment
In loop_set_status_from_info(), lo->lo_offset and lo->lo_sizelimit should be checked before reassignment, because if an overflow error occurs, the original correct value will be changed to the wrong value, and it will not be changed back.
Moreover, the original patch did not solve the problem: the value was set and ioctl returned an error, but the subsequent I/O used the value in the loop driver, which still caused an alarm:

loop_handle_cmd
 do_req_filebacked
  loff_t pos = ((loff_t) blk_rq_pos(rq) << 9) + lo->lo_offset;
  lo_rw_aio
   cmd->iocb.ki_pos = pos
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel's loop driver, a missing validation before assignment of lo->lo_offset and lo->lo_sizelimit in loop_set_status_from_info() allows a corrupted state to persist after an overflow error.
Root Cause
The vulnerability resides in the loop_set_status_from_info() function of the Linux kernel's loop block driver. The function updates lo->lo_offset and lo->lo_sizelimit without first validating the new values for potential overflow. If an overflow error occurs during the reassignment, the original correct values are overwritten with incorrect values and never restored [1][2][3][4].
Exploitation Path
An attacker with the ability to issue LOOP_SET_STATUS ioctl calls on a loop device (typically requiring either local access or the ability to control a process that has the device open) can trigger this flaw. By providing crafted offset or sizelimit values that cause arithmetic overflow during assignment, the attacker corrupts the device's internal state. The corruption then persists across subsequent I/O operations because the driver does not revert the fields after detecting the error [1][2][3][4].
Impact
After the corrupted values are set, I/O operations on the loop device compute file positions using the invalid offset, as seen in loop_handle_cmd() -> do_req_filebacked() -> loff_t pos = ... + lo->lo_offset. This can lead to out-of-bounds reads or writes on the backing file, potentially causing data corruption, information disclosure, or system instability [1][2][3][4].
Mitigation
The fix ensures that the new values for lo->lo_offset and lo->lo_sizelimit are validated *before* any assignment occurs. If an overflow is detected, the function returns an error without altering the device's state. The patch has been merged into the stable kernel trees; users should apply the relevant updates (commit IDs 258809bf22bf, 6bdf4e6dfb60, 861021710bba, and 2ea7077748e5) [1][2][3][4].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
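The check-before-assign ordering described under Mitigation, as an added user-space model (not the kernel's code and not part of the original record). The struct and function names are hypothetical, and it assumes the ioctl-supplied fields are unsigned 64-bit while the driver's fields are signed 64-bit; the position arithmetic follows the trace in the description.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified user-space stand-ins (hypothetical), not the kernel structs. */
struct model_info { uint64_t lo_offset, lo_sizelimit; };  /* ioctl input  */
struct model_loop { int64_t  lo_offset, lo_sizelimit; };  /* driver state */

/* Assign first, check afterwards: an error return leaves bad state behind. */
static int set_status_assign_first(struct model_loop *lo, const struct model_info *info)
{
    lo->lo_offset = (int64_t)info->lo_offset;
    lo->lo_sizelimit = (int64_t)info->lo_sizelimit;
    if (lo->lo_offset < 0 || lo->lo_sizelimit < 0)
        return -EOVERFLOW;
    return 0;
}

/* Check the untrusted input first: on error the device state is untouched. */
static int set_status_check_first(struct model_loop *lo, const struct model_info *info)
{
    if (info->lo_offset > INT64_MAX || info->lo_sizelimit > INT64_MAX)
        return -EOVERFLOW;
    lo->lo_offset = (int64_t)info->lo_offset;
    lo->lo_sizelimit = (int64_t)info->lo_sizelimit;
    return 0;
}

/* File position as in the description's trace: (sector << 9) + lo_offset. */
static int64_t io_pos(const struct model_loop *lo, uint64_t sector)
{
    return (int64_t)(sector << 9) + lo->lo_offset;
}

/* Position used for sector 0 after a request that was rejected with -EOVERFLOW. */
static int64_t pos_after_rejected_request(int use_fixed)
{
    struct model_loop lo = { .lo_offset = 4096, .lo_sizelimit = 0 };
    struct model_info bad = { .lo_offset = UINT64_MAX, .lo_sizelimit = 0 }; /* constructed */
    int rc = use_fixed ? set_status_check_first(&lo, &bad)
                       : set_status_assign_first(&lo, &bad);
    return rc == -EOVERFLOW ? io_pos(&lo, 0) : INT64_MIN;
}

int main(void)
{
    printf("assign-first pos=%lld, check-first pos=%lld\n",
           (long long)pos_after_rejected_request(0), (long long)pos_after_rejected_request(1));
    return 0;
}
```

Both variants return -EOVERFLOW for the constructed input; only the assign-first variant leaves a negative offset that later position calculations pick up.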
Affected products: 2
Patches: 9
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (9)
- git.kernel.org/stable/c/258809bf22bf71d53247856f374f2b1d055f2fd4 (nvd)
- git.kernel.org/stable/c/2ea7077748e5d7cc64f1c31342c802fe66ea7426 (nvd)
- git.kernel.org/stable/c/3e7d0968203d668af6036b9f9199c7b62c8a3581 (nvd)
- git.kernel.org/stable/c/4be26d553a3f1d4f54f25353d1496c562002126d (nvd)
- git.kernel.org/stable/c/6bdf4e6dfb60cbb6121ccf027d97ed2ec97c0bcb (nvd)
- git.kernel.org/stable/c/832580af82ace363205039a8e7c4ef04552ccc1a (nvd)
- git.kernel.org/stable/c/861021710bba9dfa0749a3c209a6c1773208b1f1 (nvd)
- git.kernel.org/stable/c/9f6ad5d533d1c71e51bdd06a5712c4fbc8768dfa (nvd)
- git.kernel.org/stable/c/c79a924ed6afac1708dfd370ba66bcf6a852ced6 (nvd)