CVE-2023-54069
Description
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix BUG in ext4_mb_new_inode_pa() due to overflow
When we calculate the end position of ext4_free_extent, this position may be exactly where ext4_lblk_t (i.e. uint) overflows. For example, if ac_g_ex.fe_logical is 4294965248 and ac_orig_goal_len is 2048, then the computed end is 0x100000000, which is 0. If ac->ac_o_ex.fe_logical is not the first case of adjusting the best extent, that is, new_bex_end > 0, the following BUG_ON will be triggered:
========================================================= kernel BUG at fs/ext4/mballoc.c:5116! invalid opcode: 0000 [#1] PREEMPT SMP PTI CPU: 3 PID: 673 Comm: xfs_io Tainted: G E 6.5.0-rc1+ #279 RIP: 0010:ext4_mb_new_inode_pa+0xc5/0x430 Call Trace: <TASK> ext4_mb_use_best_found+0x203/0x2f0 ext4_mb_try_best_found+0x163/0x240 ext4_mb_regular_allocator+0x158/0x1550 ext4_mb_new_blocks+0x86a/0xe10 ext4_ext_map_blocks+0xb0c/0x13a0 ext4_map_blocks+0x2cd/0x8f0 ext4_iomap_begin+0x27b/0x400 iomap_iter+0x222/0x3d0 __iomap_dio_rw+0x243/0xcb0 iomap_dio_rw+0x16/0x80 =========================================================
A simple reproducer demonstrating the problem:
mkfs.ext4 -F /dev/sda -b 4096 100M mount /dev/sda /tmp/test fallocate -l1M /tmp/test/tmp fallocate -l10M /tmp/test/file fallocate -i -o 1M -l16777203M /tmp/test/file fsstress -d /tmp/test -l 0 -n 100000 -p 8 & sleep 10 && killall -9 fsstress rm -f /tmp/test/tmp xfs_io -c "open -ad /tmp/test/file" -c "pwrite -S 0xff 0 8192"
We simply refactor the logic for adjusting the best extent by adding a temporary ext4_free_extent ex and use extent_logical_end() to avoid overflow, which also simplifies the code.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Integer overflow in ext4 extent length calculation leads to BUG_ON crash in ext4_mb_new_inode_pa().
In the Linux kernel's ext4 filesystem, an integer overflow vulnerability exists in the block allocator. When calculating the end position of an extent, the sum of ac_g_ex.fe_logical and ac_orig_goal_len can overflow an ext4_lblk_t (unsigned 32-bit), wrapping to zero. This results in a BUG_ON trigger in ext4_mb_new_inode_pa() [description].
To exploit this, an attacker needs local access and the ability to perform filesystem operations that invoke the problematic allocation path. The provided reproducer uses a combination of fallocate, fsstress, and xfs_io to create the overflow condition [description].
The impact is a denial of service via kernel panic, as the BUG_ON crashes the system. No memory corruption or privilege escalation is indicated.
The fix refactors the extent adjustment logic to use extent_logical_end(), which safely handles overflow. Patches have been applied to the Linux kernel stable branches [1][2]. Users should update to the latest kernel version.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1- Range: >= 6.5.0-rc1
Patches
683ecffd40c6558fe961c606cf2c3a3aa6f11fcefddf3a151b7e9ec38b6a0bc056e7163acVulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
6- git.kernel.org/stable/c/58fe961c606c446f5612f6897827b1cac42c2e89nvd
- git.kernel.org/stable/c/83ecffd40c65844a73c2e93d7c841455786605acnvd
- git.kernel.org/stable/c/b7e9ec38b6a0beb5a49cd1e76be0a9a07c218e90nvd
- git.kernel.org/stable/c/bc056e7163ac7db945366de219745cf94f32a3e6nvd
- git.kernel.org/stable/c/f2c3a3aa6f11ad9878dbc3a067b0633e07b586c1nvd
- git.kernel.org/stable/c/fcefddf3a151b2c416b20120c06bb1ba9ad676fbnvd
News mentions
0No linked articles in our index yet.