CVE-2023-53513
Description
In the Linux kernel, the following vulnerability has been resolved: nbd: fix incomplete validation of ioctl arg We tested and found an alarm caused by nbd_ioctl arg without verification. The UBSAN warning calltrace like below: UBSAN: Undefined behaviour in fs/buffer.c:1709:35 signed integer overflow: -9223372036854775808 - 1 cannot be represented in type 'long long int' CPU: 3 PID: 2523 Comm: syz-executor.0 Not tainted 4.19.90 #1 Hardware name: linux,dummy-virt (DT) Call trace: dump_backtrace+0x0/0x3f0 arch/arm64/kernel/time.c:78 show_stack+0x28/0x38 arch/arm64/kernel/traps.c:158 __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x170/0x1dc lib/dump_stack.c:118 ubsan_epilogue+0x18/0xb4 lib/ubsan.c:161 handle_overflow+0x188/0x1dc lib/ubsan.c:192 __ubsan_handle_sub_overflow+0x34/0x44 lib/ubsan.c:206 __block_write_full_page+0x94c/0xa20 fs/buffer.c:1709 block_write_full_page+0x1f0/0x280 fs/buffer.c:2934 blkdev_writepage+0x34/0x40 fs/block_dev.c:607 __writepage+0x68/0xe8 mm/page-writeback.c:2305 write_cache_pages+0x44c/0xc70 mm/page-writeback.c:2240 generic_writepages+0xdc/0x148 mm/page-writeback.c:2329 blkdev_writepages+0x2c/0x38 fs/block_dev.c:2114 do_writepages+0xd4/0x250 mm/page-writeback.c:2344 The reason for triggering this warning is __block_write_full_page() -> i_size_read(inode) - 1 overflow. inode->i_size is assigned in __nbd_ioctl() -> nbd_set_size() -> bytesize. We think it is necessary to limit the size of arg to prevent errors. Moreover, __nbd_ioctl() -> nbd_add_socket(), arg will be cast to int. Assuming the value of arg is 0x80000000000000001) (on a 64-bit machine), it will become 1 after the coercion, which will return unexpected results. Fix it by adding checks to prevent passing in too large numbers.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: alma — https://errata.almalinux.org/8/ALSA-2025-22387.html
Vendor advisory: alma — https://access.redhat.com/errata/RHSA-2025:22387
Vendor advisory: alma — https://errata.almalinux.org/8/ALSA-2025-22388.html
Vendor advisory: alma — https://bugzilla.redhat.com/2402699
Vendor advisory: alma — https://bugzilla.redhat.com/2400795
Vendor advisory: alma — https://bugzilla.redhat.com/2400598
Vendor advisory: alma — https://bugzilla.redhat.com/2397553
Vendor advisory: alma — https://bugzilla.redhat.com/2395792
Vendor advisory: alma — https://bugzilla.redhat.com/2393172
Vendor advisory: alma — https://access.redhat.com/errata/RHSA-2025:22388
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2023-53513
Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2023-53513.html
Vendor advisory: redhat — https://access.redhat.com/errata/RHSA-2024:2394
Vendor advisory: rocky — https://errata.rockylinux.org/RLSA-2025:22388
Vendor advisory: rocky — https://errata.rockylinux.org/RLSA-2025:22387
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| rocky | 8 | fixed | |
| rhel | 9 | fixed | |
| sles | affected | | |
| debian | bookworm | fixed | 6.1.37-1 |
| debian | bullseye | affected | |
| debian | forky | fixed | 6.3.7-1 |
| debian | sid | fixed | 6.3.7-1 |
| debian | trixie | fixed | 6.3.7-1 |
References
- https://errata.rockylinux.org/RLSA-2025:22387
- https://errata.rockylinux.org/RLSA-2025:22388
- https://access.redhat.com/errata/RHSA-2024:2394
- https://www.suse.com/security/cve/CVE-2023-53513.html
- https://security-tracker.debian.org/tracker/CVE-2023-53513
- https://access.redhat.com/errata/RHSA-2025:22388
- https://bugzilla.redhat.com/2393172
- https://bugzilla.redhat.com/2395792
- https://bugzilla.redhat.com/2397553
- https://bugzilla.redhat.com/2400598
- https://bugzilla.redhat.com/2400795
- https://bugzilla.redhat.com/2402699
- https://errata.almalinux.org/8/ALSA-2025-22388.html
- https://access.redhat.com/errata/RHSA-2025:22387
- https://errata.almalinux.org/8/ALSA-2025-22387.html
Verify integrity in audit chain (admin only). AS-IS.