{
  "threat_severity" : "Low",
  "public_date" : "2025-12-24T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: ext4: fix BUG in ext4_mb_new_inode_pa() due to overflow",
    "id" : "2425063",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2425063"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-190",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\next4: fix BUG in ext4_mb_new_inode_pa() due to overflow\nWhen we calculate the end position of ext4_free_extent, this position may\nbe exactly where ext4_lblk_t (i.e. uint) overflows. For example, if\nac_g_ex.fe_logical is 4294965248 and ac_orig_goal_len is 2048, then the\ncomputed end is 0x100000000, which is 0. If ac->ac_o_ex.fe_logical is not\nthe first case of adjusting the best extent, that is, new_bex_end > 0, the\nfollowing BUG_ON will be triggered:\n=========================================================\nkernel BUG at fs/ext4/mballoc.c:5116!\ninvalid opcode: 0000 [#1] PREEMPT SMP PTI\nCPU: 3 PID: 673 Comm: xfs_io Tainted: G E 6.5.0-rc1+ #279\nRIP: 0010:ext4_mb_new_inode_pa+0xc5/0x430\nCall Trace:\n<TASK>\next4_mb_use_best_found+0x203/0x2f0\next4_mb_try_best_found+0x163/0x240\next4_mb_regular_allocator+0x158/0x1550\next4_mb_new_blocks+0x86a/0xe10\next4_ext_map_blocks+0xb0c/0x13a0\next4_map_blocks+0x2cd/0x8f0\next4_iomap_begin+0x27b/0x400\niomap_iter+0x222/0x3d0\n__iomap_dio_rw+0x243/0xcb0\niomap_dio_rw+0x16/0x80\n=========================================================\nA simple reproducer demonstrating the problem:\nmkfs.ext4 -F /dev/sda -b 4096 100M\nmount /dev/sda /tmp/test\nfallocate -l1M /tmp/test/tmp\nfallocate -l10M /tmp/test/file\nfallocate -i -o 1M -l16777203M /tmp/test/file\nfsstress -d /tmp/test -l 0 -n 100000 -p 8 &\nsleep 10 && killall -9 fsstress\nrm -f /tmp/test/tmp\nxfs_io -c \"open -ad /tmp/test/file\" -c \"pwrite -S 0xff 0 8192\"\nWe simply refactor the logic for adjusting the best extent by adding\na temporary ext4_free_extent ex and use extent_logical_end() to avoid\noverflow, which also simplifies the code.", "An integer overflow flaw was found in the Linux kernel's ext4 filesystem. In ext4_mb_new_inode_pa(), when calculating the end position of ext4_free_extent, the computation can overflow ext4_lblk_t (uint32) to zero. This occurs with large logical block numbers near UINT_MAX, causing a BUG_ON assertion failure and kernel crash during block allocation." ],
  "statement" : "This flaw can be triggered through specific file operations involving large sparse files with fallocate. The reproducer requires creating files with extents near the maximum logical block number boundary. While the crash is deterministic once triggered, it requires specific filesystem operations with very large files.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-04-30T00:00:00Z",
    "advisory" : "RHSA-2024:2394",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-427.13.1.el9_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-04-30T00:00:00Z",
    "advisory" : "RHSA-2024:2394",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-427.13.1.el9_4"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-54069\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-54069\nhttps://lore.kernel.org/linux-cve-announce/2025122431-CVE-2023-54069-1a17@gregkh/T" ],
  "name" : "CVE-2023-54069",
  "csaw" : false
}