CVE-2023-54121
Incorrect Extent Map Splitting in Linux btrfs Causes Data Corruption

Publication date: 2025-12-24

Last updated on: 2025-12-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix incorrect splitting in btrfs_drop_extent_map_range

In production we were seeing a variety of WARN_ON()'s in the extent_map code, specifically in btrfs_drop_extent_map_range() when we have to call add_extent_mapping() for our second split.

Consider the following extent map layout

    PINNED
    [0 16K)  [32K, 48K)

and then we call btrfs_drop_extent_map_range for [0, 36K), with skip_pinned == true. The initial loop will have

    start = 0
    end = 36K
    len = 36K

we will find the [0, 16k) extent, but since we are pinned we will skip it, which has this code

    start = em_end;
    if (end != (u64)-1)
        len = start + len - em_end;

em_end here is 16K, so now the values are

    start = 16K
    len = 16K + 36K - 16K = 36K

len should instead be 20K. This is a problem when we find the next extent at [32K, 48K), we need to split this extent to leave [36K, 48k), however the code for the split looks like this

    split->start = start + len;
    split->len = em_end - (start + len);

In this case we have

    em_end = 48K
    split->start = 16K + 36K       // this should be 16K + 20K
    split->len = 48K - (16K + 36K) // this overflows as 16K + 36K is 52K

and now we have an invalid extent_map in the tree that potentially overlaps other entries in the extent map. Even in the non-overlapping case we will have split->start set improperly, which will cause problems with any block related calculations.

We don't actually need len in this loop, we can simply use end as our end point, and only adjust start up when we find a pinned extent we need to skip.

Adjust the logic to do this, which keeps us from inserting an invalid extent map.

We only skip_pinned in the relocation case, so this is relatively rare, except in the case where you are running relocation a lot, which can happen with auto relocation on.
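The arithmetic in the description can be reproduced with a small user-space model. This is an added example, not the kernel's code or the upstream patch; `struct em`, `struct split`, `drop_range_tail` and the `use_len` switch are hypothetical names, and the model covers only the pinned-skip and tail-split steps for a finite range.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define K 1024ULL
/* Hypothetical stand-ins for this model; not the kernel's struct extent_map. */
struct em { uint64_t start, len; bool pinned; };
struct split { uint64_t start, len; };

/* Model dropping [start, start + len) with skip_pinned == true.
 * use_len = true : the len bookkeeping quoted in the commit message.
 * use_len = false: key on 'end' only. Returns true if a tail split is made. */
static bool drop_range_tail(const struct em *ems, size_t n, uint64_t start,
                            uint64_t len, bool use_len, struct split *out)
{
    const uint64_t end = start + len;
    for (size_t i = 0; i < n; i++) {
        const uint64_t em_end = ems[i].start + ems[i].len;
        if (em_end <= start || ems[i].start >= end)
            continue;                       /* outside the drop range */
        if (ems[i].pinned) {                /* pinned extents are skipped */
            start = em_end;
            if (use_len)
                len = start + len - em_end; /* start == em_end: len unchanged */
            continue;
        }
        if (em_end > end) {                 /* extent ends after the range */
            const uint64_t cut = use_len ? start + len : end;
            out->start = cut;
            out->len = em_end - cut;        /* u64: wraps when cut > em_end */
            return true;
        }
    }
    return false;
}

/* Constructed input: PINNED [0, 16K) and [32K, 48K) from the commit message. */
static const struct em layout[] = { { 0, 16 * K, true }, { 32 * K, 16 * K, false } };

int main(void)
{
    struct split s;
    for (int pre_fix = 1; pre_fix >= 0; pre_fix--) {
        drop_range_tail(layout, 2, 0, 36 * K, pre_fix, &s);
        printf("%s: split->start=%lluK split->len=%llu bytes\n",
               pre_fix ? "pre-fix" : "end-only",
               (unsigned long long)(s.start / K), (unsigned long long)s.len);
    }
}
```

A wrapped `split->len` close to 2^64 is the kind of invalid entry that add_extent_mapping() warns about when the second split is inserted.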
Meta Information
Published: 2025-12-24
Last Modified: 2025-12-24
Generated: 2026-05-07
AI Q&A: 2025-12-25
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor    Product         Version / Range
linux     linux_kernel    *
CWE
CWE ID: CWE-UNKNOWN
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?

The vulnerability is fixed by correcting the logic in the btrfs_drop_extent_map_range function in the Linux kernel. Immediate mitigation involves updating your Linux kernel to a version that includes this fix to prevent invalid extent maps and potential issues during relocation. Since the issue occurs mainly during relocation with skip_pinned enabled, avoiding or limiting relocation operations until the kernel is updated may reduce exposure.


Can you explain this vulnerability to me?

This vulnerability is a bug in the Linux kernel's btrfs filesystem code, specifically in the btrfs_drop_extent_map_range function. The issue arises when the function incorrectly calculates the length of an extent map range to drop, especially when skipping pinned extents during relocation. This miscalculation leads to creating invalid extent maps that can overlap or have incorrect start and length values, potentially causing problems in block-related calculations and filesystem integrity.


How can this vulnerability impact me?

The vulnerability can cause invalid extent maps in the btrfs filesystem, which may lead to overlapping extent entries or incorrect block calculations. This can result in filesystem instability or errors, particularly during relocation operations where pinned extents are skipped. While this situation is relatively rare, it can affect systems that frequently perform auto relocation, potentially impacting data integrity or system reliability.

