Bug 2395291 (CVE-2023-53172) - CVE-2023-53172 kernel: fsverity: reject FS_IOC_ENABLE_VERITY on mode 3 fds
Summary: CVE-2023-53172 kernel: fsverity: reject FS_IOC_ENABLE_VERITY on mode 3 fds
Keywords:
Status: NEW
Alias: CVE-2023-53172
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-09-15 15:05 UTC by OSIDB Bzimport
Modified: 2025-09-16 12:49 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2025-09-15 15:05:44 UTC 
In the Linux kernel, the following vulnerability has been resolved:

fsverity: reject FS_IOC_ENABLE_VERITY on mode 3 fds

Commit 56124d6c87fd ("fsverity: support enabling with tree block size <
PAGE_SIZE") changed FS_IOC_ENABLE_VERITY to use __kernel_read() to read
the file's data, instead of direct pagecache accesses.

An unintended consequence of this is that the
'WARN_ON_ONCE(!(file->f_mode & FMODE_READ))' in __kernel_read() became
reachable by fuzz tests.  This happens if FS_IOC_ENABLE_VERITY is called
on a fd opened with access mode 3, which means "ioctl access only".

Arguably, FS_IOC_ENABLE_VERITY should work on ioctl-only fds.  But
ioctl-only fds are a weird Linux extension that is rarely used and that
few people even know about.  (The documentation for FS_IOC_ENABLE_VERITY
even specifically says it requires O_RDONLY.)  It's probably not
worthwhile to make the ioctl internally open a new fd just to handle
this case.  Thus, just reject the ioctl on such fds for now.
Comment 1 Keith Grant 2025-09-16 12:47:05 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025091554-CVE-2023-53172-3f93@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.