| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025061858-CVE-2022-50084-6b7c@gregkh> Date: Wed, 18 Jun 2025 13:02:29 +0200 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2022-50084: dm raid: fix address sanitizer warning in raid_status From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: dm raid: fix address sanitizer warning in raid_status There is this warning when using a kernel with the address sanitizer and running this testsuite: https://gitlab.com/cki-project/kernel-tests/-/tree/main/storage/swraid/scsi_raid ================================================================== BUG: KASAN: slab-out-of-bounds in raid_status+0x1747/0x2820 [dm_raid] Read of size 4 at addr ffff888079d2c7e8 by task lvcreate/13319 CPU: 0 PID: 13319 Comm: lvcreate Not tainted 5.18.0-0.rc3.<snip> #1 Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011 Call Trace: <TASK> dump_stack_lvl+0x6a/0x9c print_address_description.constprop.0+0x1f/0x1e0 print_report.cold+0x55/0x244 kasan_report+0xc9/0x100 raid_status+0x1747/0x2820 [dm_raid] dm_ima_measure_on_table_load+0x4b8/0xca0 [dm_mod] table_load+0x35c/0x630 [dm_mod] ctl_ioctl+0x411/0x630 [dm_mod] dm_ctl_ioctl+0xa/0x10 [dm_mod] __x64_sys_ioctl+0x12a/0x1a0 do_syscall_64+0x5b/0x80 The warning is caused by reading conf->max_nr_stripes in raid_status. The code in raid_status reads mddev->private, casts it to struct r5conf and reads the entry max_nr_stripes. However, if we have different raid type than 4/5/6, mddev->private doesn't point to struct r5conf; it may point to struct r0conf, struct r1conf, struct r10conf or struct mpconf. If we cast a pointer to one of these structs to struct r5conf, we will be reading invalid memory and KASAN warns about it. Fix this bug by reading struct r5conf only if raid type is 4, 5 or 6. The Linux kernel CVE team has assigned CVE-2022-50084 to this issue. Affected and fixed versions =========================== Fixed in 4.9.326 with commit 1ae0ebfb576b72c2ef400917a5484ebe7892d80b Fixed in 4.14.291 with commit 90b006da40dd42285b24dd3c940d2c32aca9a70b Fixed in 4.19.256 with commit b856ce5f4b55f752144baf17e9d5c415072652c5 Fixed in 5.4.211 with commit cb583ca6125ac64c98e9d65128e95ebb5be7d322 Fixed in 5.10.137 with commit 49dba30638e091120256a9e89125340795f034dc Fixed in 5.15.61 with commit 4c233811a49578634d10a5e70a9dfa569d451e94 Fixed in 5.18.18 with commit d8971b595d7adac3421c21f59918241f1574061e Fixed in 5.19.2 with commit b4c6c07c92b6cba2bf3cb2dfa722debeaf8a8abe Fixed in 6.0 with commit 1fbeea217d8f297fe0e0956a1516d14ba97d0396 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2022-50084 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: drivers/md/dm-raid.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/1ae0ebfb576b72c2ef400917a5484ebe7892d80b https://git.kernel.org/stable/c/90b006da40dd42285b24dd3c940d2c32aca9a70b https://git.kernel.org/stable/c/b856ce5f4b55f752144baf17e9d5c415072652c5 https://git.kernel.org/stable/c/cb583ca6125ac64c98e9d65128e95ebb5be7d322 https://git.kernel.org/stable/c/49dba30638e091120256a9e89125340795f034dc https://git.kernel.org/stable/c/4c233811a49578634d10a5e70a9dfa569d451e94 https://git.kernel.org/stable/c/d8971b595d7adac3421c21f59918241f1574061e https://git.kernel.org/stable/c/b4c6c07c92b6cba2bf3cb2dfa722debeaf8a8abe https://git.kernel.org/stable/c/1fbeea217d8f297fe0e0956a1516d14ba97d0396
Powered by blists - more mailing lists