| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025061801-CVE-2022-50092-dcb8@gregkh> Date: Wed, 18 Jun 2025 13:02:37 +0200 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2022-50092: dm thin: fix use-after-free crash in dm_sm_register_threshold_callback From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: dm thin: fix use-after-free crash in dm_sm_register_threshold_callback Fault inject on pool metadata device reports: BUG: KASAN: use-after-free in dm_pool_register_metadata_threshold+0x40/0x80 Read of size 8 at addr ffff8881b9d50068 by task dmsetup/950 CPU: 7 PID: 950 Comm: dmsetup Tainted: G W 5.19.0-rc6 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x34/0x44 print_address_description.constprop.0.cold+0xeb/0x3f4 kasan_report.cold+0xe6/0x147 dm_pool_register_metadata_threshold+0x40/0x80 pool_ctr+0xa0a/0x1150 dm_table_add_target+0x2c8/0x640 table_load+0x1fd/0x430 ctl_ioctl+0x2c4/0x5a0 dm_ctl_ioctl+0xa/0x10 __x64_sys_ioctl+0xb3/0xd0 do_syscall_64+0x35/0x80 entry_SYSCALL_64_after_hwframe+0x46/0xb0 This can be easily reproduced using: echo offline > /sys/block/sda/device/state dd if=/dev/zero of=/dev/mapper/thin bs=4k count=10 dmsetup load pool --table "0 20971520 thin-pool /dev/sda /dev/sdb 128 0 0" If a metadata commit fails, the transaction will be aborted and the metadata space maps will be destroyed. If a DM table reload then happens for this failed thin-pool, a use-after-free will occur in dm_sm_register_threshold_callback (called from dm_pool_register_metadata_threshold). Fix this by in dm_pool_register_metadata_threshold() by returning the -EINVAL error if the thin-pool is in fail mode. Also fail pool_ctr() with a new error message: "Error registering metadata threshold". The Linux kernel CVE team has assigned CVE-2022-50092 to this issue. Affected and fixed versions =========================== Issue introduced in 3.10 with commit ac8c3f3df65e487bbcabf274eeeb9cd222f5da1e and fixed in 5.4.211 with commit 05cef0999b3208b5a6ede1bfac855139e4de55ef Issue introduced in 3.10 with commit ac8c3f3df65e487bbcabf274eeeb9cd222f5da1e and fixed in 5.10.137 with commit 5e2cf705155a1514be3c96ea664a9cd356998ee7 Issue introduced in 3.10 with commit ac8c3f3df65e487bbcabf274eeeb9cd222f5da1e and fixed in 5.15.61 with commit f83131a3071a0b61a4d7dca70f95adb3ffad920e Issue introduced in 3.10 with commit ac8c3f3df65e487bbcabf274eeeb9cd222f5da1e and fixed in 5.18.18 with commit 1a199fa9217d28511ff88529238fd9980ea64cf3 Issue introduced in 3.10 with commit ac8c3f3df65e487bbcabf274eeeb9cd222f5da1e and fixed in 5.19.2 with commit e4dbe24f4bfd8377e7ba79fdcdb7c4d6eb1c6790 Issue introduced in 3.10 with commit ac8c3f3df65e487bbcabf274eeeb9cd222f5da1e and fixed in 6.0 with commit 3534e5a5ed2997ca1b00f44a0378a075bd05e8a3 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2022-50092 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: drivers/md/dm-thin-metadata.c drivers/md/dm-thin.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/05cef0999b3208b5a6ede1bfac855139e4de55ef https://git.kernel.org/stable/c/5e2cf705155a1514be3c96ea664a9cd356998ee7 https://git.kernel.org/stable/c/f83131a3071a0b61a4d7dca70f95adb3ffad920e https://git.kernel.org/stable/c/1a199fa9217d28511ff88529238fd9980ea64cf3 https://git.kernel.org/stable/c/e4dbe24f4bfd8377e7ba79fdcdb7c4d6eb1c6790 https://git.kernel.org/stable/c/3534e5a5ed2997ca1b00f44a0378a075bd05e8a3
Powered by blists - more mailing lists