cve/published/2022/CVE-2022-49044.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-49044: dm integrity: fix memory corruption when tag_size is less than digest size

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 dm integrity: fix memory corruption when tag_size is less than digest size

 It is possible to set up dm-integrity in such a way that the
 "tag_size" parameter is less than the actual digest size. In this
 situation, a part of the digest beyond tag_size is ignored.

 In this case, dm-integrity would write beyond the end of the
 ic->recalc_tags array and corrupt memory. The corruption happened in
 integrity_recalc->integrity_sector_checksum->crypto_shash_final.

 Fix this corruption by increasing the tags array so that it has enough
 padding at the end to accomodate the loop in integrity_recalc() being
 able to write a full digest size for the last member of the tags
 array.

 The Linux kernel CVE team has assigned CVE-2022-49044 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.12 with commit 7eada909bfd7ac90a4522e56aa3179d1fd68cd14 and fixed in 4.19.240 with commit 6a95d91c0b315c965198f6ab7dec7c94129e17e0
 	Issue introduced in 4.12 with commit 7eada909bfd7ac90a4522e56aa3179d1fd68cd14 and fixed in 5.4.190 with commit 7f84c937222944c03f4615ca4742df6bed0e5adf
 	Issue introduced in 4.12 with commit 7eada909bfd7ac90a4522e56aa3179d1fd68cd14 and fixed in 5.10.112 with commit cd02b2687d66f0a8e716384de4b9a0671331f1dc
 	Issue introduced in 4.12 with commit 7eada909bfd7ac90a4522e56aa3179d1fd68cd14 and fixed in 5.15.35 with commit 6b4bf97587ef6c1927a78934b700204920655123
 	Issue introduced in 4.12 with commit 7eada909bfd7ac90a4522e56aa3179d1fd68cd14 and fixed in 5.17.4 with commit 4d485cf9b609709e45d5113e6e2b1b01254b2fe9
 	Issue introduced in 4.12 with commit 7eada909bfd7ac90a4522e56aa3179d1fd68cd14 and fixed in 5.18 with commit 08c1af8f1c13bbf210f1760132f4df24d0ed46d6

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-49044
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/md/dm-integrity.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/6a95d91c0b315c965198f6ab7dec7c94129e17e0
 	https://git.kernel.org/stable/c/7f84c937222944c03f4615ca4742df6bed0e5adf
 	https://git.kernel.org/stable/c/cd02b2687d66f0a8e716384de4b9a0671331f1dc
 	https://git.kernel.org/stable/c/6b4bf97587ef6c1927a78934b700204920655123
 	https://git.kernel.org/stable/c/4d485cf9b609709e45d5113e6e2b1b01254b2fe9
 	https://git.kernel.org/stable/c/08c1af8f1c13bbf210f1760132f4df24d0ed46d6
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-49044: dm integrity: fix memory corruption when tag_size is less than digest size

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	dm integrity: fix memory corruption when tag_size is less than digest size

	It is possible to set up dm-integrity in such a way that the
	"tag_size" parameter is less than the actual digest size. In this
	situation, a part of the digest beyond tag_size is ignored.

	In this case, dm-integrity would write beyond the end of the
	ic->recalc_tags array and corrupt memory. The corruption happened in
	integrity_recalc->integrity_sector_checksum->crypto_shash_final.

	Fix this corruption by increasing the tags array so that it has enough
	padding at the end to accomodate the loop in integrity_recalc() being
	able to write a full digest size for the last member of the tags
	array.

	The Linux kernel CVE team has assigned CVE-2022-49044 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.12 with commit 7eada909bfd7ac90a4522e56aa3179d1fd68cd14 and fixed in 4.19.240 with commit 6a95d91c0b315c965198f6ab7dec7c94129e17e0
	Issue introduced in 4.12 with commit 7eada909bfd7ac90a4522e56aa3179d1fd68cd14 and fixed in 5.4.190 with commit 7f84c937222944c03f4615ca4742df6bed0e5adf
	Issue introduced in 4.12 with commit 7eada909bfd7ac90a4522e56aa3179d1fd68cd14 and fixed in 5.10.112 with commit cd02b2687d66f0a8e716384de4b9a0671331f1dc
	Issue introduced in 4.12 with commit 7eada909bfd7ac90a4522e56aa3179d1fd68cd14 and fixed in 5.15.35 with commit 6b4bf97587ef6c1927a78934b700204920655123
	Issue introduced in 4.12 with commit 7eada909bfd7ac90a4522e56aa3179d1fd68cd14 and fixed in 5.17.4 with commit 4d485cf9b609709e45d5113e6e2b1b01254b2fe9
	Issue introduced in 4.12 with commit 7eada909bfd7ac90a4522e56aa3179d1fd68cd14 and fixed in 5.18 with commit 08c1af8f1c13bbf210f1760132f4df24d0ed46d6

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-49044
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/md/dm-integrity.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/6a95d91c0b315c965198f6ab7dec7c94129e17e0
	https://git.kernel.org/stable/c/7f84c937222944c03f4615ca4742df6bed0e5adf
	https://git.kernel.org/stable/c/cd02b2687d66f0a8e716384de4b9a0671331f1dc
	https://git.kernel.org/stable/c/6b4bf97587ef6c1927a78934b700204920655123
	https://git.kernel.org/stable/c/4d485cf9b609709e45d5113e6e2b1b01254b2fe9
	https://git.kernel.org/stable/c/08c1af8f1c13bbf210f1760132f4df24d0ed46d6