cve/published/2022/CVE-2022-49526.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-49526: md/bitmap: don't set sb values if can't pass sanity check

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 md/bitmap: don't set sb values if can't pass sanity check

 If bitmap area contains invalid data, kernel will crash then mdadm
 triggers "Segmentation fault".
 This is cluster-md speical bug. In non-clustered env, mdadm will
 handle broken metadata case. In clustered array, only kernel space
 handles bitmap slot info. But even this bug only happened in clustered
 env, current sanity check is wrong, the code should be changed.

 How to trigger: (faulty injection)

 dd if=/dev/zero bs=1M count=1 oflag=direct of=/dev/sda
 dd if=/dev/zero bs=1M count=1 oflag=direct of=/dev/sdb
 mdadm -C /dev/md0 -b clustered -e 1.2 -n 2 -l mirror /dev/sda /dev/sdb
 mdadm -Ss
 echo aaa > magic.txt
  == below modifying slot 2 bitmap data ==
 dd if=magic.txt of=/dev/sda seek=16384 bs=1 count=3 <== destroy magic
 dd if=/dev/zero of=/dev/sda seek=16436 bs=1 count=4 <== ZERO chunksize
 mdadm -A /dev/md0 /dev/sda /dev/sdb
  == kernel crashes. mdadm outputs "Segmentation fault" ==

 Reason of kernel crash:

 In md_bitmap_read_sb (called by md_bitmap_create), bad bitmap magic didn't
 block chunksize assignment, and zero value made DIV_ROUND_UP_SECTOR_T()
 trigger "divide error".

 Crash log:

 kernel: md: md0 stopped.
 kernel: md/raid1:md0: not clean -- starting background reconstruction
 kernel: md/raid1:md0: active with 2 out of 2 mirrors
 kernel: dlm: ... ...
 kernel: md-cluster: Joined cluster 44810aba-38bb-e6b8-daca-bc97a0b254aa slot 1
 kernel: md0: invalid bitmap file superblock: bad magic
 kernel: md_bitmap_copy_from_slot can't get bitmap from slot 2
 kernel: md-cluster: Could not gather bitmaps from slot 2
 kernel: divide error: 0000 [#1] SMP NOPTI
 kernel: CPU: 0 PID: 1603 Comm: mdadm Not tainted 5.14.6-1-default
 kernel: Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)
 kernel: RIP: 0010:md_bitmap_create+0x1d1/0x850 [md_mod]
 kernel: RSP: 0018:ffffc22ac0843ba0 EFLAGS: 00010246
 kernel: ... ...
 kernel: Call Trace:
 kernel:  ? dlm_lock_sync+0xd0/0xd0 [md_cluster 77fe..7a0]
 kernel:  md_bitmap_copy_from_slot+0x2c/0x290 [md_mod 24ea..d3a]
 kernel:  load_bitmaps+0xec/0x210 [md_cluster 77fe..7a0]
 kernel:  md_bitmap_load+0x81/0x1e0 [md_mod 24ea..d3a]
 kernel:  do_md_run+0x30/0x100 [md_mod 24ea..d3a]
 kernel:  md_ioctl+0x1290/0x15a0 [md_mod 24ea....d3a]
 kernel:  ? mddev_unlock+0xaa/0x130 [md_mod 24ea..d3a]
 kernel:  ? blkdev_ioctl+0xb1/0x2b0
 kernel:  block_ioctl+0x3b/0x40
 kernel:  __x64_sys_ioctl+0x7f/0xb0
 kernel:  do_syscall_64+0x59/0x80
 kernel:  ? exit_to_user_mode_prepare+0x1ab/0x230
 kernel:  ? syscall_exit_to_user_mode+0x18/0x40
 kernel:  ? do_syscall_64+0x69/0x80
 kernel:  entry_SYSCALL_64_after_hwframe+0x44/0xae
 kernel: RIP: 0033:0x7f4a15fa722b
 kernel: ... ...
 kernel: ---[ end trace 8afa7612f559c868 ]---
 kernel: RIP: 0010:md_bitmap_create+0x1d1/0x850 [md_mod]

 The Linux kernel CVE team has assigned CVE-2022-49526 to this issue.


 Affected and fixed versions
 ===========================

 	Fixed in 4.19.247 with commit 422e8f7ba1e08c8e0e88d375bcb550bc2bbfe96d
 	Fixed in 5.4.198 with commit 0959aa00f9765bd8c654b1365012e41b51c733cc
 	Fixed in 5.10.121 with commit e69e93120f6219b9cc4fba3b515b6ababd8548aa
 	Fixed in 5.15.46 with commit 27f672af28a8e9b783ff7f0eaf7ef2fbd5a2f4ba
 	Fixed in 5.17.14 with commit cf9392282a2cf5a8d83dd1c5aa1a097e12f172bc
 	Fixed in 5.18.3 with commit d8f1558e1daf54f53a90b4c5700ae3e3a4b13412
 	Fixed in 5.19 with commit e68cb83a57a458b01c9739e2ad9cb70b04d1e6d2

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-49526
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/md/md-bitmap.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/422e8f7ba1e08c8e0e88d375bcb550bc2bbfe96d
 	https://git.kernel.org/stable/c/0959aa00f9765bd8c654b1365012e41b51c733cc
 	https://git.kernel.org/stable/c/e69e93120f6219b9cc4fba3b515b6ababd8548aa
 	https://git.kernel.org/stable/c/27f672af28a8e9b783ff7f0eaf7ef2fbd5a2f4ba
 	https://git.kernel.org/stable/c/cf9392282a2cf5a8d83dd1c5aa1a097e12f172bc
 	https://git.kernel.org/stable/c/d8f1558e1daf54f53a90b4c5700ae3e3a4b13412
 	https://git.kernel.org/stable/c/e68cb83a57a458b01c9739e2ad9cb70b04d1e6d2
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-49526: md/bitmap: don't set sb values if can't pass sanity check

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	md/bitmap: don't set sb values if can't pass sanity check

	If bitmap area contains invalid data, kernel will crash then mdadm
	triggers "Segmentation fault".
	This is cluster-md speical bug. In non-clustered env, mdadm will
	handle broken metadata case. In clustered array, only kernel space
	handles bitmap slot info. But even this bug only happened in clustered
	env, current sanity check is wrong, the code should be changed.

	How to trigger: (faulty injection)

	dd if=/dev/zero bs=1M count=1 oflag=direct of=/dev/sda
	dd if=/dev/zero bs=1M count=1 oflag=direct of=/dev/sdb
	mdadm -C /dev/md0 -b clustered -e 1.2 -n 2 -l mirror /dev/sda /dev/sdb
	mdadm -Ss
	echo aaa > magic.txt
	== below modifying slot 2 bitmap data ==
	dd if=magic.txt of=/dev/sda seek=16384 bs=1 count=3 <== destroy magic
	dd if=/dev/zero of=/dev/sda seek=16436 bs=1 count=4 <== ZERO chunksize
	mdadm -A /dev/md0 /dev/sda /dev/sdb
	== kernel crashes. mdadm outputs "Segmentation fault" ==

	Reason of kernel crash:

	In md_bitmap_read_sb (called by md_bitmap_create), bad bitmap magic didn't
	block chunksize assignment, and zero value made DIV_ROUND_UP_SECTOR_T()
	trigger "divide error".

	Crash log:

	kernel: md: md0 stopped.
	kernel: md/raid1:md0: not clean -- starting background reconstruction
	kernel: md/raid1:md0: active with 2 out of 2 mirrors
	kernel: dlm: ... ...
	kernel: md-cluster: Joined cluster 44810aba-38bb-e6b8-daca-bc97a0b254aa slot 1
	kernel: md0: invalid bitmap file superblock: bad magic
	kernel: md_bitmap_copy_from_slot can't get bitmap from slot 2
	kernel: md-cluster: Could not gather bitmaps from slot 2
	kernel: divide error: 0000 [#1] SMP NOPTI
	kernel: CPU: 0 PID: 1603 Comm: mdadm Not tainted 5.14.6-1-default
	kernel: Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)
	kernel: RIP: 0010:md_bitmap_create+0x1d1/0x850 [md_mod]
	kernel: RSP: 0018:ffffc22ac0843ba0 EFLAGS: 00010246
	kernel: ... ...
	kernel: Call Trace:
	kernel: ? dlm_lock_sync+0xd0/0xd0 [md_cluster 77fe..7a0]
	kernel: md_bitmap_copy_from_slot+0x2c/0x290 [md_mod 24ea..d3a]
	kernel: load_bitmaps+0xec/0x210 [md_cluster 77fe..7a0]
	kernel: md_bitmap_load+0x81/0x1e0 [md_mod 24ea..d3a]
	kernel: do_md_run+0x30/0x100 [md_mod 24ea..d3a]
	kernel: md_ioctl+0x1290/0x15a0 [md_mod 24ea....d3a]
	kernel: ? mddev_unlock+0xaa/0x130 [md_mod 24ea..d3a]
	kernel: ? blkdev_ioctl+0xb1/0x2b0
	kernel: block_ioctl+0x3b/0x40
	kernel: __x64_sys_ioctl+0x7f/0xb0
	kernel: do_syscall_64+0x59/0x80
	kernel: ? exit_to_user_mode_prepare+0x1ab/0x230
	kernel: ? syscall_exit_to_user_mode+0x18/0x40
	kernel: ? do_syscall_64+0x69/0x80
	kernel: entry_SYSCALL_64_after_hwframe+0x44/0xae
	kernel: RIP: 0033:0x7f4a15fa722b
	kernel: ... ...
	kernel: ---[ end trace 8afa7612f559c868 ]---
	kernel: RIP: 0010:md_bitmap_create+0x1d1/0x850 [md_mod]

	The Linux kernel CVE team has assigned CVE-2022-49526 to this issue.


	Affected and fixed versions
	===========================

	Fixed in 4.19.247 with commit 422e8f7ba1e08c8e0e88d375bcb550bc2bbfe96d
	Fixed in 5.4.198 with commit 0959aa00f9765bd8c654b1365012e41b51c733cc
	Fixed in 5.10.121 with commit e69e93120f6219b9cc4fba3b515b6ababd8548aa
	Fixed in 5.15.46 with commit 27f672af28a8e9b783ff7f0eaf7ef2fbd5a2f4ba
	Fixed in 5.17.14 with commit cf9392282a2cf5a8d83dd1c5aa1a097e12f172bc
	Fixed in 5.18.3 with commit d8f1558e1daf54f53a90b4c5700ae3e3a4b13412
	Fixed in 5.19 with commit e68cb83a57a458b01c9739e2ad9cb70b04d1e6d2

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-49526
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/md/md-bitmap.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/422e8f7ba1e08c8e0e88d375bcb550bc2bbfe96d
	https://git.kernel.org/stable/c/0959aa00f9765bd8c654b1365012e41b51c733cc
	https://git.kernel.org/stable/c/e69e93120f6219b9cc4fba3b515b6ababd8548aa
	https://git.kernel.org/stable/c/27f672af28a8e9b783ff7f0eaf7ef2fbd5a2f4ba
	https://git.kernel.org/stable/c/cf9392282a2cf5a8d83dd1c5aa1a097e12f172bc
	https://git.kernel.org/stable/c/d8f1558e1daf54f53a90b4c5700ae3e3a4b13412
	https://git.kernel.org/stable/c/e68cb83a57a458b01c9739e2ad9cb70b04d1e6d2