cve/published/2022/CVE-2022-49674.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-49674: dm raid: fix accesses beyond end of raid member array

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 dm raid: fix accesses beyond end of raid member array

 On dm-raid table load (using raid_ctr), dm-raid allocates an array
 rs->devs[rs->raid_disks] for the raid device members. rs->raid_disks
 is defined by the number of raid metadata and image tupples passed
 into the target's constructor.

 In the case of RAID layout changes being requested, that number can be
 different from the current number of members for existing raid sets as
 defined in their superblocks. Example RAID layout changes include:
 - raid1 legs being added/removed
 - raid4/5/6/10 number of stripes changed (stripe reshaping)
 - takeover to higher raid level (e.g. raid5 -> raid6)

 When accessing array members, rs->raid_disks must be used in control
 loops instead of the potentially larger value in rs->md.raid_disks.
 Otherwise it will cause memory access beyond the end of the rs->devs
 array.

 Fix this by changing code that is prone to out-of-bounds access.
 Also fix validate_raid_redundancy() to validate all devices that are
 added. Also, use braces to help clean up raid_iterate_devices().

 The out-of-bounds memory accesses was discovered using KASAN.

 This commit was verified to pass all LVM2 RAID tests (with KASAN
 enabled).

 The Linux kernel CVE team has assigned CVE-2022-49674 to this issue.


 Affected and fixed versions
 ===========================

 	Fixed in 4.14.287 with commit 5e161a8826b63c0b8b43e4a7fad1f956780f42ab
 	Fixed in 4.19.251 with commit df1a5ab0dd0775f2ea101c71f2addbc4c0ea0f85
 	Fixed in 5.4.204 with commit 90de15357504c8097ab29769dc6852e16281e9e8
 	Fixed in 5.10.129 with commit 9bf2b0757b04c78dc5d6e3a198acca98457b32a1
 	Fixed in 5.15.53 with commit 6352b2f4d8e95ec0ae576d7705435d64cfa29503
 	Fixed in 5.18.10 with commit bcff98500ea3b4e7615ec31d2bdd326bc1ef5134
 	Fixed in 5.19 with commit 332bd0778775d0cf105c4b9e03e460b590749916

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-49674
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/md/dm-raid.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/5e161a8826b63c0b8b43e4a7fad1f956780f42ab
 	https://git.kernel.org/stable/c/df1a5ab0dd0775f2ea101c71f2addbc4c0ea0f85
 	https://git.kernel.org/stable/c/90de15357504c8097ab29769dc6852e16281e9e8
 	https://git.kernel.org/stable/c/9bf2b0757b04c78dc5d6e3a198acca98457b32a1
 	https://git.kernel.org/stable/c/6352b2f4d8e95ec0ae576d7705435d64cfa29503
 	https://git.kernel.org/stable/c/bcff98500ea3b4e7615ec31d2bdd326bc1ef5134
 	https://git.kernel.org/stable/c/332bd0778775d0cf105c4b9e03e460b590749916
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-49674: dm raid: fix accesses beyond end of raid member array

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	dm raid: fix accesses beyond end of raid member array

	On dm-raid table load (using raid_ctr), dm-raid allocates an array
	rs->devs[rs->raid_disks] for the raid device members. rs->raid_disks
	is defined by the number of raid metadata and image tupples passed
	into the target's constructor.

	In the case of RAID layout changes being requested, that number can be
	different from the current number of members for existing raid sets as
	defined in their superblocks. Example RAID layout changes include:
	- raid1 legs being added/removed
	- raid4/5/6/10 number of stripes changed (stripe reshaping)
	- takeover to higher raid level (e.g. raid5 -> raid6)

	When accessing array members, rs->raid_disks must be used in control
	loops instead of the potentially larger value in rs->md.raid_disks.
	Otherwise it will cause memory access beyond the end of the rs->devs
	array.

	Fix this by changing code that is prone to out-of-bounds access.
	Also fix validate_raid_redundancy() to validate all devices that are
	added. Also, use braces to help clean up raid_iterate_devices().

	The out-of-bounds memory accesses was discovered using KASAN.

	This commit was verified to pass all LVM2 RAID tests (with KASAN
	enabled).

	The Linux kernel CVE team has assigned CVE-2022-49674 to this issue.


	Affected and fixed versions
	===========================

	Fixed in 4.14.287 with commit 5e161a8826b63c0b8b43e4a7fad1f956780f42ab
	Fixed in 4.19.251 with commit df1a5ab0dd0775f2ea101c71f2addbc4c0ea0f85
	Fixed in 5.4.204 with commit 90de15357504c8097ab29769dc6852e16281e9e8
	Fixed in 5.10.129 with commit 9bf2b0757b04c78dc5d6e3a198acca98457b32a1
	Fixed in 5.15.53 with commit 6352b2f4d8e95ec0ae576d7705435d64cfa29503
	Fixed in 5.18.10 with commit bcff98500ea3b4e7615ec31d2bdd326bc1ef5134
	Fixed in 5.19 with commit 332bd0778775d0cf105c4b9e03e460b590749916

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-49674
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/md/dm-raid.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/5e161a8826b63c0b8b43e4a7fad1f956780f42ab
	https://git.kernel.org/stable/c/df1a5ab0dd0775f2ea101c71f2addbc4c0ea0f85
	https://git.kernel.org/stable/c/90de15357504c8097ab29769dc6852e16281e9e8
	https://git.kernel.org/stable/c/9bf2b0757b04c78dc5d6e3a198acca98457b32a1
	https://git.kernel.org/stable/c/6352b2f4d8e95ec0ae576d7705435d64cfa29503
	https://git.kernel.org/stable/c/bcff98500ea3b4e7615ec31d2bdd326bc1ef5134
	https://git.kernel.org/stable/c/332bd0778775d0cf105c4b9e03e460b590749916