cve/published/2022/CVE-2022-49771.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-1.1.0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@kernel.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-49771: dm ioctl: fix misbehavior if list_versions races with module loading

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 dm ioctl: fix misbehavior if list_versions races with module loading

 __list_versions will first estimate the required space using the
 "dm_target_iterate(list_version_get_needed, &needed)" call and then will
 fill the space using the "dm_target_iterate(list_version_get_info,
 &iter_info)" call. Each of these calls locks the targets using the
 "down_read(&_lock)" and "up_read(&_lock)" calls, however between the first
 and second "dm_target_iterate" there is no lock held and the target
 modules can be loaded at this point, so the second "dm_target_iterate"
 call may need more space than what was the first "dm_target_iterate"
 returned.

 The code tries to handle this overflow (see the beginning of
 list_version_get_info), however this handling is incorrect.

 The code sets "param->data_size = param->data_start + needed" and
 "iter_info.end = (char *)vers+len" - "needed" is the size returned by the
 first dm_target_iterate call; "len" is the size of the buffer allocated by
 userspace.

 "len" may be greater than "needed"; in this case, the code will write up
 to "len" bytes into the buffer, however param->data_size is set to
 "needed", so it may write data past the param->data_size value. The ioctl
 interface copies only up to param->data_size into userspace, thus part of
 the result will be truncated.

 Fix this bug by setting "iter_info.end = (char *)vers + needed;" - this
 guarantees that the second "dm_target_iterate" call will write only up to
 the "needed" buffer and it will exit with "DM_BUFFER_FULL_FLAG" if it
 overflows the "needed" space - in this case, userspace will allocate a
 larger buffer and retry.

 Note that there is also a bug in list_version_get_needed - we need to add
 "strlen(tt->name) + 1" to the needed size, not "strlen(tt->name)".

 The Linux kernel CVE team has assigned CVE-2022-49771 to this issue.


 Affected and fixed versions
 ===========================

 	Fixed in 4.9.334 with commit 0c8d4112df329bf3dfbf27693f918c3b08676538
 	Fixed in 4.14.300 with commit 6a818db0d5aecf80d4ba9e10ac153f60adc629ca
 	Fixed in 4.19.267 with commit 3a1c35d72dc0b34d1e746ed705790c0f630aa427
 	Fixed in 5.4.225 with commit b545c0e1e4094d4de2bdfe9a3823f9154b0c0005
 	Fixed in 5.10.156 with commit f59f5a269ca5e43c567aca7f1f52500a0186e9b7
 	Fixed in 5.15.80 with commit 6ffce7a92ef5c68f7e5d6f4d722c2f96280c064b
 	Fixed in 6.0.10 with commit 5398b8e275bf81a2517b327d216c0f37ac9ac5ae
 	Fixed in 6.1 with commit 4fe1ec995483737f3d2a14c3fe1d8fe634972979

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-49771
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/md/dm-ioctl.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/0c8d4112df329bf3dfbf27693f918c3b08676538
 	https://git.kernel.org/stable/c/6a818db0d5aecf80d4ba9e10ac153f60adc629ca
 	https://git.kernel.org/stable/c/3a1c35d72dc0b34d1e746ed705790c0f630aa427
 	https://git.kernel.org/stable/c/b545c0e1e4094d4de2bdfe9a3823f9154b0c0005
 	https://git.kernel.org/stable/c/f59f5a269ca5e43c567aca7f1f52500a0186e9b7
 	https://git.kernel.org/stable/c/6ffce7a92ef5c68f7e5d6f4d722c2f96280c064b
 	https://git.kernel.org/stable/c/5398b8e275bf81a2517b327d216c0f37ac9ac5ae
 	https://git.kernel.org/stable/c/4fe1ec995483737f3d2a14c3fe1d8fe634972979
	From bippy-1.1.0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@kernel.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-49771: dm ioctl: fix misbehavior if list_versions races with module loading

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	dm ioctl: fix misbehavior if list_versions races with module loading

	__list_versions will first estimate the required space using the
	"dm_target_iterate(list_version_get_needed, &needed)" call and then will
	fill the space using the "dm_target_iterate(list_version_get_info,
	&iter_info)" call. Each of these calls locks the targets using the
	"down_read(&_lock)" and "up_read(&_lock)" calls, however between the first
	and second "dm_target_iterate" there is no lock held and the target
	modules can be loaded at this point, so the second "dm_target_iterate"
	call may need more space than what was the first "dm_target_iterate"
	returned.

	The code tries to handle this overflow (see the beginning of
	list_version_get_info), however this handling is incorrect.

	The code sets "param->data_size = param->data_start + needed" and
	"iter_info.end = (char *)vers+len" - "needed" is the size returned by the
	first dm_target_iterate call; "len" is the size of the buffer allocated by
	userspace.

	"len" may be greater than "needed"; in this case, the code will write up
	to "len" bytes into the buffer, however param->data_size is set to
	"needed", so it may write data past the param->data_size value. The ioctl
	interface copies only up to param->data_size into userspace, thus part of
	the result will be truncated.

	Fix this bug by setting "iter_info.end = (char *)vers + needed;" - this
	guarantees that the second "dm_target_iterate" call will write only up to
	the "needed" buffer and it will exit with "DM_BUFFER_FULL_FLAG" if it
	overflows the "needed" space - in this case, userspace will allocate a
	larger buffer and retry.

	Note that there is also a bug in list_version_get_needed - we need to add
	"strlen(tt->name) + 1" to the needed size, not "strlen(tt->name)".

	The Linux kernel CVE team has assigned CVE-2022-49771 to this issue.


	Affected and fixed versions
	===========================

	Fixed in 4.9.334 with commit 0c8d4112df329bf3dfbf27693f918c3b08676538
	Fixed in 4.14.300 with commit 6a818db0d5aecf80d4ba9e10ac153f60adc629ca
	Fixed in 4.19.267 with commit 3a1c35d72dc0b34d1e746ed705790c0f630aa427
	Fixed in 5.4.225 with commit b545c0e1e4094d4de2bdfe9a3823f9154b0c0005
	Fixed in 5.10.156 with commit f59f5a269ca5e43c567aca7f1f52500a0186e9b7
	Fixed in 5.15.80 with commit 6ffce7a92ef5c68f7e5d6f4d722c2f96280c064b
	Fixed in 6.0.10 with commit 5398b8e275bf81a2517b327d216c0f37ac9ac5ae
	Fixed in 6.1 with commit 4fe1ec995483737f3d2a14c3fe1d8fe634972979

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-49771
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/md/dm-ioctl.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/0c8d4112df329bf3dfbf27693f918c3b08676538
	https://git.kernel.org/stable/c/6a818db0d5aecf80d4ba9e10ac153f60adc629ca
	https://git.kernel.org/stable/c/3a1c35d72dc0b34d1e746ed705790c0f630aa427
	https://git.kernel.org/stable/c/b545c0e1e4094d4de2bdfe9a3823f9154b0c0005
	https://git.kernel.org/stable/c/f59f5a269ca5e43c567aca7f1f52500a0186e9b7
	https://git.kernel.org/stable/c/6ffce7a92ef5c68f7e5d6f4d722c2f96280c064b
	https://git.kernel.org/stable/c/5398b8e275bf81a2517b327d216c0f37ac9ac5ae
	https://git.kernel.org/stable/c/4fe1ec995483737f3d2a14c3fe1d8fe634972979