7.1

CVE-2022-50084

dm raid: fix address sanitizer warning in raid_status

In the Linux kernel, the following vulnerability has been resolved:

dm raid: fix address sanitizer warning in raid_status

There is this warning when using a kernel with the address sanitizer
and running this testsuite:
https://gitlab.com/cki-project/kernel-tests/-/tree/main/storage/swraid/scsi_raid

==================================================================
BUG: KASAN: slab-out-of-bounds in raid_status+0x1747/0x2820 [dm_raid]
Read of size 4 at addr ffff888079d2c7e8 by task lvcreate/13319
CPU: 0 PID: 13319 Comm: lvcreate Not tainted 5.18.0-0.rc3.<snip> #1
Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
Call Trace:
 <TASK>
 dump_stack_lvl+0x6a/0x9c
 print_address_description.constprop.0+0x1f/0x1e0
 print_report.cold+0x55/0x244
 kasan_report+0xc9/0x100
 raid_status+0x1747/0x2820 [dm_raid]
 dm_ima_measure_on_table_load+0x4b8/0xca0 [dm_mod]
 table_load+0x35c/0x630 [dm_mod]
 ctl_ioctl+0x411/0x630 [dm_mod]
 dm_ctl_ioctl+0xa/0x10 [dm_mod]
 __x64_sys_ioctl+0x12a/0x1a0
 do_syscall_64+0x5b/0x80

The warning is caused by reading conf->max_nr_stripes in raid_status. The
code in raid_status reads mddev->private, casts it to struct r5conf and
reads the entry max_nr_stripes.

However, if we have different raid type than 4/5/6, mddev->private
doesn't point to struct r5conf; it may point to struct r0conf, struct
r1conf, struct r10conf or struct mpconf. If we cast a pointer to one
of these structs to struct r5conf, we will be reading invalid memory
and KASAN warns about it.

Fix this bug by reading struct r5conf only if raid type is 4, 5 or 6.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LinuxLinux Kernel Version < 4.9.326
LinuxLinux Kernel Version >= 4.10 < 4.14.291
LinuxLinux Kernel Version >= 4.15 < 4.19.256
LinuxLinux Kernel Version >= 4.20 < 5.4.211
LinuxLinux Kernel Version >= 5.5 < 5.10.137
LinuxLinux Kernel Version >= 5.11 < 5.15.61
LinuxLinux Kernel Version >= 5.16 < 5.18.18
LinuxLinux Kernel Version >= 5.19 < 5.19.2
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.17% 0.064
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.1 1.8 5.2
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
CWE-125 Out-of-bounds Read

The product reads data past the end, or before the beginning, of the intended buffer.

https://git.kernel.org/stable/c/1ae0ebfb576b72c2ef400917a5484ebe7892d80b
Patch
https://git.kernel.org/stable/c/90b006da40dd42285b24dd3c940d2c32aca9a70b
Patch
https://git.kernel.org/stable/c/b856ce5f4b55f752144baf17e9d5c415072652c5
Patch
https://git.kernel.org/stable/c/cb583ca6125ac64c98e9d65128e95ebb5be7d322
Patch
https://git.kernel.org/stable/c/49dba30638e091120256a9e89125340795f034dc
Patch
https://git.kernel.org/stable/c/4c233811a49578634d10a5e70a9dfa569d451e94
Patch
https://git.kernel.org/stable/c/d8971b595d7adac3421c21f59918241f1574061e
Patch
https://git.kernel.org/stable/c/b4c6c07c92b6cba2bf3cb2dfa722debeaf8a8abe
Patch
https://git.kernel.org/stable/c/1fbeea217d8f297fe0e0956a1516d14ba97d0396
Patch