CVE-2022-49674

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2022-49674
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49674.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-49674
Related
Published
2025-02-26T07:01:42Z
Modified
2025-02-26T19:03:48.892381Z
Downstream
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

dm raid: fix accesses beyond end of raid member array

On dm-raid table load (using raidctr), dm-raid allocates an array rs->devs[rs->raiddisks] for the raid device members. rs->raid_disks is defined by the number of raid metadata and image tupples passed into the target's constructor.

In the case of RAID layout changes being requested, that number can be different from the current number of members for existing raid sets as defined in their superblocks. Example RAID layout changes include: - raid1 legs being added/removed - raid4/5/6/10 number of stripes changed (stripe reshaping) - takeover to higher raid level (e.g. raid5 -> raid6)

When accessing array members, rs->raiddisks must be used in control loops instead of the potentially larger value in rs->md.raiddisks. Otherwise it will cause memory access beyond the end of the rs->devs array.

Fix this by changing code that is prone to out-of-bounds access. Also fix validateraidredundancy() to validate all devices that are added. Also, use braces to help clean up raiditeratedevices().

The out-of-bounds memory accesses was discovered using KASAN.

This commit was verified to pass all LVM2 RAID tests (with KASAN enabled).

References

Affected packages

Debian:11 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.10.136-1

Affected versions

5.*

5.10.46-4
5.10.46-5
5.10.70-1~bpo10+1
5.10.70-1
5.10.84-1
5.10.92-1~bpo10+1
5.10.92-1
5.10.92-2
5.10.103-1~bpo10+1
5.10.103-1
5.10.106-1
5.10.113-1
5.10.120-1~bpo10+1
5.10.120-1
5.10.127-1
5.10.127-2~bpo10+1
5.10.127-2

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.18.14-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.18.14-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}