CVE-2022-49674
Published: 26 February 2025
Description
In the Linux kernel, the following vulnerability has been resolved:

dm raid: fix accesses beyond end of raid member array

On dm-raid table load (using raid_ctr), dm-raid allocates an array rs->devs[rs->raid_disks] for the raid device members. rs->raid_disks is defined by the number of raid metadata and image tuples passed into the target's constructor. In the case of RAID layout changes being requested, that number can be different from the current number of members for existing raid sets as defined in their superblocks.

Example RAID layout changes include:
- raid1 legs being added/removed
- raid4/5/6/10 number of stripes changed (stripe reshaping)
- takeover to higher raid level (e.g. raid5 -> raid6)

When accessing array members, rs->raid_disks must be used in control loops instead of the potentially larger value in rs->md.raid_disks. Otherwise it will cause memory access beyond the end of the rs->devs array. Fix this by changing code that is prone to out-of-bounds access. Also fix validate_raid_redundancy() to validate all devices that are added. Also, use braces to help clean up raid_iterate_devices().

The out-of-bounds memory accesses were discovered using KASAN. This commit was verified to pass all LVM2 RAID tests (with KASAN enabled).
Security Summary
CVE-2022-49674 is an out-of-bounds memory access in the Linux kernel's device-mapper RAID (dm-raid) target. When a table is loaded through the raid_ctr constructor, dm-raid allocates rs->devs with exactly rs->raid_disks entries, where rs->raid_disks is the number of metadata/image tuples the new table supplies. For an existing RAID set whose layout is being changed (adding or removing RAID1 legs, reshaping the stripe count of a RAID4/5/6/10 set, or taking over to a higher level such as raid5 to raid6), the superblock-derived member count in rs->md.raid_disks can be larger than that. Several control loops used rs->md.raid_disks as their bound, so they indexed rs->devs past its end. The issue is classified as CWE-125 (Out-of-bounds Read) and was found with KASAN.
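The following userspace C model is an added illustration, not code from the kernel or from this advisory. It reproduces the bound mix-up described above: rs->devs is sized by the constructor's tuple count (rs->raid_disks) while the superblock-derived rs->md.raid_disks can be larger when, for example, a RAID1 leg is being removed. Only the field names raid_disks, md.raid_disks and devs mirror the kernel's struct raid_set; every other name, the DEV_ACTIVE/POISON values and the redzone are assumptions of the model. The poisoned redzone stands in for KASAN so the pre-fix loop bound can be observed without undefined behaviour.

```c
#include <stdio.h>
#include <stdlib.h>

#define REDZONE    2       /* poisoned slots allocated after the real array (model only) */
#define POISON     0x5a    /* marker stored in the redzone (assumed value) */
#define DEV_ACTIVE 0x01    /* assumed flag for a populated member slot */

/* Stand-in for a raid member slot (assumed layout). */
struct raid_dev { int flags; };

/* Only raid_disks, md.raid_disks and devs mirror the kernel's struct raid_set. */
struct raid_set {
    unsigned int raid_disks;                 /* #metadata/image tuples given to raid_ctr */
    struct { unsigned int raid_disks; } md;  /* member count read from the superblock */
    struct raid_dev *devs;                   /* the kernel allocates exactly raid_disks entries */
};

/* Model of the table-load allocation. ctr_disks is what the new table passed,
 * sb_disks is what the existing set's superblock records; they differ when a
 * layout change (leg add/remove, reshape, takeover) is requested. */
static struct raid_set *rs_alloc(unsigned int ctr_disks, unsigned int sb_disks)
{
    struct raid_set *rs = calloc(1, sizeof *rs);
    if (!rs)
        return NULL;
    rs->raid_disks = ctr_disks;
    rs->md.raid_disks = sb_disks;
    /* Over-allocate a poisoned redzone so a bad loop bound can be observed
     * without undefined behaviour; this plays the role KASAN played upstream. */
    rs->devs = calloc(ctr_disks + REDZONE, sizeof *rs->devs);
    if (!rs->devs) {
        free(rs);
        return NULL;
    }
    for (unsigned int i = 0; i < ctr_disks; i++)
        rs->devs[i].flags = DEV_ACTIVE;
    for (unsigned int i = ctr_disks; i < ctr_disks + REDZONE; i++)
        rs->devs[i].flags = POISON;
    return rs;
}

static void rs_free(struct raid_set *rs)
{
    if (rs) {
        free(rs->devs);
        free(rs);
    }
}

/* Walk rs->devs[] up to 'bound', the way the member-iterating loops do.
 * Returns the number of active members; *oob receives how many iterations
 * landed past the real array (redzone hits plus anything beyond the redzone). */
static unsigned int walk_devs(const struct raid_set *rs, unsigned int bound,
                              unsigned int *oob)
{
    unsigned int active = 0;

    *oob = 0;
    for (unsigned int i = 0; i < bound; i++) {
        if (i >= rs->raid_disks + REDZONE) { /* would be a wild read in the kernel */
            (*oob)++;
            continue;
        }
        if (rs->devs[i].flags == POISON) {   /* read from the redzone: the bug */
            (*oob)++;
            continue;
        }
        if (rs->devs[i].flags & DEV_ACTIVE)
            active++;
    }
    return active;
}

/* Pre-fix pattern: loop bounded by the superblock/md view. */
static unsigned int walk_buggy(const struct raid_set *rs, unsigned int *oob)
{
    return walk_devs(rs, rs->md.raid_disks, oob);
}

/* Post-fix pattern: loop bounded by the allocation size. */
static unsigned int walk_fixed(const struct raid_set *rs, unsigned int *oob)
{
    return walk_devs(rs, rs->raid_disks, oob);
}

/* Number of slots touched past rs->devs for a given scenario. */
unsigned int oob_slots(unsigned int ctr_disks, unsigned int sb_disks, int use_fix)
{
    unsigned int oob = 0;
    struct raid_set *rs = rs_alloc(ctr_disks, sb_disks);

    if (!rs)
        return (unsigned int)-1;
    if (use_fix)
        walk_fixed(rs, &oob);
    else
        walk_buggy(rs, &oob);
    rs_free(rs);
    return oob;
}

int main(void)
{
    /* Leg removal: superblock says 3 members, the new table passes 2 tuples. */
    printf("raid1 3->2 legs, md bound:  %u slot(s) past rs->devs\n", oob_slots(2, 3, 0));
    printf("raid1 3->2 legs, rs bound:  %u slot(s) past rs->devs\n", oob_slots(2, 3, 1));
    /* Growing the set: the constructor value is the larger one, so no overrun. */
    printf("raid5 4->5 disks, md bound: %u slot(s) past rs->devs\n", oob_slots(5, 4, 0));
    return 0;
}
```

The shrink case is the one that overruns: the table passes fewer tuples than the superblock records, so any loop bounded by rs->md.raid_disks walks into memory that was never part of rs->devs. Bounding by rs->raid_disks, as the fix does, makes the loop agree with the allocation regardless of which direction the layout change goes.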
The CVSS v3.1 base score is 7.1 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H): a local, low-privileged attacker (AV:L, PR:L) needs neither a complex setup (AC:L) nor user interaction (UI:N), and the out-of-bounds access is rated as high-impact information disclosure (C:H, kernel memory read past the array) and high-impact availability loss (A:H, a kernel crash), with no integrity impact (I:N). A practical caveat on reachability: the affected loops only run when a dm-raid table load requests a layout change (leg add/remove, stripe reshape or level takeover), and device-mapper table loads go through the DM control ioctl, which the kernel restricts to CAP_SYS_ADMIN. Triggering the bug therefore takes root or an equivalently privileged management tool (LVM2's lvconvert, for example) performing one of those operations on a dm-raid set.
Mitigation is to run a kernel that carries the fix; the stable-branch backports are identified by the referenced commits 332bd0778775d0cf105c4b9e03e460b590749916, 5e161a8826b63c0b8b43e4a7fad1f956780f42ab, 6352b2f4d8e95ec0ae576d7705435d64cfa29503, 90de15357504c8097ab29769dc6852e16281e9e8 and 9bf2b0757b04c78dc5d6e3a198acca98457b32a1. The fix bounds the affected control loops by rs->raid_disks instead of rs->md.raid_disks, makes validate_raid_redundancy() check every device that is being added, and adds braces in raid_iterate_devices() for readability; the patched code was verified against the full LVM2 RAID test suite with KASAN enabled.
Details
- CWE(s)