CVE-2022-49771 Information

May 02, 2025 cve

Description

In the Linux kernel the following vulnerability has been resolved:

dm ioctl: fix misbehavior if list_versions races with module loading

__list_versions will first estimate the required space using the \dm_target_iterate(list_version_get_needed &needed)\ call and then will fill the space using the \dm_target_iterate(list_version_get_info &iter_info)\ call. Each of these calls locks the targets using the \down_read(&_lock)\ and �p_read(&_lock)\ calls however between the first and second \dm_target_iterate\ there is no lock held and the target modules can be loaded at this point so the second \dm_target_iterate\ncall may need more space than what was the first \dm_target_iterate\nreturned.

The code tries to handle this overflow (see the beginning of list_version_get_info) however this handling is incorrect.

The code sets \param->data_size = param->data_start + needed\ and \iter_info.end = (char )vers+len\ - eeded\ is the size returned by the first dm_target_iterate call; \len\ is the size of the buffer allocated by userspace.

\len\ may be greater than eeded; in this case the code will write up to \len\ bytes into the buffer however param->data_size is set to

eeded\ so it may write data past the param->data_size value. The ioctl interface copies only up to param->data_size into userspace thus part of the result will be truncated.

Fix this bug by setting \iter_info.end = (char )vers + needed;\ - this guarantees that the second \dm_target_iterate\ call will write only up to the eeded\ buffer and it will exit with \DM_BUFFER_FULL_FLAG\ if it overflows the eeded\ space - in this case userspace will allocate a larger buffer and retry.

Note that there is also a bug in list_version_get_needed - we need to add \strlen(tt->name) + 1\ to the needed size not \strlen(tt->name).

Reference

Share on: