PT-2026-51953 · Linux · Linux
Published 2026-06-24 · Updated 2026-06-24
CVE-2026-53059
Severity: None
No severity ratings or metrics are available. When they become available, the corresponding information on this page will be updated.
In the Linux kernel, the following vulnerability has been resolved:
dm log: fix out-of-bounds write due to region count overflow
The local variable region_count in create_log_context() is declared as
unsigned int (32-bit), but dm_sector_div_up() returns sector_t (64-bit).
When a device-mapper target has a sufficiently large ti->len with a small
region size, the division result can exceed UINT_MAX. The truncated
value is then used to calculate bitset_size, causing clean_bits,
sync_bits, and recovering_bits to be allocated far smaller than needed
for the actual number of regions.
Subsequent log operations (log_set_bit, log_clear_bit, log_test_bit) use
region indices derived from the full untruncated region space, causing
out-of-bounds writes to kernel heap memory allocated by vmalloc.
This can be reproduced by creating a mirror target whose region count
overflows 32 bits:
    dmsetup create bigzero --table '0 8589934594 zero'
    dmsetup create mymirror --table '0 8589934594 mirror
        core 2 2 nosync 2 /dev/mapper/bigzero 0
        /dev/mapper/bigzero 0'
The status output confirms the truncation (sync_count=1 instead of
4294967297, because 0x100000001 was truncated to 1):
    $ dmsetup status mymirror
    0 8589934594 mirror 2 254:1 254:1 1/4294967297 ...
This leads to a kernel crash in core_in_sync:
    BUG: scheduling while atomic: (udev-worker)/9150/0x00000000
    RIP: 0010:core_in_sync+0x14/0x30 [dm_log]
    CR2: 0000000000000008
    Fixing recursive fault but reboot is needed!
Fix by widening the local region_count to sector_t and adding an
explicit overflow check before the value is assigned to lc->region_count.
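The following C program is an added illustration of the defect class and of the fix pattern described above; it is not the kernel's dm-log code. The types and helper names (sector_t stand-in, sector_div_up, region_count_truncated, bitset_bits, bit_in_bounds, region_count_checked) are constructed for this example, and the bitset sizing is a simplification of what the kernel does. It uses the advisory's own values (a 8589934594-sector target with a 2-sector region size) to show the 64-bit quotient 0x100000001 collapsing to 1 when stored in a 32-bit local, the resulting under-sized bitset, and the explicit range check that rejects the count before it is narrowed.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the kernel's sector_t (constructed for this example). */
typedef uint64_t sector_t;

/* Round-up division with a 64-bit result, as dm_sector_div_up() has. */
static sector_t sector_div_up(sector_t len, sector_t region_size)
{
    return (len + region_size - 1) / region_size;
}

/* Pre-fix pattern: the 64-bit quotient lands in a 32-bit local, so any
 * count above UINT_MAX wraps silently (0x100000001 becomes 1). */
static unsigned int region_count_truncated(sector_t len, sector_t region_size)
{
    unsigned int region_count = (unsigned int)sector_div_up(len, region_size);
    return region_count;
}

/* Simplified bitset sizing: one bit per region, rounded up to whole
 * 32-bit words. The kernel rounds differently in detail; what matters
 * is that the allocation is derived from the (possibly wrapped) count. */
static uint64_t bitset_bits(unsigned int region_count)
{
    return ((uint64_t)region_count + 31) / 32 * 32;
}

/* A set/clear/test on region index `region` stays in bounds only if the
 * index is below the number of bits actually allocated. */
static int bit_in_bounds(uint64_t region, uint64_t allocated_bits)
{
    return region < allocated_bits;
}

/* Post-fix pattern: keep the count in sector_t and reject it explicitly
 * before it is narrowed into the 32-bit field. Returns 0 on success,
 * -1 on overflow (the kernel would return -EINVAL). */
static int region_count_checked(sector_t len, sector_t region_size,
                                unsigned int *out)
{
    sector_t region_count = sector_div_up(len, region_size);

    if (region_count > UINT_MAX)
        return -1;
    *out = (unsigned int)region_count;
    return 0;
}

/* Convenience wrapper: the accepted count, or -1 when rejected. */
static long long checked_count_or_neg(sector_t len, sector_t region_size)
{
    unsigned int rc;

    if (region_count_checked(len, region_size, &rc) != 0)
        return -1;
    return (long long)rc;
}

int main(void)
{
    /* Values from the advisory's reproduction: 8589934594 sectors with a
     * 2-sector region size gives 4294967297 (0x100000001) regions. */
    const sector_t len = 8589934594ULL, region_size = 2;
    sector_t real = sector_div_up(len, region_size);
    unsigned int truncated = region_count_truncated(len, region_size);
    uint64_t bits = bitset_bits(truncated);

    printf("real regions: %llu, truncated: %u, bitset bits: %llu\n",
           (unsigned long long)real, truncated, (unsigned long long)bits);
    printf("last region %llu in bounds? %s\n", (unsigned long long)(real - 1),
           bit_in_bounds(real - 1, bits) ? "yes" : "no");
    printf("checked count: %lld\n", checked_count_or_neg(len, region_size));
    return 0;
}
```

The check belongs at the single point where the 64-bit value is narrowed; widening the local alone would only move the truncation to the assignment into the 32-bit lc->region_count field, which is why the fix pairs the wider type with an explicit comparison against UINT_MAX.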
Related identifiers
Affected products
Linux