Ming-Hung Tsai

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.74 **Description** A vulnerability in the Linux kernel has been resolved, specifically in the dm array, where a faulty array block could be released twice in dm array cursor end. This occurs when dm bm read lock() fails due to locking or checksum errors, releasing the faulty block implicitly while leaving an invalid output pointer behind. The caller of dm bm read lock() should not operate on this invalid dm block pointer, or it will lead to undefined results. For example, the dm array cursor incorrectly caches the invalid pointer on reading a faulty array block, causing a double release in dm array cursor end(), then hitting the BUG ON in dm-bufio cache put(). The issue can be reproduced by initializing a cache device, wiping the second array block offline, and then trying to reopen the cache device. Kernel logs show errors such as device-mapper: array: array block check failed and kernel BUG at drivers/md/dm-bufio.c:638. The fix involves setting the cached block pointer to NULL on errors. **Recommendations** To resolve the issue, update the Linux kernel to version 6.6.74 or later. As a temporary workaround, consider disabling the `dm array cursor end()` function until a patch is available. Restrict access to the vulnerable `dm bm read lock()` function to minimize the risk of exploitation. Avoid using the `dm block` pointer in the affected API endpoint until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified) Description: The issue is related to an out-of-bounds access to the dirty bitset when resizing in the dm-cache. This occurs because an index bug in bitset iteration causes the out-of-bounds access when shrinking the fast device. The problem can be reproduced by creating a cache device and then shrinking the fast device to a smaller size, triggering the out-of-bounds access. Technical details include the `cache preresume` function and the `cache ctr` function, which are involved in the bug. The `dmsetup` command is used to create and manage the cache device. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified) Description: The issue is related to the `dm cache` component of the Linux kernel, specifically with the `flush work()` function. It may cause an unexpected `WARN ON` when cache creation fails due to the destruction of an uninitialized `delayed work` waker in the error path of `cache create()`. This can occur, for example, on a superblock checksum error. The problem is associated with the use of memory after it has been freed, which could potentially allow an attacker to cause a denial of service. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified) Description: The issue is related to a potential out-of-bounds access in the Linux kernel's dm-cache component. This occurs when the fast device is expanded unexpectedly before the first-time resume of the cache table, leading to inadequate in-core data structures. The problem arises because expanding the fast device requires reloading the cache table for cache create to allocate new in-core data structures that fit the new size, and the check in cache preresume is not performed during the first resume. No information is provided about the estimated number of potentially affected devices or real-world incidents where this issue was exploited. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.