PT-2025-18488 · Linux+2 · Linux Kernel+2

Published: 2022-11-01 · Updated: 2025-07-10 · CVE-2022-49771

CVSS v3.1: 4.7 (Medium)

Vector: AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

Linux kernel (affected versions not specified)

Description

A bug in the Linux kernel's dm ioctl has been resolved. The issue occurs when the list_versions function estimates the required space using the dm_target_iterate(list_version_get_needed, &needed) call and then fills the space using the dm_target_iterate(list_version_get_info, &iter_info) call. However, between these two calls, there is no lock held, and target modules can be loaded, potentially causing the second dm_target_iterate call to need more space than initially estimated. The code attempts to handle this overflow but does so incorrectly, potentially leading to data being written past the param->data_size value. This can cause part of the result to be truncated when copied into userspace. The estimated number of potentially affected devices worldwide is not available. There is no information about real-world incidents where this issue was exploited.

Recommendations

To resolve this issue, update the Linux kernel to a version that includes the fix for this bug. Specifically, the fix involves setting iter_info.end = (char *)vers + needed; to guarantee that the second dm_target_iterate call will write only up to the needed buffer and exit with DM_BUFFER_FULL_FLAG if it overflows the needed space. As a temporary workaround, consider restricting access to the vulnerable dm ioctl interface until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
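
The size-then-fill pattern from the description, reduced to a userspace C model (an added example, not kernel code and not the project's patch). The target names are constructed, BUFFER_FULL stands in for DM_BUFFER_FULL_FLAG, and bounding the unfixed fill by the whole caller buffer is an assumption about the original code.

```c
#include <stdio.h>
#include <string.h>
#define BUFFER_FULL 1            /* stands in for DM_BUFFER_FULL_FLAG */

struct fill_ctx { char *pos, *end; int flags; };
struct result { size_t reported, written; int flags; };

/* Pass 1: space for every name plus its NUL (the "needed" estimate). */
static size_t space_needed(const char *const *names, size_t n)
{
    size_t total = 0;
    for (size_t i = 0; i < n; i++)
        total += strlen(names[i]) + 1;
    return total;
}

/* Pass 2: copy names, stopping with BUFFER_FULL once ctx->end is reached. */
static void fill(struct fill_ctx *ctx, const char *const *names, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        size_t sz = strlen(names[i]) + 1;
        if ((size_t)(ctx->end - ctx->pos) < sz) {
            ctx->flags |= BUFFER_FULL;
            return;
        }
        memcpy(ctx->pos, names[i], sz);
        ctx->pos += sz;
    }
}

/* Size against `before`, fill against `after`: a target appeared in between. */
static struct result list_model(int fixed)
{
    static const char *const before[] = { "linear", "striped" };          /* constructed */
    static const char *const after[]  = { "linear", "striped", "crypt" }; /* constructed */
    char buf[64];                               /* caller's buffer, larger than needed */
    size_t needed = space_needed(before, 2);    /* becomes the reported data size */
    struct fill_ctx ctx = { buf, fixed ? buf + needed : buf + sizeof(buf), 0 };
    fill(&ctx, after, 3);
    return (struct result){ needed, (size_t)(ctx.pos - buf), ctx.flags };
}

int main(void)
{
    for (int fixed = 0; fixed <= 1; fixed++) {
        struct result r = list_model(fixed);
        printf("fixed=%d reported=%zu written=%zu full=%d\n", fixed, r.reported, r.written, r.flags & BUFFER_FULL);
    }
    return 0;
}
```

In the unfixed mode 21 bytes are written while only 15 are reported, so the last entry is silently dropped from what is copied out; in the fixed mode the fill stops at 15 bytes and raises the flag so the caller knows to retry.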

Exploit

Allocation of Resources Without Limits

Race Condition

Weakness Enumeration

Related Identifiers

BDU:2026-03269
CVE-2022-49771
OESA-2025-1513
SUSE-SU-2025:01918-1
SUSE-SU-2025:01966-1
SUSE-SU-2025:01982-1
SUSE-SU-2025:01983-1
SUSE-SU-2025:01995-1
SUSE-SU-2025:02173-1
SUSE-SU-2025:02262-1
SUSE-SU-2025:2173-1
SUSE-SU-2025_01982-1
SUSE-SU-2025_01983-1
SUSE-SU-2025_02173-1
SUSE-SU-2025_02262-1

Affected Products

Astra Linux
Linux Kernel
Suse