We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2022-50084

dm raid: fix address sanitizer warning in raid_status



Description

In the Linux kernel, the following vulnerability has been resolved: dm raid: fix address sanitizer warning in raid_status There is this warning when using a kernel with the address sanitizer and running this testsuite: https://gitlab.com/cki-project/kernel-tests/-/tree/main/storage/swraid/scsi_raid ================================================================== BUG: KASAN: slab-out-of-bounds in raid_status+0x1747/0x2820 [dm_raid] Read of size 4 at addr ffff888079d2c7e8 by task lvcreate/13319 CPU: 0 PID: 13319 Comm: lvcreate Not tainted 5.18.0-0.rc3.<snip> #1 Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011 Call Trace: <TASK> dump_stack_lvl+0x6a/0x9c print_address_description.constprop.0+0x1f/0x1e0 print_report.cold+0x55/0x244 kasan_report+0xc9/0x100 raid_status+0x1747/0x2820 [dm_raid] dm_ima_measure_on_table_load+0x4b8/0xca0 [dm_mod] table_load+0x35c/0x630 [dm_mod] ctl_ioctl+0x411/0x630 [dm_mod] dm_ctl_ioctl+0xa/0x10 [dm_mod] __x64_sys_ioctl+0x12a/0x1a0 do_syscall_64+0x5b/0x80 The warning is caused by reading conf->max_nr_stripes in raid_status. The code in raid_status reads mddev->private, casts it to struct r5conf and reads the entry max_nr_stripes. However, if we have different raid type than 4/5/6, mddev->private doesn't point to struct r5conf; it may point to struct r0conf, struct r1conf, struct r10conf or struct mpconf. If we cast a pointer to one of these structs to struct r5conf, we will be reading invalid memory and KASAN warns about it. Fix this bug by reading struct r5conf only if raid type is 4, 5 or 6.

Reserved 2025-06-18 | Published 2025-06-18 | Updated 2025-06-18 | Assigner Linux

Product status

Default status
unaffected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before 1ae0ebfb576b72c2ef400917a5484ebe7892d80b
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before 90b006da40dd42285b24dd3c940d2c32aca9a70b
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before b856ce5f4b55f752144baf17e9d5c415072652c5
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before cb583ca6125ac64c98e9d65128e95ebb5be7d322
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before 49dba30638e091120256a9e89125340795f034dc
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before 4c233811a49578634d10a5e70a9dfa569d451e94
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before d8971b595d7adac3421c21f59918241f1574061e
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before b4c6c07c92b6cba2bf3cb2dfa722debeaf8a8abe
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before 1fbeea217d8f297fe0e0956a1516d14ba97d0396
affected

Default status
affected

4.9.326
unaffected

4.14.291
unaffected

4.19.256
unaffected

5.4.211
unaffected

5.10.137
unaffected

5.15.61
unaffected

5.18.18
unaffected

5.19.2
unaffected

6.0
unaffected

References

git.kernel.org/...c/1ae0ebfb576b72c2ef400917a5484ebe7892d80b

git.kernel.org/...c/90b006da40dd42285b24dd3c940d2c32aca9a70b

git.kernel.org/...c/b856ce5f4b55f752144baf17e9d5c415072652c5

git.kernel.org/...c/cb583ca6125ac64c98e9d65128e95ebb5be7d322

git.kernel.org/...c/49dba30638e091120256a9e89125340795f034dc

git.kernel.org/...c/4c233811a49578634d10a5e70a9dfa569d451e94

git.kernel.org/...c/d8971b595d7adac3421c21f59918241f1574061e

git.kernel.org/...c/b4c6c07c92b6cba2bf3cb2dfa722debeaf8a8abe

git.kernel.org/...c/1fbeea217d8f297fe0e0956a1516d14ba97d0396

cve.org (CVE-2022-50084)

nvd.nist.gov (CVE-2022-50084)

Download JSON

Share this page
https://cve.threatint.eu/CVE/CVE-2022-50084

Support options

Helpdesk Chat, Email, Knowledgebase
© Copyright 2025 THREATINT
Made in Cyprus with +
 System status
Find us on
Data Privacy
Terms of Use
Logo BSI Allianz für Cyber-Sicherheit
Error loading Crisp.chat. Please check your web content filter and browser plugins.