CVE-2022-49771

MEDIUM EPSS 3.1%
Published May 1, 20251y ago · Modified Jun 17, 20262w ago
4.7 CVSS 3.1
Medium
Find Similar
Published May 1, 2025 1y ago
Last Modified Jun 17, 2026 2w ago

Description

In the Linux kernel, the following vulnerability has been resolved: dm ioctl: fix misbehavior if list_versions races with module loading __list_versions will first estimate the required space using the "dm_target_iterate(list_version_get_needed, &needed)" call and then will fill the space using the "dm_target_iterate(list_version_get_info, &iter_info)" call. Each of these calls locks the targets using the "down_read(&_lock)" and "up_read(&_lock)" calls, however between the first and second "dm_target_iterate" there is no lock held and the target modules can be loaded at this point, so the second "dm_target_iterate" call may need more space than what was the first "dm_target_iterate" returned. The code tries to handle this overflow (see the beginning of list_version_get_info), however this handling is incorrect. The code sets "param->data_size = param->data_start + needed" and "iter_info.end = (char *)vers+len" - "needed" is the size returned by the first dm_target_iterate call; "len" is the size of the buffer allocated by userspace. "len" may be greater than "needed"; in this case, the code will write up to "len" bytes into the buffer, however param->data_size is set to "needed", so it may write data past the param->data_size value. The ioctl interface copies only up to param->data_size into userspace, thus part of the result will be truncated. Fix this bug by setting "iter_info.end = (char *)vers + needed;" - this guarantees that the second "dm_target_iterate" call will write only up to the "needed" buffer and it will exit with "DM_BUFFER_FULL_FLAG" if it overflows the "needed" space - in this case, userspace will allocate a larger buffer and retry. Note that there is also a bug in list_version_get_needed - we need to add "strlen(tt->name) + 1" to the needed size, not "strlen(tt->name)".

CVSS Details

Base Score
4.7
Exploitability
1.0
Impact
3.6
Vector string
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector Local
Attack Complexity High
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
3.1% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-362

Affected Products 12

VendorProductVersionRange
linuxlinux_kernel* <4.9.334
linuxlinux_kernel*≥4.10  –  <4.14.300
linuxlinux_kernel*≥4.15  –  <4.19.267
linuxlinux_kernel*≥4.20  –  <5.4.225
linuxlinux_kernel*≥5.5  –  <5.10.156
linuxlinux_kernel*≥5.11  –  <5.15.80
linuxlinux_kernel*≥5.16  –  <6.0.10
linuxlinux_kernel6.1any
linuxlinux_kernel6.1any
linuxlinux_kernel6.1any
linuxlinux_kernel6.1any
linuxlinux_kernel6.1any

References 8

  • git.kernel.org https://git.kernel.org/stable/c/0c8d4112df329bf3dfbf27693f918c3b08676538
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/3a1c35d72dc0b34d1e746ed705790c0f630aa427
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/4fe1ec995483737f3d2a14c3fe1d8fe634972979
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/5398b8e275bf81a2517b327d216c0f37ac9ac5ae
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/6a818db0d5aecf80d4ba9e10ac153f60adc629ca
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/6ffce7a92ef5c68f7e5d6f4d722c2f96280c064b
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/b545c0e1e4094d4de2bdfe9a3823f9154b0c0005
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/f59f5a269ca5e43c567aca7f1f52500a0186e9b7
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/0c8d4112df329bf3dfbf27693f918c3b08676538
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/3a1c35d72dc0b34d1e746ed705790c0f630aa427
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/4fe1ec995483737f3d2a14c3fe1d8fe634972979
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/5398b8e275bf81a2517b327d216c0f37ac9ac5ae
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/6a818db0d5aecf80d4ba9e10ac153f60adc629ca
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/6ffce7a92ef5c68f7e5d6f4d722c2f96280c064b
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/b545c0e1e4094d4de2bdfe9a3823f9154b0c0005
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/f59f5a269ca5e43c567aca7f1f52500a0186e9b7
    Patch