CVE-2022-49674

{"id": "CVE-2022-49674", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 1.8}]}, "published": "2025-02-26T07:01:42.320", "references": [{"url": "https://git.kernel.org/stable/c/332bd0778775d0cf105c4b9e03e460b590749916", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/5e161a8826b63c0b8b43e4a7fad1f956780f42ab", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/6352b2f4d8e95ec0ae576d7705435d64cfa29503", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/90de15357504c8097ab29769dc6852e16281e9e8", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/9bf2b0757b04c78dc5d6e3a198acca98457b32a1", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/bcff98500ea3b4e7615ec31d2bdd326bc1ef5134", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/df1a5ab0dd0775f2ea101c71f2addbc4c0ea0f85", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-125"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm raid: fix accesses beyond end of raid member array\n\nOn dm-raid table load (using raid_ctr), dm-raid allocates an array\nrs->devs[rs->raid_disks] for the raid device members. rs->raid_disks\nis defined by the number of raid metadata and image tupples passed\ninto the target's constructor.\n\nIn the case of RAID layout changes being requested, that number can be\ndifferent from the current number of members for existing raid sets as\ndefined in their superblocks. Example RAID layout changes include:\n- raid1 legs being added/removed\n- raid4/5/6/10 number of stripes changed (stripe reshaping)\n- takeover to higher raid level (e.g. raid5 -> raid6)\n\nWhen accessing array members, rs->raid_disks must be used in control\nloops instead of the potentially larger value in rs->md.raid_disks.\nOtherwise it will cause memory access beyond the end of the rs->devs\narray.\n\nFix this by changing code that is prone to out-of-bounds access.\nAlso fix validate_raid_redundancy() to validate all devices that are\nadded. Also, use braces to help clean up raid_iterate_devices().\n\nThe out-of-bounds memory accesses was discovered using KASAN.\n\nThis commit was verified to pass all LVM2 RAID tests (with KASAN\nenabled)."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: dm raid: se corrigen los accesos m\u00e1s all\u00e1 del final de la matriz de miembros raid Al cargar la tabla dm-raid (usando raid_ctr), dm-raid asigna una matriz rs->devs[rs->raid_disks] para los miembros del dispositivo raid. rs->raid_disks se define por la cantidad de metadatos raid y tuplas de im\u00e1genes pasadas al constructor del objetivo. En el caso de que se soliciten cambios en el dise\u00f1o RAID, ese n\u00famero puede ser diferente del n\u00famero actual de miembros para los conjuntos raid existentes seg\u00fan lo definido en sus superbloques. Los ejemplos de cambios en el dise\u00f1o RAID incluyen: - patas raid1 que se agregan/eliminan - n\u00famero de franjas raid4/5/6/10 cambiado (remodelaci\u00f3n de franjas) - toma de control a un nivel raid m\u00e1s alto (por ejemplo, raid5 -> raid6) Al acceder a los miembros de la matriz, se debe usar rs->raid_disks en bucles de control en lugar del valor potencialmente m\u00e1s grande en rs->md.raid_disks. De lo contrario, se producir\u00e1 un acceso a la memoria m\u00e1s all\u00e1 del final de la matriz rs->devs. Solucione esto modificando el c\u00f3digo que es propenso a accesos fuera de los l\u00edmites. Tambi\u00e9n corrija validation_raid_redundancy() para validar todos los dispositivos que se agregan. Adem\u00e1s, use llaves para ayudar a limpiar raid_iterate_devices(). Los accesos a la memoria fuera de los l\u00edmites se descubrieron utilizando KASAN. Se verific\u00f3 que esta confirmaci\u00f3n pasara todas las pruebas RAID LVM2 (con KASAN habilitado)."}], "lastModified": "2025-10-24T15:51:49.833", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CBFBBF7F-3A45-4578-828E-639EFFEA2165", "versionEndExcluding": "4.14.287"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "83E1438F-F12B-4581-9EF4-B104DAEFFD41", "versionEndExcluding": "4.19.251", "versionStartIncluding": "4.15"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "73056417-5BD5-453F-8EEC-2D5C48185372", "versionEndExcluding": "5.4.204", "versionStartIncluding": "4.20"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DAAE3E52-3C60-40CA-A245-AE5660F45CD8", "versionEndExcluding": "5.10.129", "versionStartIncluding": "5.5"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "70DCF327-F4B6-4CDB-8C9E-98E909E60127", "versionEndExcluding": "5.15.53", "versionStartIncluding": "5.11"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8261A22B-B156-4045-AE8E-AA9E95E7930C", "versionEndExcluding": "5.18.10", "versionStartIncluding": "5.16"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.19:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A8C30C2D-F82D-4D37-AB48-D76ABFBD5377"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.19:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BF8547FC-C849-4F1B-804B-A93AE2F04A92"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.19:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F3068028-F453-4A1C-B80F-3F5609ACEF60"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.19:rc4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2E9C0DB0-D349-489F-A3D6-B77214E93A8A"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}