Bug 2347899 (CVE-2022-49395)

Summary: CVE-2022-49395 kernel: um: Fix out-of-bounds read in LDT setup
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: dfreiber, drow, jburrell, vkumar
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in the Linux kernel's user mode (um) subsystem, specifically within the Local Descriptor Table (LDT) setup functionality. The issue arises from the syscall_stub_data() function misinterpreting the data_count parameter as a byte count rather than a count of longs, leading to an out-of-bounds read. This flaw could expose sensitive kernel memory and cause system instability.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2025-02-26 03:10:38 UTC 
In the Linux kernel, the following vulnerability has been resolved:

um: Fix out-of-bounds read in LDT setup

syscall_stub_data() expects the data_count parameter to be the number of
longs, not bytes.

 ==================================================================
 BUG: KASAN: stack-out-of-bounds in syscall_stub_data+0x70/0xe0
 Read of size 128 at addr 000000006411f6f0 by task swapper/1

 CPU: 0 PID: 1 Comm: swapper Not tainted 5.18.0+ #18
 Call Trace:
  show_stack.cold+0x166/0x2a7
  __dump_stack+0x3a/0x43
  dump_stack_lvl+0x1f/0x27
  print_report.cold+0xdb/0xf81
  kasan_report+0x119/0x1f0
  kasan_check_range+0x3a3/0x440
  memcpy+0x52/0x140
  syscall_stub_data+0x70/0xe0
  write_ldt_entry+0xac/0x190
  init_new_ldt+0x515/0x960
  init_new_context+0x2c4/0x4d0
  mm_init.constprop.0+0x5ed/0x760
  mm_alloc+0x118/0x170
  0x60033f48
  do_one_initcall+0x1d7/0x860
  0x60003e7b
  kernel_init+0x6e/0x3d4
  new_thread_handler+0x1e7/0x2c0

 The buggy address belongs to stack of task swapper/1
  and is located at offset 64 in frame:
  init_new_ldt+0x0/0x960

 This frame has 2 objects:
  [32, 40) 'addr'
  [64, 80) 'desc'
 ==================================================================
Comment 1 Avinash Hanwate 2025-02-26 18:54:12 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025022650-CVE-2022-49395-7419@gregkh/T
Comment 6 errata-xmlrpc 2025-06-10 08:27:32 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:8744 https://access.redhat.com/errata/RHSA-2025:8744
Comment 7 errata-xmlrpc 2025-06-10 08:47:42 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:8743 https://access.redhat.com/errata/RHSA-2025:8743
Comment 10 errata-xmlrpc 2025-07-02 04:37:07 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support

Via RHSA-2025:10179 https://access.redhat.com/errata/RHSA-2025:10179
Comment 11 errata-xmlrpc 2025-07-02 13:25:59 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.8 Telecommunications Update Service

Via RHSA-2025:10211 https://access.redhat.com/errata/RHSA-2025:10211
Comment 13 errata-xmlrpc 2025-07-07 19:09:13 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2025:10527 https://access.redhat.com/errata/RHSA-2025:10527
Comment 16 errata-xmlrpc 2025-07-14 00:18:13 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2025:10829 https://access.redhat.com/errata/RHSA-2025:10829
Comment 17 errata-xmlrpc 2025-07-14 00:22:07 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2025:10830 https://access.redhat.com/errata/RHSA-2025:10830
Comment 18 errata-xmlrpc 2025-07-14 00:22:38 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Extended Update Support EXTENSION

Via RHSA-2025:10828 https://access.redhat.com/errata/RHSA-2025:10828
Comment 19 errata-xmlrpc 2025-07-15 00:33:03 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2025:11045 https://access.redhat.com/errata/RHSA-2025:11045
Comment 20 errata-xmlrpc 2025-07-23 00:22:55 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2025:11570 https://access.redhat.com/errata/RHSA-2025:11570
Comment 22 errata-xmlrpc 2025-08-06 07:51:20 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2025:13135 https://access.redhat.com/errata/RHSA-2025:13135