Bug 2348154 (CVE-2022-49122)

Summary: CVE-2022-49122 kernel: dm ioctl: prevent potential spectre v1 gadget
Product: [Other] Security Response
Component: vulnerability
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
Hardware: All
OS: Linux
Keywords: Security
Reporter: OSIDB Bzimport <bzimport>
Assignee: Product Security DevOps Team <prodsec-dev>
CC: dfreiber, drow, jburrell, vkumar
Doc Text:
A vulnerability was found in the Linux kernel's `dm-ioctl` interface in the `lookup_ioctl()` function, which accepts a user-provided `cmd` value and uses it to index the `_ioctls` array directly. This could lead to an out-of-bounds access if the CPU speculatively executes the array access before `cmd` is confirmed as valid, giving an attacker a Spectre v1 gadget to exploit.

Description OSIDB Bzimport 2025-02-26 03:19:30 UTC
In the Linux kernel, the following vulnerability has been resolved:

dm ioctl: prevent potential spectre v1 gadget

It appears like cmd could be a Spectre v1 gadget as it's supplied by a
user and used as an array index. Prevent the contents of kernel memory
from being leaked to userspace via speculative execution by using
array_index_nospec.
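
The pattern described above, as an added userspace model (not the kernel patch and not code from this bug): a bounds-checked table lookup beside the same lookup with the index clamped by a branch-free mask. The `demo_*` names and handlers are hypothetical; the mask arithmetic follows the kernel's generic fallback for `array_index_nospec`.

```c
#include <limits.h>
#include <stddef.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))
#define BITS_PER_LONG (sizeof(long) * CHAR_BIT)

typedef int (*ioctl_fn)(void);

/* Hypothetical handlers standing in for the real dm ioctl table. */
static int demo_version(void) { return 10; }
static int demo_list(void)    { return 20; }
static int demo_create(void)  { return 30; }
static const ioctl_fn demo_ioctls[] = { demo_version, demo_list, demo_create };

/* All-ones when index < size, zero otherwise, computed without a branch so
 * there is no prediction to get wrong. Assumes size <= LONG_MAX and an
 * arithmetic right shift of negative values (true for gcc and clang). */
static unsigned long index_mask_nospec(unsigned long index, unsigned long size)
{
    /* Keep the compiler from turning the arithmetic back into a branch. */
    __asm__ volatile("" : "+r"(index));
    return (unsigned long)(~(long)(index | (size - 1UL - index))
                           >> (BITS_PER_LONG - 1));
}

/* Before: the bounds check is a conditional branch the CPU can mispredict,
 * so the table load may execute speculatively with an out-of-range cmd. */
static ioctl_fn lookup_unhardened(unsigned int cmd)
{
    if (cmd >= ARRAY_SIZE(demo_ioctls))
        return NULL;
    return demo_ioctls[cmd];
}

/* After: cmd is also clamped by data flow, so a mis-speculated path can
 * only ever load demo_ioctls[0]. */
static ioctl_fn lookup_hardened(unsigned int cmd)
{
    if (cmd >= ARRAY_SIZE(demo_ioctls))
        return NULL;
    cmd = (unsigned int)(cmd & index_mask_nospec(cmd, ARRAY_SIZE(demo_ioctls)));
    return demo_ioctls[cmd];
}

int main(void)
{
    /* Both forms agree architecturally; they differ only under speculation. */
    return lookup_hardened(2) == lookup_unhardened(2) && !lookup_hardened(3) ? 0 : 1;
}
```

The two lookups return identical results for every input, which is why this class of issue is found by code review or static analysis of user-controlled indices rather than by functional testing.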

Comment 1 Avinash Hanwate 2025-02-26 13:53:50 UTC
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025022604-CVE-2022-49122-b139@gregkh/T

Comment 4 Avinash Hanwate 2025-02-26 18:12:00 UTC
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025022604-CVE-2022-49122-b139@gregkh/T

Comment 8 errata-xmlrpc 2025-07-01 00:38:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support

Via RHSA-2025:10005 https://access.redhat.com/errata/RHSA-2025:10005

Comment 9 errata-xmlrpc 2025-07-01 01:03:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2025:10009 https://access.redhat.com/errata/RHSA-2025:10009

Comment 10 errata-xmlrpc 2025-07-02 04:37:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support

Via RHSA-2025:10179 https://access.redhat.com/errata/RHSA-2025:10179

Comment 11 errata-xmlrpc 2025-07-14 00:18:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2025:10829 https://access.redhat.com/errata/RHSA-2025:10829

Comment 12 errata-xmlrpc 2025-07-14 00:22:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2025:10830 https://access.redhat.com/errata/RHSA-2025:10830