2347899 – (CVE-2022-49395) CVE-2022-49395 kernel: um: Fix out-of-bounds read in LDT setup

Bug 2347899 (CVE-2022-49395) - CVE-2022-49395 kernel: um: Fix out-of-bounds read in LDT setup

Summary: CVE-2022-49395 kernel: um: Fix out-of-bounds read in LDT setup

Keywords:
Status:	NEW
Alias:	CVE-2022-49395
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2025-02-26 03:10 UTC by OSIDB Bzimport
Modified:	2025-06-12 12:38 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2025:8906	None	None	None	2025-06-11 14:03:44 UTC
Red Hat Product Errata	RHBA-2025:8907	None	None	None	2025-06-11 14:10:18 UTC
Red Hat Product Errata	RHBA-2025:9014	None	None	None	2025-06-12 12:03:30 UTC
Red Hat Product Errata	RHBA-2025:9015	None	None	None	2025-06-12 12:38:11 UTC
Red Hat Product Errata	RHSA-2025:8743	None	None	None	2025-06-10 08:47:44 UTC
Red Hat Product Errata	RHSA-2025:8744	None	None	None	2025-06-10 08:27:33 UTC

Description OSIDB Bzimport 2025-02-26 03:10:38 UTC

In the Linux kernel, the following vulnerability has been resolved:

um: Fix out-of-bounds read in LDT setup

syscall_stub_data() expects the data_count parameter to be the number of
longs, not bytes.

 ==================================================================
 BUG: KASAN: stack-out-of-bounds in syscall_stub_data+0x70/0xe0
 Read of size 128 at addr 000000006411f6f0 by task swapper/1

 CPU: 0 PID: 1 Comm: swapper Not tainted 5.18.0+ #18
 Call Trace:
  show_stack.cold+0x166/0x2a7
  __dump_stack+0x3a/0x43
  dump_stack_lvl+0x1f/0x27
  print_report.cold+0xdb/0xf81
  kasan_report+0x119/0x1f0
  kasan_check_range+0x3a3/0x440
  memcpy+0x52/0x140
  syscall_stub_data+0x70/0xe0
  write_ldt_entry+0xac/0x190
  init_new_ldt+0x515/0x960
  init_new_context+0x2c4/0x4d0
  mm_init.constprop.0+0x5ed/0x760
  mm_alloc+0x118/0x170
  0x60033f48
  do_one_initcall+0x1d7/0x860
  0x60003e7b
  kernel_init+0x6e/0x3d4
  new_thread_handler+0x1e7/0x2c0

 The buggy address belongs to stack of task swapper/1
  and is located at offset 64 in frame:
  init_new_ldt+0x0/0x960

 This frame has 2 objects:
  [32, 40) 'addr'
  [64, 80) 'desc'
 ==================================================================

Comment 1 Avinash Hanwate 2025-02-26 18:54:12 UTC

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025022650-CVE-2022-49395-7419@gregkh/T

Comment 6 errata-xmlrpc 2025-06-10 08:27:32 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:8744 https://access.redhat.com/errata/RHSA-2025:8744

Comment 7 errata-xmlrpc 2025-06-10 08:47:42 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:8743 https://access.redhat.com/errata/RHSA-2025:8743

Note You need to log in before you can comment on or make changes to this bug.