Bug 2347967 (CVE-2022-49674) - CVE-2022-49674 kernel: Linux kernel: Device Mapper RAID out-of-bounds access
Summary: CVE-2022-49674 kernel: Linux kernel: Device Mapper RAID out-of-bounds access
Keywords:
Status: NEW
Alias: CVE-2022-49674
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-02-26 03:12 UTC by OSIDB Bzimport
Modified: 2026-04-08 08:32 UTC (History)
4 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2026:6953 0 None None None 2026-04-08 03:24:11 UTC
Red Hat Product Errata RHSA-2026:6961 0 None None None 2026-04-08 05:06:27 UTC
Red Hat Product Errata RHSA-2026:7003 0 None None None 2026-04-08 08:32:09 UTC

Description OSIDB Bzimport 2025-02-26 03:12:58 UTC 
In the Linux kernel, the following vulnerability has been resolved:

dm raid: fix accesses beyond end of raid member array

On dm-raid table load (using raid_ctr), dm-raid allocates an array
rs->devs[rs->raid_disks] for the raid device members. rs->raid_disks
is defined by the number of raid metadata and image tupples passed
into the target's constructor.

In the case of RAID layout changes being requested, that number can be
different from the current number of members for existing raid sets as
defined in their superblocks. Example RAID layout changes include:
- raid1 legs being added/removed
- raid4/5/6/10 number of stripes changed (stripe reshaping)
- takeover to higher raid level (e.g. raid5 -> raid6)

When accessing array members, rs->raid_disks must be used in control
loops instead of the potentially larger value in rs->md.raid_disks.
Otherwise it will cause memory access beyond the end of the rs->devs
array.

Fix this by changing code that is prone to out-of-bounds access.
Also fix validate_raid_redundancy() to validate all devices that are
added. Also, use braces to help clean up raid_iterate_devices().

The out-of-bounds memory accesses was discovered using KASAN.

This commit was verified to pass all LVM2 RAID tests (with KASAN
enabled).
Comment 1 Avinash Hanwate 2025-02-26 12:10:43 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025022624-CVE-2022-49674-90d4@gregkh/T
Comment 4 Avinash Hanwate 2025-02-26 16:37:25 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025022624-CVE-2022-49674-90d4@gregkh/T
Comment 7 errata-xmlrpc 2026-04-08 03:24:10 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support

Via RHSA-2026:6953 https://access.redhat.com/errata/RHSA-2026:6953
Comment 8 errata-xmlrpc 2026-04-08 05:06:26 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2026:6961 https://access.redhat.com/errata/RHSA-2026:6961
Comment 9 errata-xmlrpc 2026-04-08 08:32:08 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On

Via RHSA-2026:7003 https://access.redhat.com/errata/RHSA-2026:7003
Note You need to log in before you can comment on or make changes to this bug.