Bug 2177862 (CVE-2022-2503) - CVE-2022-2503 kernel: LoadPin bypass via dm-verity table reload
Summary: CVE-2022-2503 kernel: LoadPin bypass via dm-verity table reload
Keywords:
Status: NEW
Alias: CVE-2022-2503
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2177893 2177894 2177895 2177896 2177899 2177900 2183114 2183115 2183116 2183117
Blocks: Embargoed 2177863
Reported: 2023-03-13 17:50 UTC by Pedro Sampaio
Modified: 2023-05-12 20:15 UTC

Fixed In Version: Kernel 5.19 RC1
Doc Text:
A flaw was found in the Linux kernel. Dm-verity is used for extending root-of-trust to root filesystems. LoadPin builds on this property to restrict module and firmware loads to just the trusted root filesystem. Device-mapper table reloads currently allow users with root privileges to switch out the target with an equivalent dm-linear target and bypass verification until reboot. This allows root to bypass LoadPin and can be used to load untrusted and unverified kernel modules and firmware, which implies arbitrary kernel execution and persistence for peripherals that do not verify firmware updates.

Description Pedro Sampaio 2023-03-13 17:50:17 UTC
Dm-verity is used for extending root-of-trust to root filesystems. LoadPin builds on this property to restrict module/firmware loads to just the trusted root filesystem. Device-mapper table reloads currently allow users with root privileges to switch out the target with an equivalent dm-linear target and bypass verification till reboot. This allows root to bypass LoadPin and can be used to load untrusted and unverified kernel modules and firmware, which implies arbitrary kernel execution and persistence for peripherals that do not verify firmware updates. We recommend upgrading past commit 4caae58406f8ceb741603eee460d79bacca9b1b5

https://github.com/google/security-research/security/advisories/GHSA-6vq3-w69p-w63m
https://security.netapp.com/advisory/ntap-20230214-0005/
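
A defensive check for the condition described above, as an added example that is not part of the original bug report: it reads `dmsetup table` output and flags devices expected to be dm-verity whose live table shows a different target. The device names `vroot` and `vdata`, the function name and the sample table are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): detect a dm-verity device whose
# live device-mapper table no longer uses the verity target.
#
# stdin : output of `dmsetup table`, lines of "<name>: <start> <len> <target> <params>"
# args  : device names that must be verity (assumption: a site-specific list)
# stdout: one ALERT line per finding; exit status 1 if any finding, else 0
check_verity_targets() {
    awk -v expected=" $* " '
        {
            name = $1
            sub(/:$/, "", name)
            if (index(expected, " " name " ") == 0) next   # not a monitored device
            seen[name] = 1
            if ($4 != "verity") {
                printf "ALERT %s: live target is %s, expected verity\n", name, $4
                bad = 1
            }
        }
        END {
            # A monitored device that is missing entirely is also a finding.
            n = split(expected, want, " ")
            for (i = 1; i <= n; i++)
                if (!(want[i] in seen)) {
                    printf "ALERT %s: no live table found\n", want[i]
                    bad = 1
                }
            exit (bad ? 1 : 0)
        }'
}

# Constructed sample input: vroot has been replaced by a linear target,
# vdata is still verity (hash and salt are placeholders).
SAMPLE_TABLE='vroot: 0 1638400 linear 8:1 0
vdata: 0 4096000 verity 1 8:3 8:4 4096 4096 512000 1 sha256 ROOT_HASH_PLACEHOLDER SALT_PLACEHOLDER'

printf '%s\n' "$SAMPLE_TABLE" | check_verity_targets vroot vdata || echo "findings present"
# On a live system (as root): dmsetup table | check_verity_targets vroot
```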

