2348106 – (CVE-2022-49147) CVE-2022-49147 kernel: block: Fix the maximum minor value is blk_alloc_ext_minor()

Bug 2348106 (CVE-2022-49147) - CVE-2022-49147 kernel: block: Fix the maximum minor value is blk_alloc_ext_minor()

Summary: CVE-2022-49147 kernel: block: Fix the maximum minor value is blk_alloc_ext_mi...

Keywords:
Status:	NEW
Alias:	CVE-2022-49147
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2025-02-26 03:17 UTC by OSIDB Bzimport
Modified:	2025-02-27 08:59 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-02-26 03:17:49 UTC

In the Linux kernel, the following vulnerability has been resolved:

block: Fix the maximum minor value is blk_alloc_ext_minor()

ida_alloc_range(..., min, max, ...) returns values from min to max,
inclusive.

So, NR_EXT_DEVT is a valid idx returned by blk_alloc_ext_minor().

This is an issue because in device_add_disk(), this value is used in:
   ddev->devt = MKDEV(disk->major, disk->first_minor);
and NR_EXT_DEVT is '(1 << MINORBITS)'.

So, should 'disk->first_minor' be NR_EXT_DEVT, it would overflow.

Comment 1 Avinash Hanwate 2025-02-26 13:40:19 UTC

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025022608-CVE-2022-49147-7f2f@gregkh/T

Comment 4 Avinash Hanwate 2025-02-26 18:09:42 UTC

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025022608-CVE-2022-49147-7f2f@gregkh/T

Note You need to log in before you can comment on or make changes to this bug.