{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-49674", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-02-26T02:21:30.438Z", "datePublished": "2025-02-26T02:24:06.636Z", "dateUpdated": "2025-05-04T08:43:03.651Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-04T08:43:03.651Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm raid: fix accesses beyond end of raid member array\n\nOn dm-raid table load (using raid_ctr), dm-raid allocates an array\nrs->devs[rs->raid_disks] for the raid device members. rs->raid_disks\nis defined by the number of raid metadata and image tupples passed\ninto the target's constructor.\n\nIn the case of RAID layout changes being requested, that number can be\ndifferent from the current number of members for existing raid sets as\ndefined in their superblocks. Example RAID layout changes include:\n- raid1 legs being added/removed\n- raid4/5/6/10 number of stripes changed (stripe reshaping)\n- takeover to higher raid level (e.g. raid5 -> raid6)\n\nWhen accessing array members, rs->raid_disks must be used in control\nloops instead of the potentially larger value in rs->md.raid_disks.\nOtherwise it will cause memory access beyond the end of the rs->devs\narray.\n\nFix this by changing code that is prone to out-of-bounds access.\nAlso fix validate_raid_redundancy() to validate all devices that are\nadded. Also, use braces to help clean up raid_iterate_devices().\n\nThe out-of-bounds memory accesses was discovered using KASAN.\n\nThis commit was verified to pass all LVM2 RAID tests (with KASAN\nenabled)."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/md/dm-raid.c"], "versions": [{"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "5e161a8826b63c0b8b43e4a7fad1f956780f42ab", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "df1a5ab0dd0775f2ea101c71f2addbc4c0ea0f85", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "90de15357504c8097ab29769dc6852e16281e9e8", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "9bf2b0757b04c78dc5d6e3a198acca98457b32a1", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "6352b2f4d8e95ec0ae576d7705435d64cfa29503", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "bcff98500ea3b4e7615ec31d2bdd326bc1ef5134", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "332bd0778775d0cf105c4b9e03e460b590749916", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/md/dm-raid.c"], "versions": [{"version": "4.14.287", "lessThanOrEqual": "4.14.*", "status": "unaffected", "versionType": "semver"}, {"version": "4.19.251", "lessThanOrEqual": "4.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.4.204", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.129", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.53", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.18.10", "lessThanOrEqual": "5.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.19", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.14.287"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.19.251"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.204"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.129"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.53"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.18.10"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.19"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/5e161a8826b63c0b8b43e4a7fad1f956780f42ab"}, {"url": "https://git.kernel.org/stable/c/df1a5ab0dd0775f2ea101c71f2addbc4c0ea0f85"}, {"url": "https://git.kernel.org/stable/c/90de15357504c8097ab29769dc6852e16281e9e8"}, {"url": "https://git.kernel.org/stable/c/9bf2b0757b04c78dc5d6e3a198acca98457b32a1"}, {"url": "https://git.kernel.org/stable/c/6352b2f4d8e95ec0ae576d7705435d64cfa29503"}, {"url": "https://git.kernel.org/stable/c/bcff98500ea3b4e7615ec31d2bdd326bc1ef5134"}, {"url": "https://git.kernel.org/stable/c/332bd0778775d0cf105c4b9e03e460b590749916"}], "title": "dm raid: fix accesses beyond end of raid member array", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm raid: fix accesses beyond end of raid member array\n\nOn dm-raid table load (using raid_ctr), dm-raid allocates an array\nrs->devs[rs->raid_disks] for the raid device members. rs->raid_disks\nis defined by the number of raid metadata and image tupples passed\ninto the target's constructor.\n\nIn the case of RAID layout changes being requested, that number can be\ndifferent from the current number of members for existing raid sets as\ndefined in their superblocks. Example RAID layout changes include:\n- raid1 legs being added/removed\n- raid4/5/6/10 number of stripes changed (stripe reshaping)\n- takeover to higher raid level (e.g. raid5 -> raid6)\n\nWhen accessing array members, rs->raid_disks must be used in control\nloops instead of the potentially larger value in rs->md.raid_disks.\nOtherwise it will cause memory access beyond the end of the rs->devs\narray.\n\nFix this by changing code that is prone to out-of-bounds access.\nAlso fix validate_raid_redundancy() to validate all devices that are\nadded. Also, use braces to help clean up raid_iterate_devices().\n\nThe out-of-bounds memory accesses was discovered using KASAN.\n\nThis commit was verified to pass all LVM2 RAID tests (with KASAN\nenabled)."}], "id": "CVE-2022-49674", "lastModified": "2025-02-26T07:01:42.320", "metrics": {}, "published": "2025-02-26T07:01:42.320", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/332bd0778775d0cf105c4b9e03e460b590749916"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/5e161a8826b63c0b8b43e4a7fad1f956780f42ab"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/6352b2f4d8e95ec0ae576d7705435d64cfa29503"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/90de15357504c8097ab29769dc6852e16281e9e8"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/9bf2b0757b04c78dc5d6e3a198acca98457b32a1"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/bcff98500ea3b4e7615ec31d2bdd326bc1ef5134"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/df1a5ab0dd0775f2ea101c71f2addbc4c0ea0f85"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

{"bugzilla": {"description": "kernel: dm raid: fix accesses beyond end of raid member array", "id": "2347967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2347967"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\ndm raid: fix accesses beyond end of raid member array\nOn dm-raid table load (using raid_ctr), dm-raid allocates an array\nrs->devs[rs->raid_disks] for the raid device members. rs->raid_disks\nis defined by the number of raid metadata and image tupples passed\ninto the target's constructor.\nIn the case of RAID layout changes being requested, that number can be\ndifferent from the current number of members for existing raid sets as\ndefined in their superblocks. Example RAID layout changes include:\n- raid1 legs being added/removed\n- raid4/5/6/10 number of stripes changed (stripe reshaping)\n- takeover to higher raid level (e.g. raid5 -> raid6)\nWhen accessing array members, rs->raid_disks must be used in control\nloops instead of the potentially larger value in rs->md.raid_disks.\nOtherwise it will cause memory access beyond the end of the rs->devs\narray.\nFix this by changing code that is prone to out-of-bounds access.\nAlso fix validate_raid_redundancy() to validate all devices that are\nadded. Also, use braces to help clean up raid_iterate_devices().\nThe out-of-bounds memory accesses was discovered using KASAN.\nThis commit was verified to pass all LVM2 RAID tests (with KASAN\nenabled)."], "name": "CVE-2022-49674", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-02-26T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-49674\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-49674\nhttps://lore.kernel.org/linux-cve-announce/2025022624-CVE-2022-49674-90d4@gregkh/T"], "threat_severity": "Moderate"}