In the Linux kernel, the following vulnerability has been resolved:
loop: Check for overflow while configuring loop
Userspace can configure a loop device using an ioctl call, in which a configuration of type loop_config is passed (see lo_ioctl()'s case on line 1550 of drivers/block/loop.c). This proceeds to call loop_configure(), which in turn calls loop_set_status_from_info() (see line 1050 of loop.c), passing &config->info, which is of type loop_info64*. This function then sets the appropriate values, like the offset.
loop_device has lo_offset of type loff_t (see line 52 of loop.c), which is typedef-chained to long long, whereas loop_info64 has lo_offset of type __u64 (see line 56 of include/uapi/linux/loop.h).
The function directly copies the offset from info to the device as follows (see line 980 of loop.c): lo->lo_offset = info->lo_offset;
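Because an unsigned 64-bit value supplied by userspace is stored in a signed 64-bit field, any value above the signed maximum becomes a negative offset. This overflow triggers a warning in iomap_iter() due to a call to iomap_iter_done(), which has: WARN_ON_ONCE(iter->iomap.offset > iter->pos);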
Thus, check for a negative value in loop_set_status_from_info().
Bug report: https://syzkaller.appspot.com/bug?id=c620fe14aac810396d3c3edc9ad73848bf69a29e
[
{
"signature_type": "Line",
"digest": {
"threshold": 0.9,
"line_hashes": [
"184784177726623956289854849651315051145",
"151959349614821153742839376615820411875",
"45473753857056793693969532249254057096",
"204610668663883723007617031422568290802"
]
},
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "drivers/block/loop.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@9be7fa7ead18a48940df7b59d993bbc8b9055c15",
"id": "CVE-2022-49993-300ab8f9"
},
{
"signature_type": "Function",
"digest": {
"function_hash": "35617409760620181533542257018536139954",
"length": 752.0
},
"deprecated": false,
"signature_version": "v1",
"target": {
"function": "loop_set_status_from_info",
"file": "drivers/block/loop.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@9be7fa7ead18a48940df7b59d993bbc8b9055c15",
"id": "CVE-2022-49993-41fe521a"
},
{
"signature_type": "Line",
"digest": {
"threshold": 0.9,
"line_hashes": [
"267213464472280535889818702114311526236",
"181691773975629597940389555194644811538",
"128965742363579183200524155860861062353",
"5917604115378752679332294317283110272"
]
},
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "drivers/block/loop.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@b40877b8562c5720d0a7fce20729f56b75a3dede",
"id": "CVE-2022-49993-4261eb39"
},
{
"signature_type": "Function",
"digest": {
"function_hash": "207684588142357050006941403943004788106",
"length": 1108.0
},
"deprecated": false,
"signature_version": "v1",
"target": {
"function": "loop_get_status",
"file": "drivers/block/loop.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@18e28817cb516b39de6281f6db9b0618b2cc7b42",
"id": "CVE-2022-49993-4e2da7bb"
},
{
"signature_type": "Line",
"digest": {
"threshold": 0.9,
"line_hashes": [
"184784177726623956289854849651315051145",
"151959349614821153742839376615820411875",
"45473753857056793693969532249254057096",
"204610668663883723007617031422568290802"
]
},
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "drivers/block/loop.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c490a0b5a4f36da3918181a8acdc6991d967c5f3",
"id": "CVE-2022-49993-543f41d5"
},
{
"signature_type": "Line",
"digest": {
"threshold": 0.9,
"line_hashes": [
"51883109091831615891040730668162655852",
"71521530632985926039541225415368841667",
"245634913798416749070612836189885860063",
"313342918887891615821433570097370796379"
]
},
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "drivers/block/loop.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@18e28817cb516b39de6281f6db9b0618b2cc7b42",
"id": "CVE-2022-49993-6d28ad3f"
},
{
"signature_type": "Function",
"digest": {
"function_hash": "35617409760620181533542257018536139954",
"length": 752.0
},
"deprecated": false,
"signature_version": "v1",
"target": {
"function": "loop_set_status_from_info",
"file": "drivers/block/loop.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c490a0b5a4f36da3918181a8acdc6991d967c5f3",
"id": "CVE-2022-49993-952213ef"
},
{
"signature_type": "Line",
"digest": {
"threshold": 0.9,
"line_hashes": [
"267213464472280535889818702114311526236",
"181691773975629597940389555194644811538",
"128965742363579183200524155860861062353",
"5917604115378752679332294317283110272"
]
},
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "drivers/block/loop.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a217715338fd48f72114725aa7a40e484a781ca7",
"id": "CVE-2022-49993-992c0a55"
},
{
"signature_type": "Function",
"digest": {
"function_hash": "197553110738752826176234200699016395639",
"length": 1358.0
},
"deprecated": false,
"signature_version": "v1",
"target": {
"function": "loop_set_status_from_info",
"file": "drivers/block/loop.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@6858933131d0dadac071c4d33335a9ea4b8e76cf",
"id": "CVE-2022-49993-a2d2bda3"
},
{
"signature_type": "Function",
"digest": {
"function_hash": "197553110738752826176234200699016395639",
"length": 1358.0
},
"deprecated": false,
"signature_version": "v1",
"target": {
"function": "loop_set_status_from_info",
"file": "drivers/block/loop.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@0455bef69028c65065f16bb04635591b2374249b",
"id": "CVE-2022-49993-a785a6cc"
},
{
"signature_type": "Line",
"digest": {
"threshold": 0.9,
"line_hashes": [
"267213464472280535889818702114311526236",
"181691773975629597940389555194644811538",
"128965742363579183200524155860861062353",
"5917604115378752679332294317283110272"
]
},
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "drivers/block/loop.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@6858933131d0dadac071c4d33335a9ea4b8e76cf",
"id": "CVE-2022-49993-b868d2a5"
},
{
"signature_type": "Function",
"digest": {
"function_hash": "207404130582571591687077890866798719315",
"length": 1456.0
},
"deprecated": false,
"signature_version": "v1",
"target": {
"function": "loop_set_status_from_info",
"file": "drivers/block/loop.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a217715338fd48f72114725aa7a40e484a781ca7",
"id": "CVE-2022-49993-ccfd1167"
},
{
"signature_type": "Line",
"digest": {
"threshold": 0.9,
"line_hashes": [
"267213464472280535889818702114311526236",
"181691773975629597940389555194644811538",
"128965742363579183200524155860861062353",
"5917604115378752679332294317283110272"
]
},
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "drivers/block/loop.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@0455bef69028c65065f16bb04635591b2374249b",
"id": "CVE-2022-49993-d57ce459"
},
{
"signature_type": "Function",
"digest": {
"function_hash": "207404130582571591687077890866798719315",
"length": 1456.0
},
"deprecated": false,
"signature_version": "v1",
"target": {
"function": "loop_set_status_from_info",
"file": "drivers/block/loop.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@b40877b8562c5720d0a7fce20729f56b75a3dede",
"id": "CVE-2022-49993-dfe2e0b2"
},
{
"signature_type": "Function",
"digest": {
"function_hash": "212782338148821611244565285274426932219",
"length": 1234.0
},
"deprecated": false,
"signature_version": "v1",
"target": {
"function": "loop_get_status",
"file": "drivers/block/loop.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@adf0112d9b8acb03485624220b4934f69bf13369",
"id": "CVE-2022-49993-fbe05ff9"
}
]