CVE-2022-50084

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2022-50084
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-50084.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-50084
Related
Published
2025-06-18T11:15:37Z
Modified
2025-06-18T16:48:11.083548Z
Downstream
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

dm raid: fix address sanitizer warning in raid_status

There is this warning when using a kernel with the address sanitizer and running this testsuite: https://gitlab.com/cki-project/kernel-tests/-/tree/main/storage/swraid/scsi_raid

================================================================== BUG: KASAN: slab-out-of-bounds in raidstatus+0x1747/0x2820 [dmraid] Read of size 4 at addr ffff888079d2c7e8 by task lvcreate/13319 CPU: 0 PID: 13319 Comm: lvcreate Not tainted 5.18.0-0.rc3.<snip> #1 Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011 Call Trace: <TASK> dumpstacklvl+0x6a/0x9c printaddressdescription.constprop.0+0x1f/0x1e0 printreport.cold+0x55/0x244 kasanreport+0xc9/0x100 raidstatus+0x1747/0x2820 [dmraid] dmimameasureontableload+0x4b8/0xca0 [dmmod] tableload+0x35c/0x630 [dmmod] ctlioctl+0x411/0x630 [dmmod] dmctlioctl+0xa/0x10 [dmmod] _x64sysioctl+0x12a/0x1a0 dosyscall64+0x5b/0x80

The warning is caused by reading conf->maxnrstripes in raidstatus. The code in raidstatus reads mddev->private, casts it to struct r5conf and reads the entry maxnrstripes.

However, if we have different raid type than 4/5/6, mddev->private doesn't point to struct r5conf; it may point to struct r0conf, struct r1conf, struct r10conf or struct mpconf. If we cast a pointer to one of these structs to struct r5conf, we will be reading invalid memory and KASAN warns about it.

Fix this bug by reading struct r5conf only if raid type is 4, 5 or 6.

References

Affected packages

Debian:11 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.10.140-1

Affected versions

5.*

5.10.46-4
5.10.46-5
5.10.70-1~bpo10+1
5.10.70-1
5.10.84-1
5.10.92-1~bpo10+1
5.10.92-1
5.10.92-2
5.10.103-1~bpo10+1
5.10.103-1
5.10.106-1
5.10.113-1
5.10.120-1~bpo10+1
5.10.120-1
5.10.127-1
5.10.127-2~bpo10+1
5.10.127-2
5.10.136-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.0.2-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.0.2-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}