CVE-2022-50506

Commit c347a787e34cb (drbd: set ->bibdev in drbdreqnew) moved a biosetdev call (which has since been removed) to "earlier", from drbdrequestprepare to drbdreq_new.

The problem is that this accesses device->ldev->backing_bdev, which is not NULL-checked at this point. When we don't have an ldev (i.e. when the DRBD device is diskless), this leads to a null pointer deref.

So, only allocate the private_bio if we actually have a disk. This is also a small optimization, since we don't clone the bio to only to immediately free it again in the diskless case.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/50xxx/CVE-2022-50506.json",
    "cna_assigner": "Linux"
}

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

c347a787e34cba0e5a80a04082dacaf259105605

Fixed

05580a3bbf3cec677cb00a85dfeb21d6a9b48eaf

Fixed

6d42ddf7f27b6723549ee6d4c8b1b418b59bf6b5

Affected versions

v5.*

v5.17

v5.17-rc3

v5.17-rc4

v5.17-rc5

v5.17-rc6

v5.17-rc7

v5.17-rc8

v5.18

v5.18-rc1

v5.18-rc2

v5.18-rc3

v5.18-rc4

v5.18-rc5

v5.18-rc6

v5.18-rc7

v5.19

v5.19-rc1

v5.19-rc2

v5.19-rc3

v5.19-rc4

v5.19-rc5

v5.19-rc6

v5.19-rc7

v5.19-rc8

v6.*

v6.0

v6.0-rc1

v6.0-rc2

v6.0-rc3

v6.0-rc4

v6.0-rc5

v6.0-rc6

v6.0-rc7

v6.0.1

v6.0.2

v6.0.3

v6.0.4

v6.0.5

Database specific

vanir_signatures

[
    {
        "signature_type": "Function",
        "signature_version": "v1",
        "target": {
            "file": "drivers/block/drbd/drbd_req.c",
            "function": "drbd_req_new"
        },
        "id": "CVE-2022-50506-0960cd44",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@05580a3bbf3cec677cb00a85dfeb21d6a9b48eaf",
        "digest": {
            "function_hash": "28578817823263537681036978581430452915",
            "length": 1088.0
        }
    },
    {
        "signature_type": "Line",
        "signature_version": "v1",
        "target": {
            "file": "drivers/block/drbd/drbd_req.c"
        },
        "id": "CVE-2022-50506-12f001b1",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@05580a3bbf3cec677cb00a85dfeb21d6a9b48eaf",
        "digest": {
            "line_hashes": [
                "273353339412522568083962768688647269470",
                "249396980206438467037159478815141866323",
                "182508982502361865668759978336064593482",
                "248619799282761034531349029641471393871",
                "328577400407483840828453406684938964584",
                "159116626837836184141967426603297158711",
                "73071378800687195253139654074533155265",
                "295488000377150139867037247962046220363",
                "80604130458035220378733228124494545249",
                "98380271705765823962244854761941948571",
                "194092820256586863600867331735484727604",
                "318069575134606330689076725027053071544",
                "243410062030605036258462765116737303717"
            ],
            "threshold": 0.9
        }
    },
    {
        "signature_type": "Function",
        "signature_version": "v1",
        "target": {
            "file": "drivers/block/drbd/drbd_req.c",
            "function": "drbd_request_prepare"
        },
        "id": "CVE-2022-50506-324a6237",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@05580a3bbf3cec677cb00a85dfeb21d6a9b48eaf",
        "digest": {
            "function_hash": "283779788592217632915357260091410405257",
            "length": 980.0
        }
    }
]

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-50506.json"