CVE-2022-49674

Severity CVSS v4.0: Pending analysis
Type: CWE-125 Out-of-bounds Read
Publication date: 26/02/2025
Last modified: 24/10/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

dm raid: fix accesses beyond end of raid member array

On dm-raid table load (using raid_ctr), dm-raid allocates an array rs->devs[rs->raid_disks] for the raid device members. rs->raid_disks is defined by the number of raid metadata and image tuples passed into the target's constructor.

In the case of RAID layout changes being requested, that number can be different from the current number of members for existing raid sets as defined in their superblocks. Example RAID layout changes include:
- raid1 legs being added/removed
- raid4/5/6/10 number of stripes changed (stripe reshaping)
- takeover to higher raid level (e.g. raid5 -> raid6)

When accessing array members, rs->raid_disks must be used in control loops instead of the potentially larger value in rs->md.raid_disks. Otherwise it will cause memory access beyond the end of the rs->devs array.

Fix this by changing code that is prone to out-of-bounds access. Also fix validate_raid_redundancy() to validate all devices that are added. Also, use braces to help clean up raid_iterate_devices().

The out-of-bounds memory accesses were discovered using KASAN.

This commit was verified to pass all LVM2 RAID tests (with KASAN enabled).
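The loop-bound mismatch described above, as an added userspace model (not the kernel's dm-raid code and not part of the advisory). The helpers `raid_set_alloc`, `raid_dev_at` and `walk_devs` are hypothetical, the struct layouts are assumed, and the member counts 2 and 4 are constructed values.

```c
#include <stdio.h>
#include <stdlib.h>

/* Userspace model only: field names follow the description, layouts are assumed. */
struct raid_dev { int in_sync; };
struct raid_set {
    int raid_disks;                 /* tuples passed to the constructor; sizes devs[] */
    struct { int raid_disks; } md;  /* member count that may be larger */
    struct raid_dev *devs;          /* devs[rs->raid_disks] */
};

/* Hypothetical allocator: devs[] is sized by the constructor count only. */
static struct raid_set *raid_set_alloc(int ctr_disks, int md_disks)
{
    struct raid_set *rs = calloc(1, sizeof(*rs));
    if (!rs) return NULL;
    rs->devs = calloc((size_t)ctr_disks, sizeof(*rs->devs));
    if (!rs->devs) { free(rs); return NULL; }
    rs->raid_disks = ctr_disks;
    rs->md.raid_disks = md_disks;
    return rs;
}

/* Bounds-checked accessor: NULL stands in for the read KASAN would flag. */
static const struct raid_dev *raid_dev_at(const struct raid_set *rs, int i)
{
    return (i >= 0 && i < rs->raid_disks) ? &rs->devs[i] : NULL;
}

/* Walk devs[] with the given loop bound; return how many indices fell outside it. */
static int walk_devs(const struct raid_set *rs, int bound, int *not_in_sync)
{
    int i, oob = 0;
    *not_in_sync = 0;
    for (i = 0; i < bound; i++) {
        const struct raid_dev *d = raid_dev_at(rs, i);
        if (!d) { oob++; continue; }
        if (!d->in_sync) (*not_in_sync)++;
    }
    return oob;
}

int main(void)
{
    struct raid_set *rs = raid_set_alloc(2, 4); /* constructed values */
    int n;
    if (!rs) return 1;
    printf("bound md.raid_disks: %d out-of-bounds\n", walk_devs(rs, rs->md.raid_disks, &n));
    printf("bound raid_disks:    %d out-of-bounds\n", walk_devs(rs, rs->raid_disks, &n));
    free(rs->devs); free(rs);
    return 0;
}
```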

Vulnerable products and versions

| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | | 4.14.287 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.15 (including) | 4.19.251 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.20 (including) | 5.4.204 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.5 (including) | 5.10.129 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.53 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 5.18.10 (excluding) |
| cpe:2.3:o:linux:linux_kernel:5.19:rc1:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:5.19:rc2:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:5.19:rc3:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:5.19:rc4:*:*:*:*:*:* | | |