CVE-2022-49993

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 18/06/2025
Last modified: 14/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

loop: Check for overflow while configuring loop

The userspace can configure a loop using an ioctl call, wherein a configuration of type loop_config is passed (see lo_ioctl()'s case on line 1550 of drivers/block/loop.c). This proceeds to call loop_configure() which in turn calls loop_set_status_from_info() (see line 1050 of loop.c), passing &config->info which is of type loop_info64*. This function then sets the appropriate values, like the offset.

loop_device has lo_offset of type loff_t (see line 52 of loop.c), which is typedef-chained to long long, whereas loop_info64 has lo_offset of type __u64 (see line 56 of include/uapi/linux/loop.h).

The function directly copies offset from info to the device as follows (See line 980 of loop.c):

    lo->lo_offset = info->lo_offset;

This results in an overflow, which triggers a warning in iomap_iter() due to a call to iomap_iter_done() which has:

    WARN_ON_ONCE(iter->iomap.offset > iter->pos);

Thus, check for negative value during loop_set_status_from_info().

Bug report: https://syzkaller.appspot.com/bug?id=c620fe14aac810396d3c3edc9ad73848bf69a29e
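The signed/unsigned mismatch described above, as an added user-space example in C (not kernel code and not part of the original advisory). The `model_*` structures, both function names and the `-EOVERFLOW` return value are assumptions of this model; it shows the unchecked copy next to a copy that rejects values which become negative once stored in a signed 64-bit field.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* User-space stand-ins (hypothetical names) for the two kernel structures. */
struct model_info64 { uint64_t lo_offset; };   /* like loop_info64: __u64  */
struct model_device { long long lo_offset; };  /* like loop_device: loff_t */

/* Pre-fix behaviour described in the advisory: copy with no range check. */
static int set_status_unchecked(struct model_device *lo,
                                const struct model_info64 *info)
{
    /* Out-of-range conversion is implementation-defined; GCC/Clang wrap. */
    lo->lo_offset = (long long)info->lo_offset;
    return 0;
}

/* Post-fix idea: refuse offsets that turn negative when stored as signed. */
static int set_status_checked(struct model_device *lo,
                              const struct model_info64 *info)
{
    long long off = (long long)info->lo_offset;

    if (off < 0)
        return -EOVERFLOW;  /* error code is an assumption of this model */
    lo->lo_offset = off;    /* device is only updated for valid input */
    return 0;
}

int main(void)
{
    /* Constructed inputs: an ordinary offset and one with the top bit set. */
    const uint64_t samples[] = { 4096, UINT64_C(0x8000000000000000) };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        struct model_info64 info = { samples[i] };
        struct model_device a = { 0 }, b = { 0 };
        int ra = set_status_unchecked(&a, &info);
        int rb = set_status_checked(&b, &info);

        printf("requested=%llu unchecked: ret=%d stored=%lld | "
               "checked: ret=%d stored=%lld\n",
               (unsigned long long)samples[i], ra, a.lo_offset,
               rb, b.lo_offset);
    }
    return 0;
}
```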

Vulnerable products and versions

| CPE | From | Up to |
| --- | --- | --- |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | | 4.9.327 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.10 (including) | 4.14.292 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.15 (including) | 4.19.312 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.20 (including) | 5.4.274 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.5 (including) | 5.10.140 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.64 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 5.19.6 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.0:rc1:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.0:rc2:*:*:*:*:*:* | | |