CVE-2022-50092

Severity CVSS v4.0: Pending analysis
Type: CWE-416 Use After Free
Publication date: 18/06/2025
Last modified: 18/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

dm thin: fix use-after-free crash in dm_sm_register_threshold_callback

Fault inject on pool metadata device reports:
  BUG: KASAN: use-after-free in dm_pool_register_metadata_threshold+0x40/0x80
  Read of size 8 at addr ffff8881b9d50068 by task dmsetup/950

  CPU: 7 PID: 950 Comm: dmsetup Tainted: G W 5.19.0-rc6 #1
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33 04/01/2014
  Call Trace:

   dump_stack_lvl+0x34/0x44
   print_address_description.constprop.0.cold+0xeb/0x3f4
   kasan_report.cold+0xe6/0x147
   dm_pool_register_metadata_threshold+0x40/0x80
   pool_ctr+0xa0a/0x1150
   dm_table_add_target+0x2c8/0x640
   table_load+0x1fd/0x430
   ctl_ioctl+0x2c4/0x5a0
   dm_ctl_ioctl+0xa/0x10
   __x64_sys_ioctl+0xb3/0xd0
   do_syscall_64+0x35/0x80
   entry_SYSCALL_64_after_hwframe+0x46/0xb0

This can be easily reproduced using:
  echo offline > /sys/block/sda/device/state
  dd if=/dev/zero of=/dev/mapper/thin bs=4k count=10
  dmsetup load pool --table "0 20971520 thin-pool /dev/sda /dev/sdb 128 0 0"

If a metadata commit fails, the transaction will be aborted and the
metadata space maps will be destroyed. If a DM table reload then
happens for this failed thin-pool, a use-after-free will occur in
dm_sm_register_threshold_callback (called from
dm_pool_register_metadata_threshold).

Fix this in dm_pool_register_metadata_threshold() by returning the
-EINVAL error if the thin-pool is in fail mode. Also fail pool_ctr()
with a new error message: "Error registering metadata threshold".
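The failure sequence and the fix described above, reduced to a user-space C model. This is an added example, not the kernel patch or any code from the advisory; every struct, field and function name in it is a stand-in chosen for the illustration.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>

/* User-space model. All names here are illustrative, not kernel definitions. */
struct space_map { unsigned long threshold; };

struct pool_metadata {
	bool fail_mode;                /* set once a metadata commit has failed */
	struct space_map *metadata_sm; /* destroyed when the transaction aborts */
};

struct pool_metadata *pool_open(void)
{
	struct pool_metadata *pmd = calloc(1, sizeof(*pmd));
	if (pmd && !(pmd->metadata_sm = calloc(1, sizeof(*pmd->metadata_sm)))) {
		free(pmd);
		pmd = NULL;
	}
	return pmd;
}

/* Failed commit: the space map is freed but the pointer is left stale. */
void pool_abort_transaction(struct pool_metadata *pmd)
{
	free(pmd->metadata_sm);
	pmd->fail_mode = true;
}

/* Before the fix: no state check, so after an abort this touches freed memory. */
int register_threshold_unpatched(struct pool_metadata *pmd, unsigned long t)
{
	pmd->metadata_sm->threshold = t;
	return 0;
}

/* After the fix: a pool in fail mode is rejected before the pointer is used. */
int register_threshold_patched(struct pool_metadata *pmd, unsigned long t)
{
	if (pmd->fail_mode)
		return -EINVAL;
	return register_threshold_unpatched(pmd, t);
}

void pool_close(struct pool_metadata *pmd)
{
	if (!pmd->fail_mode)
		free(pmd->metadata_sm);
	free(pmd);
}
```

In this model, calling `register_threshold_unpatched()` after `pool_abort_transaction()` is the use-after-free; a build with `-fsanitize=address` flags that call as a heap-use-after-free, the user-space counterpart of the KASAN report above.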

Vulnerable products and versions

CPE                                            From               Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   3.10 (including)   5.4.211 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   5.5 (including)    5.10.137 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   5.11 (including)   5.15.61 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   5.16 (including)   5.18.18 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   5.19 (including)   5.19.2 (excluding)