In the Linux kernel, the following vulnerability has been resolved:
dm: fix a buffer overflow in ioctl processing
Tony Asleson (using Claude) found a buffer overflow in dm-ioctl in the function retrieve_status:
- The code in retrieve_status checks that the output string fits into
- Then, the code aligns the "outptr" variable to the next 8-byte
- The alignment doesn't check overflow, so outptr could point past the
- The "for" loop is iterated again, it executes:
- If "outptr" points past "outbuf + len", the arithmetics wraps around
- With "remaining" being high, the code writes more data past the end of
Luckily, this bug has no security implications because:
- Only root can issue device mapper ioctls
- The commonly used libraries that communicate with device mapper