GHSA-c9hh-9962-q529unknown
In the Linux kernel, the following vulnerability has been resolved: dm: fix a buffer overflow in...
🔗 CVE IDs covered (1)
📋 Description
In the Linux kernel, the following vulnerability has been resolved:
dm: fix a buffer overflow in ioctl processing
Tony Asleson (using Claude) found a buffer overflow in dm-ioctl in the function retrieve_status:
- The code in retrieve_status checks that the output string fits into the output buffer and writes the output string there
- Then, the code aligns the "outptr" variable to the next 8-byte boundary: outptr = align_ptr(outptr);
- The alignment doesn't check overflow, so outptr could point past the buffer end
- The "for" loop is iterated again, it executes: remaining = len - (outptr - outbuf);
- If "outptr" points past "outbuf + len", the arithmetics wraps around and the variable "remaining" contains unusually high number
- With "remaining" being high, the code writes more data past the end of the buffer
Luckily, this bug has no security implications because:
- Only root can issue device mapper ioctls
- The commonly used libraries that communicate with device mapper (libdevmapper and devicemapper-rs) use buffer size that is aligned to 8 bytes - thus, "outptr = align_ptr(outptr)" can't overshoot the input buffer and the bug can't happen accidentally
🔗 References (10)
- https://nvd.nist.gov/vuln/detail/CVE-2026-46294
- https://git.kernel.org/stable/c/2fa49cc884f6496a915c35621ba4da35649bf159
- https://git.kernel.org/stable/c/448ee8fb79c26a26599ffa4b2adeb4322d3d3d8c
- https://git.kernel.org/stable/c/526ff9126a0ae087b65726e1faf31114c718020d
- https://git.kernel.org/stable/c/5af6a879e915ae7bcd83695c316ebb32e1c61bc2
- https://git.kernel.org/stable/c/8daa6c708ef524089ae43f2aed9190acb26d7df8
- https://git.kernel.org/stable/c/c8c5311237448f6ffeecc9aec2362e3692623668
- https://git.kernel.org/stable/c/d271631023cbe1cbe7c31a0275ab797883be6e0a
- https://git.kernel.org/stable/c/f0b0b09d9840838ae77ccdd6a62de0daef4e6e0a
- https://github.com/advisories/GHSA-c9hh-9962-q529