CVE-2026-53059

Summary

In the Linux kernel, the following vulnerability has been resolved:

dm log: fix out-of-bounds write due to region_count overflow

The local variable region_count in create_log_context() is declared as unsigned int (32-bit), but dm_sector_div_up() returns sector_t (64-bit). When a device-mapper target has a sufficiently large ti->len with a small region_size, the division result can exceed UINT_MAX. The truncated value is then used to calculate bitset_size, causing clean_bits, sync_bits, and recovering_bits to be allocated far smaller than needed for the actual number of regions.

Subsequent log operations (log_set_bit, log_clear_bit, log_test_bit) use region indices derived from the full untruncated region space, causing out-of-bounds writes to kernel heap memory allocated by vmalloc.

This can be reproduced by creating a mirror target whose region_count overflows 32 bits:

dmsetup create bigzero –table '0 8589934594 zero' dmsetup create mymirror –table '0 8589934594 mirror
core 2 2 nosync 2 /dev/mapper/bigzero 0
/dev/mapper/bigzero 0'

The status output confirms the truncation (sync_count=1 instead of 4294967297, because 0x100000001 was truncated to 1):

$ dmsetup status mymirror 0 8589934594 mirror 2 254:1 254:1 1/4294967297 …

This leads to a kernel crash in core_in_sync:

BUG: scheduling while atomic: (udev-worker)/9150/0x00000000 RIP: 0010:core_in_sync+0x14/0x30 [dm_log] CR2: 0000000000000008 Fixing recursive fault but reboot is needed!

Fix by widening the local region_count to sector_t and adding an explicit overflow check before the value is assigned to lc->region_count.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 44ab8875ae4a2842bde2d756bed195d375e0debbaffected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < defe483e47173768c227532694dc78cb65db5f09affected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 3ec74da927b4e171a6fc0e77b1188ba4d019af51affected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < d4ac87567f86a55c3c92e9a5144dcd943a9772a1affected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 12bd5b88e91a02785244ff1d20fb157e96e9cdc8affected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < b455903eed4558982be0811f5b7f44f6bbc4ff57affected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 4ec8323b9f0764a14d532b1ae9b87f8a9fecb867affected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < c20e36b7631d83e7535877f08af8b0af72c44b1aaffected
LinuxLinux2.6.12affected
LinuxLinux0 < 2.6.12unaffected
LinuxLinux5.10.258 <= 5.10.*unaffected
LinuxLinux5.15.209 <= 5.15.*unaffected
LinuxLinux6.1.175 <= 6.1.*unaffected
LinuxLinux6.6.141 <= 6.6.*unaffected
LinuxLinux6.12.91 <= 6.12.*unaffected
LinuxLinux6.18.33 <= 6.18.*unaffected
LinuxLinux7.0.10 <= 7.0.*unaffected
LinuxLinux7.1 <= *unaffected

Weaknesses

ADP Enrichment

kernel: dm log: fix out-of-bounds write due to region_count overflow

Additional References

References