CVE-2022-49147 in Linux

Summary

by MITRE • 02/26/2025

In the Linux kernel, the following vulnerability has been resolved:

block: Fix the maximum minor value in blk_alloc_ext_minor()

ida_alloc_range(..., min, max, ...) returns values from min to max, inclusive.

So, NR_EXT_DEVT is a valid idx returned by blk_alloc_ext_minor().

This is an issue because in device_add_disk(), this value is used in: ddev->devt = MKDEV(disk->major, disk->first_minor); and NR_EXT_DEVT is '(1 << MINORBITS)'.

So, should 'disk->first_minor' be NR_EXT_DEVT, it would overflow.


Analysis

by VulDB Data Team • 10/16/2025

The vulnerability identified as CVE-2022-49147 represents a critical integer overflow issue within the Linux kernel's block device subsystem that could potentially lead to system instability and security implications. This flaw exists in the blk_alloc_ext_minor() function which is responsible for allocating extended minor numbers for block devices. The issue stems from improper validation of the maximum minor value returned by the IDA (Integer Dynamic Allocator) subsystem when allocating device minor numbers. The function ida_alloc_range() is designed to return values within a specified range including both minimum and maximum bounds, but the kernel's implementation fails to account for the fact that NR_EXT_DEVT, which equals 2 raised to the power of MINORBITS, can be returned as a valid allocation result. This creates a scenario where the returned value could exceed the valid range for device minor numbers, leading to unexpected behavior when the value is used in device creation operations.

The technical execution of this vulnerability occurs during the device_add_disk() function where the allocated minor number is directly incorporated into the device number using the MKDEV macro. When the first_minor field of a disk structure contains the value NR_EXT_DEVT, the resulting device number calculation causes an overflow that can corrupt kernel memory structures and potentially provide an attack surface for privilege escalation or denial of service conditions. The vulnerability specifically relates to the interaction between the IDA allocation mechanism and the kernel's device number management system, where the boundary conditions are not properly validated before being used in critical kernel operations. This type of overflow represents a classic case of improper input validation and boundary checking that can lead to unpredictable system behavior.

The operational impact of this vulnerability extends beyond simple system instability to potentially enable sophisticated attack vectors. An attacker who can influence the allocation of extended minor numbers could theoretically trigger the overflow condition and exploit the resulting memory corruption to gain elevated privileges or cause system crashes. The vulnerability affects the core block device management functionality of the Linux kernel, meaning that any application or process that creates or manages block devices could potentially be exploited. This issue particularly impacts systems running kernel versions where the fix has not been applied, and could affect various device types including storage devices, loop devices, and other block-level storage abstractions. The vulnerability demonstrates a fundamental flaw in kernel memory management and device number handling that violates the principle of proper bounds checking.

Mitigation strategies for CVE-2022-49147 should focus on applying the official kernel patch that corrects the boundary validation in the blk_alloc_ext_minor() function and ensures that values exceeding the valid range for device minor numbers are properly rejected. System administrators should prioritize updating their kernel versions to include the fix, which typically involves modifying the validation logic to prevent NR_EXT_DEVT from being returned as a valid minor number allocation. Additionally, monitoring systems should be enhanced to detect unusual patterns in device allocation operations that might indicate exploitation attempts. The vulnerability aligns with CWE-191, Integer Underflow (Wrap or Wraparound), and can be mapped to ATT&CK technique T1068, Exploitation for Privilege Escalation, when exploited in the context of privilege escalation attacks. Organizations should also implement proper kernel hardening measures and maintain up-to-date security patches to prevent similar issues in other kernel subsystems. The fix essentially ensures that the kernel properly validates the returned minor number against the maximum allowable value before using it in device number calculations, thereby preventing the integer overflow condition that could lead to system compromise.
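To make the boundary condition from the summary and the analysis above concrete, here is an added userspace model; it is not kernel code and not VulDB's. It reproduces the MKDEV/MAJOR/MINOR macros and NR_EXT_DEVT from the kernel headers, stands in for ida_alloc_range() with a toy in-order allocator that keeps the inclusive upper bound, and shows that the pre-fix bound lets NR_EXT_DEVT be handed out, whose bit 20 spills into the major field of the resulting dev_t; the bounded variant using NR_EXT_DEVT - 1 is assumed here as the shape of the fix.

```c
#include <stdio.h>
#include <errno.h>
/* Constants and macros modelled on include/linux/kdev_t.h and block/genhd.c. */
#define MINORBITS       20
#define MINORMASK       ((1U << MINORBITS) - 1)
#define MKDEV(ma, mi)   (((ma) << MINORBITS) | (mi))
#define MAJOR(dev)      ((unsigned int)((dev) >> MINORBITS))
#define MINOR(dev)      ((unsigned int)((dev) & MINORMASK))
#define NR_EXT_DEVT     (1 << MINORBITS)
#define BLOCK_EXT_MAJOR 259 /* major used with extended (ext_devt) minors */

/* Toy stand-in for ida_alloc_range(): ids handed out in order, min..max INCLUSIVE,
 * which is the property the bug hinges on (the real IDA also reuses freed ids). */
struct toy_ida { int next; };
static int toy_ida_alloc_range(struct toy_ida *ida, int min, int max)
{
	if (ida->next < min) ida->next = min;
	if (ida->next > max) return -ENOSPC;
	return ida->next++;
}
/* Before the fix: max == NR_EXT_DEVT, so NR_EXT_DEVT itself can be returned. */
static int blk_alloc_ext_minor_vuln(struct toy_ida *ida)
{ return toy_ida_alloc_range(ida, 0, NR_EXT_DEVT); }
/* After the fix (assumed shape of the patch): the largest reachable minor is NR_EXT_DEVT - 1. */
static int blk_alloc_ext_minor_fixed(struct toy_ida *ida)
{ return toy_ida_alloc_range(ida, 0, NR_EXT_DEVT - 1); }
/* Allocate until exhaustion and report the largest minor handed out. */
static int largest_minor(int (*alloc)(struct toy_ida *))
{
	struct toy_ida ida = { 0 };
	int last = -1, m;
	while ((m = alloc(&ida)) >= 0) last = m;
	return last;
}
/* The device_add_disk() step: ddev->devt = MKDEV(disk->major, disk->first_minor).
 * Returns 1 if major and minor survive the round trip, 0 if the minor spilled into
 * the major field (bit 20 set) and the dev_t no longer names this disk. */
static int devt_roundtrips(unsigned int major, unsigned int first_minor)
{
	unsigned int devt = MKDEV(major, first_minor);
	return MAJOR(devt) == major && MINOR(devt) == first_minor;
}

int main(void)
{
	int v = largest_minor(blk_alloc_ext_minor_vuln), f = largest_minor(blk_alloc_ext_minor_fixed);
	printf("vulnerable: largest minor %d, dev_t consistent: %d\n", v, devt_roundtrips(BLOCK_EXT_MAJOR, v));
	printf("fixed:      largest minor %d, dev_t consistent: %d\n", f, devt_roundtrips(BLOCK_EXT_MAJOR, f));
	return 0;
}
```

With an even major the spill is even more visible, since MAJOR() of the resulting dev_t comes back as major + 1 and the device would be registered under a number belonging to a different major.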

Responsible

Linux

Reservation

02/26/2025

Disclosure

02/26/2025

Moderation

accepted

CPE

ready

EPSS

0.00240

KEV

no

Activities

very low
