CVE-2025-22124 in Linux
Summary
by MITRE • 04/16/2025
In the Linux kernel, the following vulnerability has been resolved:
md/md-bitmap: fix wrong bitmap_limit for clustermd when write sb
In clustermd, separate write-intent-bitmaps are used for each cluster node:
0                    4k                     8k                    12k
-------------------------------------------------------------------
| idle                | md super            | bm super [0] + bits |
| bm bits[0, contd]   | bm super[1] + bits  | bm bits[1, contd]   |
| bm super[2] + bits  | bm bits [2, contd]  | bm super[3] + bits  |
| bm bits [3, contd]  |                     |                     |
So in node 1, pg_index in __write_sb_page() could equal bitmap->storage.file_pages. Then bitmap_limit will be calculated as 0. md_super_write() will be called with 0 size. That means the first 4k sb area of node 1 will never be updated through filemap_write_page(). This bug causes a hang of mdadm/clustermd_tests/01r1_Grow_resize.
Here use (pg_index % bitmap->storage.file_pages) to make the calculation of bitmap_limit correct.
Analysis
by VulDB Data Team • 02/15/2026
The vulnerability described in CVE-2025-22124 affects the Linux kernel's md (multi-device) subsystem, specifically within the md-bitmap implementation used by clustermd for managing distributed storage arrays. This issue manifests as a critical flaw in how bitmap limits are calculated during superblock writing operations in clustered environments where separate write-intent bitmaps are maintained for each cluster node. The problem occurs in the __write_sb_page() function where the calculation of bitmap_limit becomes incorrect, leading to improper handling of storage superblock updates across cluster nodes.
The technical flaw stems from a missing modulo in the bitmap limit calculation logic. When writing clustermd storage superblocks, pg_index can equal bitmap->storage.file_pages, causing the bitmap_limit calculation to return zero. This zero value is then passed to md_super_write() as a size of zero, so the first 4k of node 1's superblock area is never updated. The root cause aligns with CWE-129, representing an improper output validation issue where the system fails to properly validate or calculate boundary conditions for memory operations. This implementation error is a classic off-by-one or boundary condition flaw in memory management calculations.
The operational impact of this vulnerability is severe, particularly in clustered storage environments where mdadm and clustermd are utilized for distributed storage management. The bug specifically causes hangs during mdadm/clustermd_tests/01r1_Grow_resize operations, indicating that storage array growth and resize functionality becomes completely non-functional in clustered configurations. This represents a critical failure in storage management capabilities that would affect enterprise storage systems relying on clustered mdadm implementations. The vulnerability essentially creates a deadlock condition where cluster nodes cannot properly update their storage superblocks, rendering the storage array management operations unusable. From an ATT&CK perspective, this vulnerability maps to T1490 (Inhibit System Recovery) as it prevents proper system recovery operations through storage management failures, and potentially T1566 (Phishing) if the storage failures lead to data corruption that might be exploited through false recovery attempts.
The fix implemented addresses this by modifying the calculation to use (pg_index % bitmap->storage.file_pages) instead of the previous incorrect approach. This ensures that the bitmap_limit calculation correctly accounts for the circular nature of the bitmap storage layout, where pages wrap around to the beginning of the storage space when the index exceeds the available file pages. The solution directly addresses the core mathematical error in boundary condition handling and restores proper superblock update functionality across all cluster nodes. This patch demonstrates proper defensive programming practices by ensuring that modulo operations are correctly applied to prevent zero-sized memory operations that could lead to system hangs or resource exhaustion. The fix maintains the intended architectural design of separate bitmaps per cluster node while correcting the fundamental calculation error that prevented proper storage superblock management in clustered environments.
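The commit message and the analysis above both describe the same arithmetic: the bytes left in a node's bitmap are derived from file_pages and pg_index, and node 1's superblock page sits at pg_index == file_pages. The following C model, written for this page and not taken from the kernel source, reproduces the pre-fix and fixed forms of that calculation side by side. The exact shape of the kernel's expression, the 4 KiB page size and the 3-pages-per-node layout are assumptions made for the example; the global page index of a node's superblock page (node * file_pages) follows the layout diagram in the summary.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constants assumed for this model: 4 KiB pages, as in the layout diagram. */
#define PAGE_SHIFT 12UL
#define PAGE_SIZE  (1UL << PAGE_SHIFT)

/*
 * Model of the bitmap_limit computation in __write_sb_page() (an assumption
 * about its shape, not the kernel's code): bytes remaining in the node's
 * bitmap from pg_index onward. file_pages is the per-node page count,
 * pg_index the global page index across all nodes' bitmaps.
 */
static unsigned int bitmap_limit_bytes(unsigned long file_pages,
                                       unsigned long pg_index, bool fixed)
{
    unsigned long remaining;

    if (fixed)
        /* CVE-2025-22124 fix: wrap pg_index into the node's own page range. */
        remaining = file_pages - (pg_index % file_pages);
    else
        /* Pre-fix: evaluates to 0 exactly when pg_index == file_pages,
         * i.e. node 1's superblock page. */
        remaining = file_pages - pg_index;

    return (unsigned int)(remaining << PAGE_SHIFT);
}

/* Bytes md_super_write() would be asked to write for one 4k page. */
static unsigned long sb_write_size(unsigned long file_pages,
                                   unsigned long pg_index, bool fixed)
{
    unsigned int limit = bitmap_limit_bytes(file_pages, pg_index, fixed);

    return limit < PAGE_SIZE ? limit : PAGE_SIZE;
}

/* Global page index of a node's first (superblock) bitmap page, per the
 * diagram: each node's bitmap follows the previous node's file_pages. */
static unsigned long node_sb_page_index(unsigned int node,
                                        unsigned long file_pages)
{
    return (unsigned long)node * file_pages;
}

int main(void)
{
    const unsigned long file_pages = 3; /* constructed: 3 bitmap pages per node */

    for (unsigned int node = 0; node < 4; node++) {
        unsigned long idx = node_sb_page_index(node, file_pages);

        printf("node %u sb page %lu: pre-fix write %lu bytes, fixed write %lu bytes\n",
               node, idx,
               sb_write_size(file_pages, idx, false),
               sb_write_size(file_pages, idx, true));
    }
    return 0;
}
```

Running it shows the pre-fix size collapsing to 0 for node 1 only, which is why the commit message singles out node 1's first 4k: nodes 2 and 3 underflow the unsigned subtraction to a large value and still get a full-page write, while the fixed form yields file_pages worth of bytes at every node's superblock page.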