CVE-2022-50621

The vulnerability resides in the Linux kernel's LoadPin security module when used with device-mapper verity (dm-verity) targets. LoadPin restricts the origin of kernel modules and other files to a trusted filesystem, while dm-verity provides integrity verification for block devices. The bug occurs because LoadPin would trust any dm-verity target, even those configured to ignore corrupted data blocks (i.e., without enforcement). This means an attacker could bypass integrity checks by using a verity target that does not enforce data integrity [1].

Exploitation requires the ability to set up a dm-verity target with the "ignore_corruption" option and have LoadPin rely on it. An attacker with sufficient privileges (root or CAP_SYS_ADMIN) to configure device-mapper targets could create a verity target that reports data as valid even when corrupted, thus bypassing LoadPin's integrity verification. The attack surface is local, requiring administrative access to manipulate device-mapper.

The impact is significant: an attacker could load untrusted kernel modules or execute files that should have been blocked by LoadPin, undermining the system's integrity guarantees. This could lead to arbitrary code execution in the kernel context, privilege escalation, or persistent compromise.

The fix, committed to the Linux kernel stable tree, ensures that LoadPin only trusts dm-verity targets configured with enforcement (e.g., returning errors, restarting, or panicking on corruption). Users should apply the kernel patch or update to a version containing the fix. No workaround is mentioned [1].