From 84e2346b7ae9c50f95701027f8d860424623a294 Mon Sep 17 00:00:00 2001
From: Joe Lawrence <joe.lawrence@redhat.com>
Date: Fri, 14 Jan 2022 09:25:24 -0500
Subject: [KPATCH CVE-2022-0185] vfs: kpatch fixes for CVE-2022-0185
Kernels:
4.18.0-348.el8
4.18.0-348.2.1.el8_5
4.18.0-348.7.1.el8_5
Changes since last build:
arches: x86_64 ppc64le
fs_context.o: changed function: legacy_parse_param
---------------------------
Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-8/-/merge_requests/15
Approved-by: Artem Savkov (@artem.savkov)
Kernels:
4.18.0-348.el8
4.18.0-348.2.1.el8_5
4.18.0-348.7.1.el8_5
Modifications: none
commit 689263a917cde581464bdc69777dd0f3d9e808af
Author: Frantisek Hrbata <fhrbata@redhat.com>
Date: Fri Jan 14 10:30:05 2022 +0100
vfs: Out-of-bounds write of heap buffer in fs_context.c
Bugzilla: https://bugzilla.redhat.com/2040585
CVE: CVE-2022-0185
From Jamie Hill-Daniel <jamie@hill-daniel.co.uk>
The "PAGE_SIZE - 2 - size" calculation is an unsigned type so
a large value of "size" results in a high positive value. This
results in heap overflow which can be exploited by a standard
user for privilege escalation.
Signed-off-by: Frantisek Hrbata <fhrbata@redhat.com>
Signed-off-by: Joe Lawrence <joe.lawrence@redhat.com>
---
fs/fs_context.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/fs/fs_context.c b/fs/fs_context.c
index b1eacb03b72f..c921102b2398 100644
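--- a/fs/fs_context.c
+++ b/fs/fs_context.c
@@ -563,8 +563,10 @@ static int legacy_parse_param(struct fs_context *fc, struct fs_parameter *param)
 return invalf(fc, "VFS: Legacy: Parameter type for '%s' not supported",
 param->key);
 }
-
- if (len > PAGE_SIZE - 2 - size)
+ /* Subtracting 'size' from PAGE_SIZE can lead to integer underflow,
+ * so check bounds using addition instead.
+ */
+ if (size + len + 2 > PAGE_SIZE)
 return invalf(fc, "VFS: Legacy: Cumulative options too large");
 if (strchr(param->key, ',') ||
 (param->type == fs_value_is_string &&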
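Review bot: The new bound `if (size + len + 2 > PAGE_SIZE)` removes the wraparound of the old subtraction, but it is only sound while the sum itself cannot wrap, and the declarations of `size` and `len` are outside this hunk. If `len` derives from the caller-supplied parameter length, the comment should record what bounds each operand, for example `/* size never exceeds PAGE_SIZE and len is bounded by the parameter size, so the sum cannot wrap (confirm against the declarations) */`. The added comment also calls the old failure an "integer underflow", where the behaviour described in the commit message is unsigned wraparound, so `unsigned wraparound` would be the more precise wording. The body of legacy_parse_param starts before and continues after this hunk, so the copy that this check guards is not visible here.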
--
2.26.3