|
 |
970b9f |
From 84e2346b7ae9c50f95701027f8d860424623a294 Mon Sep 17 00:00:00 2001
|
|
|
970b9f |
From: Joe Lawrence <joe.lawrence@redhat.com>
|
|
|
970b9f |
Date: Fri, 14 Jan 2022 09:25:24 -0500
|
|
|
970b9f |
Subject: [KPATCH CVE-2022-0185] vfs: kpatch fixes for CVE-2022-0185
|
|
|
970b9f |
|
|
|
970b9f |
Kernels:
|
|
|
970b9f |
4.18.0-348.el8
|
|
|
970b9f |
4.18.0-348.2.1.el8_5
|
|
|
970b9f |
4.18.0-348.7.1.el8_5
|
|
|
970b9f |
|
|
|
970b9f |
Changes since last build:
|
|
|
970b9f |
arches: x86_64 ppc64le
|
|
|
970b9f |
fs_context.o: changed function: legacy_parse_param
|
|
|
970b9f |
---------------------------
|
|
|
970b9f |
|
|
|
970b9f |
Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-8/-/merge_requests/15
|
|
|
970b9f |
Approved-by: Artem Savkov (@artem.savkov)
|
|
|
970b9f |
Kernels:
|
|
|
970b9f |
4.18.0-348.el8
|
|
|
970b9f |
4.18.0-348.2.1.el8_5
|
|
|
970b9f |
4.18.0-348.7.1.el8_5
|
|
|
970b9f |
|
|
|
970b9f |
Modifications: none
|
|
|
970b9f |
|
|
|
970b9f |
commit 689263a917cde581464bdc69777dd0f3d9e808af
|
|
|
970b9f |
Author: Frantisek Hrbata <fhrbata@redhat.com>
|
|
|
970b9f |
Date: Fri Jan 14 10:30:05 2022 +0100
|
|
|
970b9f |
|
|
|
970b9f |
vfs: Out-of-bounds write of heap buffer in fs_context.c
|
|
|
970b9f |
|
|
|
970b9f |
Bugzilla: https://bugzilla.redhat.com/2040585
|
|
|
970b9f |
CVE: CVE-2022-0185
|
|
|
970b9f |
|
|
|
970b9f |
From Jamie Hill-Daniel <jamie@hill-daniel.co.uk>
|
|
|
970b9f |
|
|
|
970b9f |
The "PAGE_SIZE - 2 - size" calculation is is an unsigned type so
|
|
|
970b9f |
a large value of "size" results in a high positive value. This
|
|
|
970b9f |
results in heap overflow which can be exploited by a standard
|
|
|
970b9f |
user for privilege escalation.
|
|
|
970b9f |
|
|
|
970b9f |
Signed-off-by: Frantisek Hrbata <fhrbata@redhat.com>
|
|
|
970b9f |
|
|
|
970b9f |
Signed-off-by: Joe Lawrence <joe.lawrence@redhat.com>
|
|
|
970b9f |
---
|
|
|
970b9f |
fs/fs_context.c | 6 ++++--
|
|
|
970b9f |
1 file changed, 4 insertions(+), 2 deletions(-)
|
|
|
970b9f |
|
|
|
970b9f |
diff --git a/fs/fs_context.c b/fs/fs_context.c
|
|
|
970b9f |
index b1eacb03b72f..c921102b2398 100644
|
|
|
970b9f |
--- a/fs/fs_context.c
|
|
|
970b9f |
+++ b/fs/fs_context.c
|
|
|
970b9f |
@@ -563,8 +563,10 @@ static int legacy_parse_param(struct fs_context *fc, struct fs_parameter *param)
|
|
|
970b9f |
return invalf(fc, "VFS: Legacy: Parameter type for '%s' not supported",
|
|
|
970b9f |
param->key);
|
|
|
970b9f |
}
|
|
|
970b9f |
-
|
|
|
970b9f |
- if (len > PAGE_SIZE - 2 - size)
|
|
|
970b9f |
+ /* Subtracting 'size' from PAGE_SIZE can lead to integer underflow,
|
|
|
970b9f |
+ * so check bounds using addition instead.
|
|
|
970b9f |
+ */
|
|
|
970b9f |
+ if (size + len + 2 > PAGE_SIZE)
|
|
|
970b9f |
return invalf(fc, "VFS: Legacy: Cumulative options too large");
|
|
|
970b9f |
if (strchr(param->key, ',') ||
|
|
|
970b9f |
(param->type == fs_value_is_string &&
|
|
|
970b9f |
--
|
|
|
970b9f |
2.26.3
|
|
|
970b9f |
|
|
|
970b9f |
|