From 84e2346b7ae9c50f95701027f8d860424623a294 Mon Sep 17 00:00:00 2001
From: Joe Lawrence
Date: Fri, 14 Jan 2022 09:25:24 -0500
Subject: [KPATCH CVE-2022-0185] vfs: kpatch fixes for CVE-2022-0185

Kernels:
4.18.0-348.el8
4.18.0-348.2.1.el8_5
4.18.0-348.7.1.el8_5

Changes since last build:
arches: x86_64 ppc64le
fs_context.o: changed function: legacy_parse_param
---------------------------

Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-8/-/merge_requests/15
Approved-by: Artem Savkov (@artem.savkov)

Kernels:
4.18.0-348.el8
4.18.0-348.2.1.el8_5
4.18.0-348.7.1.el8_5

Modifications: none

commit 689263a917cde581464bdc69777dd0f3d9e808af
Author: Frantisek Hrbata
Date:   Fri Jan 14 10:30:05 2022 +0100

    vfs: Out-of-bounds write of heap buffer in fs_context.c

    Bugzilla: https://bugzilla.redhat.com/2040585
    CVE: CVE-2022-0185

    From Jamie Hill-Daniel

    The "PAGE_SIZE - 2 - size" calculation is an unsigned type so a large
    value of "size" results in a high positive value. This results in heap
    overflow which can be exploited by a standard user for privilege
    escalation.

    Signed-off-by: Frantisek Hrbata

Signed-off-by: Joe Lawrence
---
 fs/fs_context.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/fs/fs_context.c b/fs/fs_context.c
index b1eacb03b72f..c921102b2398 100644
--- a/fs/fs_context.c
+++ b/fs/fs_context.c
@@ -563,8 +563,10 @@ static int legacy_parse_param(struct fs_context *fc, struct fs_parameter *param)
 			return invalf(fc, "VFS: Legacy: Parameter type for '%s' not supported",
 				      param->key);
 	}
-
-	if (len > PAGE_SIZE - 2 - size)
+	/* Subtracting 'size' from PAGE_SIZE can lead to integer underflow,
+	 * so check bounds using addition instead.
+	 */
+	if (size + len + 2 > PAGE_SIZE)
 		return invalf(fc, "VFS: Legacy: Cumulative options too large");
 	if (strchr(param->key, ',') ||
 	    (param->type == fs_value_is_string &&
-- 
2.26.3
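Review bot: the `+ 2` in `if (size + len + 2 > PAGE_SIZE)` is only correct if `len` already counts the key, the `=` separator and the value, so that the 2 covers the leading `,` and the terminating NUL appended later in the function; those writes are outside this hunk, so please confirm the accounting and state it in the new comment ("2 covers the ',' and the NUL"). The comment should also say when the removed expression went wrong: `PAGE_SIZE - 2 - size` is unsigned arithmetic, so as soon as `size` exceeds `PAGE_SIZE - 2` the result wraps to a value near SIZE_MAX and `len > ...` can never be true, which is what let an oversized parameter be copied into the PAGE_SIZE buffer. The replacement sum cannot wrap unless `len` itself approaches SIZE_MAX, but a one-line note to that effect next to the check would save the next reader re-deriving it, and the dropped blank line before the `if` leaves the comment block butted against the closing brace, which is worth restoring for readability.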
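The underflow the commit message describes is easiest to see in a userspace model of the two checks. The following is an added example, not code from the kpatch or from the kernel: it assumes PAGE_SIZE is 4096 (x86_64) and that legacy_parse_param() appends `,` + key, optionally `=` + value, and then a NUL after the check passes (that append is not in the hunk above, so it is modelled, not quoted). It drives both the removed and the added check through the CVE-2022-0185 pattern: one well-formed parameter that fills the buffer to PAGE_SIZE - 1 bytes, then a second one that the old check waves through because its subtraction wraps. No memory is actually overrun; the model only computes how many bytes would land past the buffer.

```c
/* Added example: model of the legacy_parse_param() length check before and
 * after the CVE-2022-0185 fix. Not kernel code; see the assumptions above. */
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MODEL_PAGE_SIZE 4096UL /* assumption: x86_64 PAGE_SIZE */

/* The removed check, as written in the hunk. size_t arithmetic wraps when
 * size > PAGE_SIZE - 2, so the limit becomes a value near SIZE_MAX. */
static size_t old_limit(size_t size)
{
	return MODEL_PAGE_SIZE - 2 - size;
}

static bool old_check_accepts(size_t size, size_t len)
{
	return !(len > old_limit(size));
}

/* The added check, as written in the hunk: addition cannot wrap here. */
static bool new_check_accepts(size_t size, size_t len)
{
	return !(size + len + 2 > MODEL_PAGE_SIZE);
}

/* Modelled append (assumption, this part is outside the hunk): after the check
 * the kernel writes ',' + key [+ '=' + value] and a NUL at the new end.
 * Returns -1 if the check rejects the parameter, otherwise the number of bytes
 * that would be written past a PAGE_SIZE buffer (0 means in bounds), and
 * advances *size the way ctx->data_size would advance. */
static long simulate_append(size_t *size, const char *key, const char *value,
			    bool (*accepts)(size_t, size_t))
{
	size_t len = strlen(key);
	size_t end;

	if (value)
		len += 1 + strlen(value); /* '=' plus the value bytes */
	if (!accepts(*size, len))
		return -1;
	end = *size + 1 + len + 1;        /* ',' key ['=' value] '\0' */
	*size = *size + 1 + len;          /* new data_size, NUL not counted */
	return end > MODEL_PAGE_SIZE ? (long)(end - MODEL_PAGE_SIZE) : 0;
}

/* The trigger pattern: fill to PAGE_SIZE - 1 bytes with a legitimate
 * parameter, then submit one more. Returns the spill of the second append
 * under the given check: -1 means rejected, > 0 means heap overflow. */
static long run_pattern(bool (*accepts)(size_t, size_t))
{
	char filler[MODEL_PAGE_SIZE];
	char value[101];
	size_t size = 0;

	/* A 4094-byte key with no value: ',' + key + NUL is exactly 4096 bytes,
	 * leaving data_size at 4095. Both checks accept it in bounds. */
	memset(filler, 'A', MODEL_PAGE_SIZE - 2);
	filler[MODEL_PAGE_SIZE - 2] = '\0';
	if (simulate_append(&size, filler, NULL, accepts) != 0)
		return -2; /* model error: the filler must fit exactly */

	/* Now PAGE_SIZE - 2 - size wraps. The old check accepts any length;
	 * the new check rejects since 4095 + 102 + 2 > 4096. */
	memset(value, 'B', 100);
	value[100] = '\0';
	return simulate_append(&size, "x", value, accepts);
}

int main(void)
{
	printf("old limit at size 4095: %zu\n", old_limit(4095));
	printf("old check: spill of %ld bytes\n", run_pattern(old_check_accepts));
	printf("new check: %ld (rejected)\n", run_pattern(new_check_accepts));
	return 0;
}
```

The same accounting applies to any PAGE_SIZE: the old expression goes wrong exactly when a prior parameter has pushed `size` above `PAGE_SIZE - 2`, which the old check itself allowed, and the fixed sum rejects the follow-up because it compares the full `size + len + 2` against the buffer rather than a wrapped difference.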