UBUNTU: SAUCE: vfs: Out-of-bounds write of heap buffer in fs_context.c
The "PAGE_SIZE - 2 - size" calculation is an unsigned type so
a large value of "size" results in a high positive value. This
results in heap overflow which can be exploited by a standard
user for privilege escalation.

Signed-off-by: Jamie Hill-Daniel <jamie@hill-daniel.co.uk>
Signed-off-by: William Liu <willsroot@protonmail.com>
CVE-2022-0185
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Acked-by: Andy Whitcroft <andy.whitcroft@canonical.com>
Acked-by: Ben Romer <ben.romer@canonical.com>
Jamie Hill-Daniel authored and Thadeu Lima de Souza Cascardo committed Jan 13, 2022
1 parent ec7a852 commit bcad6a0
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion fs/fs_context.c
Expand Up @@ -548,7 +548,7 @@ static int legacy_parse_param(struct fs_context *fc, struct fs_parameter *param)
param->key);
}

if (len > PAGE_SIZE - 2 - size)
if (size + len + 2 > PAGE_SIZE)
return invalf(fc, "VFS: Legacy: Cumulative options too large");
if (strchr(param->key, ',') ||
(param->type == fs_value_is_string &&
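Review bot: The replacement condition `size + len + 2 > PAGE_SIZE` is only correct while the sum on its left side cannot itself wrap, and nothing in this hunk shows the types of `size` and `len` or an upper bound on `len`. The old form `len > PAGE_SIZE - 2 - size` failed because the subtraction went below zero in an unsigned type once `size` exceeded `PAGE_SIZE - 2`. The additive form removes that case, but it moves the arithmetic assumption to the addition. Please state in the commit message or in a comment above the check why the addition is safe here (for example, the maximum `len` can take at this point), or make the check independent of that reasoning with `check_add_overflow()` from `<linux/overflow.h>`. A short comment saying what the `+ 2` reserves would also help, since the constant is unexplained in the visible lines and a later change to how the buffer is filled would need to update it.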