From bcad6a03f8fe9b9b4e10a1c0129fa009b430cb1b Mon Sep 17 00:00:00 2001
From: Jamie Hill-Daniel <jamie@hill-daniel.co.uk>
Date: Tue, 11 Jan 2022 16:46:31 -0300
Subject: [PATCH] UBUNTU: SAUCE: vfs: Out-of-bounds write of heap buffer in
 fs_context.c

The "PAGE_SIZE - 2 - size" calculation is is an unsigned type so
a large value of "size" results in a high positive value. This
results in heap overflow which can be exploited by a standard
user for privilege escalation.

Signed-off-by: Jamie Hill-Daniel <jamie@hill-daniel.co.uk>
Signed-off-by: William Liu <willsroot@protonmail.com>
CVE-2022-0185
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Acked-by: Andy Whitcroft <andy.whitcroft@canonical.com>
Acked-by: Ben Romer <ben.romer@canonical.com>
---
 fs/fs_context.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/fs_context.c b/fs/fs_context.c
index de1985eae535f..a195e516f5bd2 100644
--- a/fs/fs_context.c
+++ b/fs/fs_context.c
@@ -548,7 +548,7 @@ static int legacy_parse_param(struct fs_context *fc, struct fs_parameter *param)
 			      param->key);
 	}
 
-	if (len > PAGE_SIZE - 2 - size)
+	if (size + len + 2 > PAGE_SIZE)
 		return invalf(fc, "VFS: Legacy: Cumulative options too large");
 	if (strchr(param->key, ',') ||
 	    (param->type == fs_value_is_string &&