UBUNTU: SAUCE: vfs: Out-of-bounds write of heap buffer in fs_context.c

clubby789 · Thadeu Lima de Souza Cascardo · commit 1a451917bd0b · 2022-01-12T11:51:53.000-03:00
The "PAGE_SIZE - 2 - size" calculation is is an unsigned type so
a large value of "size" results in a high positive value. This
results in heap overflow which can be exploited by a standard
user for privilege escalation.

Signed-off-by: Jamie Hill-Daniel &lt;jamie@hill-daniel.co.uk&gt;
Signed-off-by: William Liu &lt;willsroot@protonmail.com&gt;
CVE-2022-0185
Signed-off-by: Thadeu Lima de Souza Cascardo &lt;cascardo@canonical.com&gt;
Acked-by: Andy Whitcroft &lt;andy.whitcroft@canonical.com&gt;
Acked-by: Ben Romer &lt;ben.romer@canonical.com&gt;
diff --git a/fs/fs_context.c b/fs/fs_context.c
@@ -585,7 +585,7 @@ static int legacy_parse_param(struct fs_context *fc, struct fs_parameter *param)
 			      param->key);
 	}
 
-	if (len > PAGE_SIZE - 2 - size)
+	if (size + len + 2 > PAGE_SIZE)
 		return invalf(fc, "VFS: Legacy: Cumulative options too large");
 	if (strchr(param->key, ',') ||
 	    (param->type == fs_value_is_string &&

Original file line number	Diff line number	Diff line change
`@@ -585,7 +585,7 @@ static int legacy_parse_param(struct fs_context fc, struct fs_parameter param)`
`585`	`585`	`param->key);`
`586`	`586`	`}`
`587`	`587`
`588`		`- if (len > PAGE_SIZE - 2 - size)`
	`588`	`+ if (size + len + 2 > PAGE_SIZE)`
`589`	`589`	`return invalf(fc, "VFS: Legacy: Cumulative options too large");`
`590`	`590`	`if (strchr(param->key, ',') \|\|`
`591`	`591`	`(param->type == fs_value_is_string &&`