oss-sec
mailing list archives
Re: Linux kernel: Heap buffer overflow in fs_context.c since version 5.1
From: John Haxby <john.haxby () oracle com>
Date: Tue, 18 Jan 2022 18:57:57 +0000
<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
On 18 Jan 2022, at 18:21, Will <willsroot () protonmail com> wrote:

> There is a heap overflow bug in legacy_parse_param in which the length of data copied can be incremented beyond the
> width of the 1-page slab allocated for it. We currently have created functional LPE exploits against Ubuntu 20.04 and
> container escape exploits against Google's hardened COS. The bug was introduced in 5.1-rc1
> (https://github.com/torvalds/linux/commit/3e1aeb00e6d132efc151dacc062b38269bc9eccc#diff-c4a9ea83de4a42a0d1bcbaf1f03ce35188f38da4987e0e7a52aae7f04de14a05)
> and is present in all Linux releases since. As of January 18th, this patch
> (https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=722d94847de29310e8aa03fcbdb41fc92c521756)
> fixes this issue.
>
> The bug is caused by an integer underflow present in fs/fs_context.c:legacy_parse_param, which results in
> miscalculation of a valid max length. A bounds check is present at fs_context.c:551, returning an error if (len >
> PAGE_SIZE - 2 - size); however, if the value of size is greater than or equal to 4095, the unsigned subtraction will
> underflow to a massive value greater than len, so the check will not trigger. After this, the attacker may freely
> write data out-of-bounds. Changing the check to size + len + 2 > PAGE_SIZE (which the patch did) would fix this.
>
> Exploitation relies on the CAP_SYS_ADMIN capability; however, the permission only needs to be granted in the current
> namespace. An unprivileged user can use unshare(CLONE_NEWNS|CLONE_NEWUSER) to enter a namespace with the
> CAP_SYS_ADMIN permission, and then proceed with exploitation to root the system.
This is CVE-2022-0185
jch
Attachment:
signature.asc
Description: Message signed with OpenPGP
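The following is an added worked example, not code from the thread and not the kernel's own legacy_parse_param: it models only the arithmetic of the bounds check that Will's message describes, with the pre-fix comparison (len > PAGE_SIZE - 2 - size) beside the patched form (size + len + 2 > PAGE_SIZE), and counts the page fill levels at which each one accepts an append that does not actually fit. It assumes 4 KiB pages (the figure the message's numbers imply), a 32-bit unsigned `size` and a `size_t` `len` as in C's usual promotion rules, and a cost of len + 2 bytes per append (separator, option text, terminating NUL); the function and variable names are chosen here for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Assumption: 4 KiB pages, the size behind the "4095" threshold in the advisory. */
#define PAGE_SIZE 4096UL

/* Pre-fix check, shape taken from the advisory: the append is rejected when
 * len > PAGE_SIZE - 2 - size. Returns true when the append is accepted.
 * Once size >= PAGE_SIZE - 1 the unsigned subtraction wraps to a huge value,
 * the comparison can never be true, and every length is accepted. */
static bool vulnerable_check_accepts(unsigned int size, size_t len)
{
    return !(len > PAGE_SIZE - 2 - size);
}

/* Patched check: the same inequality rearranged so only additions occur.
 * For page-bounded size and len no term can wrap, so it cannot be bypassed. */
static bool fixed_check_accepts(unsigned int size, size_t len)
{
    return !(size + len + 2 > PAGE_SIZE);
}

/* Ground truth for this model: writing a separator, len bytes of option text
 * and a terminating NUL needs len + 2 bytes of free space in the page.
 * Precondition: size <= PAGE_SIZE, so the subtraction here cannot wrap. */
static bool append_fits(unsigned int size, size_t len)
{
    return len + 2 <= PAGE_SIZE - size;
}

/* Count the fill levels size = 0..PAGE_SIZE at which a check accepts an
 * append of len bytes that does not fit, i.e. would write past the page. */
static unsigned int count_false_accepts(bool (*accepts)(unsigned int, size_t),
                                        size_t len)
{
    unsigned int bad = 0;
    for (unsigned int size = 0; size <= PAGE_SIZE; size++)
        if (accepts(size, len) && !append_fits(size, len))
            bad++;
    return bad;
}

/* Count fill levels at which a check rejects an append that would have fit,
 * to confirm the patched form is no stricter than necessary. */
static unsigned int count_false_rejects(bool (*accepts)(unsigned int, size_t),
                                        size_t len)
{
    unsigned int bad = 0;
    for (unsigned int size = 0; size <= PAGE_SIZE; size++)
        if (!accepts(size, len) && append_fits(size, len))
            bad++;
    return bad;
}

int main(void)
{
    /* Constructed sample lengths: a tiny option, a mid-sized one, and the
     * largest that fits an empty page (PAGE_SIZE - 2). */
    const size_t lens[] = { 1, 100, PAGE_SIZE - 2 };

    printf("%-10s %-14s %-14s %-14s\n", "len", "vuln false+", "fixed false+", "fixed false-");
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        printf("%-10zu %-14u %-14u %-14u\n", lens[i],
               count_false_accepts(vulnerable_check_accepts, lens[i]),
               count_false_accepts(fixed_check_accepts, lens[i]),
               count_false_rejects(fixed_check_accepts, lens[i]));
    }

    /* The specific state the advisory names: size already 4095. */
    printf("size=4095, len=4000: vulnerable accepts=%d, fixed accepts=%d\n",
           vulnerable_check_accepts(4095, 4000), fixed_check_accepts(4095, 4000));
    return 0;
}
```

For every length the pre-fix comparison accepts exactly two impossible states, size = 4095 and size = 4096, because PAGE_SIZE - 2 - size has wrapped there; the rearranged comparison accepts nothing that does not fit and rejects nothing that does, which is the whole content of the one-line patch. The general defensive lesson carried by the model is that a bounds check written as a subtraction on unsigned operands is only safe if the minuend is provably the larger term; rewriting it as a sum compared against the limit removes that precondition.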
Current thread:
Linux kernel: Heap buffer overflow in fs_context.c since version 5.1 Will (Jan 18)
Re: Linux kernel: Heap buffer overflow in fs_context.c since version 5.1 John Haxby (Jan 18)