UBUNTU: SAUCE: vfs: Out-of-bounds write of heap buffer in fs_context.c
The "PAGE_SIZE - 2 - size" calculation is an unsigned type so
a large value of "size" results in a high positive value. This
results in heap overflow which can be exploited by a standard
user for privilege escalation.
Signed-off-by: Jamie Hill-Daniel <email address hidden>
Signed-off-by: William Liu <email address hidden>
CVE-2022-0185
Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>
Acked-by: Andy Whitcroft <email address hidden>
Acked-by: Ben Romer <email address hidden>
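
The unsigned wraparound described in the CVE-2022-0185 commit message above, as an added example that is not code from the kernel or from the patch. The function names, the `len` parameter, the fixed 4096-byte PAGE_SIZE and the sample values are assumptions made for illustration; the second function is one way to write the bounds check so the subtraction cannot wrap.

```c
#include <stddef.h>
#include <stdio.h>

/* Assumed page size for the example; unsigned, like the type the commit message describes. */
#define PAGE_SIZE ((size_t)4096)

/* Remaining space as the flawed expression computes it. Once size exceeds
 * PAGE_SIZE - 2 the unsigned subtraction wraps to a very large value. */
static size_t remaining_unsigned(size_t size)
{
    return PAGE_SIZE - 2 - size;
}

/* Flawed form: returns 1 (write allowed) when len fits in the wrapped
 * "remaining" value, so the length test never rejects anything. */
static int fits_unsigned_sub(size_t size, size_t len)
{
    if (len > PAGE_SIZE - 2 - size)
        return 0;
    return 1;
}

/* Hardened form (hypothetical helper): reject a full buffer first, so the
 * subtraction that follows is known not to wrap. */
static int fits_checked(size_t size, size_t len)
{
    if (size > PAGE_SIZE - 2)
        return 0;
    if (len > PAGE_SIZE - 2 - size)
        return 0;
    return 1;
}

int main(void)
{
    /* Constructed sample values: bytes already used, bytes to append. */
    size_t cases[][2] = { {100, 50}, {100, 4000}, {4094, 1}, {4095, 100} };

    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        size_t size = cases[i][0], len = cases[i][1];
        printf("size=%zu len=%zu remaining=%zu flawed=%d checked=%d\n",
               size, len, remaining_unsigned(size),
               fits_unsigned_sub(size, len), fits_checked(size, len));
    }
    return 0;
}
```
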
bpf_ringbuf_reserve is currently the only helper that returns a
PTR_TO_ALLOC_MEM, and bpf_ringbuf_submit and bpf_ringbuf_discard expect
only such pointers.
If some arithmetic is done on those pointers, those functions may corrupt
arbitrary memory.
Prevent such argument types from having an offset other than 0.
Also, other valid PTR_TO_MEM should not be accepted as parameters to
bpf_ringbuf_submit and bpf_ringbuf_discard. A different type mechanism
should be used instead, in order to guarantee that only values returned by
bpf_ringbuf_reserve can be used.
Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>
Acked-by: Kamal Mostafa <email address hidden>
Acked-by: Marcelo Henrique Cerri <email address hidden>
Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>