Re: Linux kernel: Heap buffer overflow in fs_context.c since version 5.1

[John Haxby <john.haxby () oracle com>]

> On 18 Jan 2022, at 18:21, Will <willsroot () protonmail com> wrote:
>
> There is a heap overflow bug in legacy_parse_param in which the length of data copied can be incremented beyond the 
> width of the 1-page slab allocated for it. We currently have created functional LPE exploits against Ubuntu 20.04 and 
> container escape exploits against Google's hardened COS. The bug was introduced in 5.1-rc1 
> (https://github.com/torvalds/linux/commit/3e1aeb00e6d132efc151dacc062b38269bc9eccc#diff-c4a9ea83de4a42a0d1bcbaf1f03ce35188f38da4987e0e7a52aae7f04de14a05)
>  and is present in all Linux releases since. As of January 18th, this patch 
> (https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=722d94847de29310e8aa03fcbdb41fc92c521756)
>  fixes this issue.
>
> The bug is caused by an integer underflow present in fs/fs_context.c:legacy_parse_param, which results in 
> miscalculation of a valid max length. A bounds check is present at fs_context.c:551, returning an error if (len > 
> PAGE_SIZE - 2 - size); however, if the value of size is greater than or equal to 4095, the unsigned subtraction will 
> underflow to a massive value greater than len, so the check will not trigger. After this, the attacker may freely 
> write data out-of-bounds. Changing the check to size + len + 2 > PAGE_SIZE (which the patch did) would fix this.
>
> Exploitation relies on the CAP_SYS_ADMIN capability; however, the permission only needs to be granted in the current 
> namespace. An unprivileged user can use unshare(CLONE_NEWNS|CLONE_NEWUSER) to enter a namespace with the 
> CAP_SYS_ADMIN permission, and then proceed with exploitation to root the system.

This is CVE-2022-0185

jch

Attachment: signature.asc
Description: Message signed with OpenPGP