Commit 7f430879 authored Mar 21, 2022 by Jamie Hill-Daniel Committed by Zheng Zengkai Mar 21, 2022

vfs: fs_context: fix up param length parsing in legacy_parse_param

mainline inclusion
from mainline-v5.17-rc1
commit 722d9484
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I4YD3S


CVE: CVE-2022-0185

--------------------------------

The "PAGE_SIZE - 2 - size" calculation in legacy_parse_param() is an
unsigned type so a large value of "size" results in a high positive
value instead of a negative value as expected.  Fix this by getting rid
of the subtraction.

Signed-off-by: Jamie Hill-Daniel <jamie@hill-daniel.co.uk>
Signed-off-by: William Liu <willsroot@protonmail.com>
Tested-by: Salvatore Bonaccorso <carnil@debian.org>
Tested-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Acked-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Luo Meng <luomeng12@huawei.com>
Reviewed-by: Zhang Yi <yi.zhang@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>

parent cbe05603

fs/fs_context.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -548,7 +548,7 @@ static int legacy_parse_param(struct fs_context fc, struct fs_parameter param)
		param->key);
		}

		if (len > PAGE_SIZE - 2 - size)
		if (size + len + 2 > PAGE_SIZE)
		return invalf(fc, "VFS: Legacy: Cumulative options too large");
		if (strchr(param->key, ',') \|\|
		(param->type == fs_value_is_string &&