Linux kernel v5.1+ Heap buffer overflow in fs_context.c
Original Post:
We discussed this vulnerability during Episode 114 on 25 January 2022
Integer underflow in fs_context.c's legacy_parse_param() function, which was introduced in v5.1. When bounds checking the provided option's length, the code compares it against system page size - 2 - context data size. The context data size can be controlled by the user and can exceed system page size - 2. If an attacker passes 4095, for example, the bounds check is rendered useless because it will allow SIZE_MAX bytes to be passed. This gives you a size-controlled overflow in the kmalloc-4k cache.

It's worth noting this vulnerability does require CAP_SYS_ADMIN to exploit; however, this capability check can be bypassed by using user namespaces if they're enabled.
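The arithmetic behind the underflow, as an added illustration that is not code from the page or from the kernel: the check is modelled in user space with `size_t` operands and a constructed 4 KiB `PAGE_SIZE`, so the wraparound the text describes can be observed directly. The vulnerable form reproduces the `len > PAGE_SIZE - 2 - size` comparison; the hardened form keeps the accumulated size on the left and compares the sum against the page, which is the standard way to write such a check without a subtraction that can wrap (the extra guards on `size` and `len` are this example's own addition). `effective_limit`, `legacy_check_vulnerable`, `legacy_check_fixed` and `simulate_accumulate` are names chosen for the example; the simulation only tracks byte counts and writes no buffer.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the kernel's page size on a 4 KiB-page system. */
#ifdef PAGE_SIZE
#undef PAGE_SIZE
#endif
#define PAGE_SIZE 4096u

/*
 * The limit the original comparison actually enforces for a given accumulated
 * context data size. The subtraction happens in size_t (unsigned), so once
 * size > PAGE_SIZE - 2 the result wraps to a huge value instead of going negative.
 */
size_t effective_limit(size_t size)
{
    return PAGE_SIZE - 2 - size;
}

/* Models the v5.1 check. Returns true when the option is rejected. */
bool legacy_check_vulnerable(size_t size, size_t len)
{
    return len > PAGE_SIZE - 2 - size;
}

/*
 * Hardened form of the same check: compare the total (existing data, new
 * option, separator and terminator) against the page instead of subtracting.
 * The guards on size and len are added here so the sum itself cannot wrap
 * for arbitrary inputs.
 */
bool legacy_check_fixed(size_t size, size_t len)
{
    if (size > PAGE_SIZE || len > PAGE_SIZE)
        return true;
    return size + len + 2 > PAGE_SIZE;
}

/*
 * Integer-only simulation of the accumulation loop: each accepted option adds
 * a separating comma (when data is already present) plus its own bytes.
 * Stops at the first rejected option and returns the final context data size,
 * so the two checks can be compared on the same constructed input.
 */
size_t simulate_accumulate(const size_t *lens, size_t n,
                           bool (*rejects)(size_t, size_t))
{
    size_t size = 0;
    for (size_t i = 0; i < n; i++) {
        if (rejects(size, lens[i]))
            break;
        if (size)
            size += 1;      /* ',' separator between options */
        size += lens[i];
    }
    return size;
}

int main(void)
{
    /* Constructed option lengths: the first two bring size to 4095 legitimately. */
    const size_t lens[] = { 4093, 1, 100000 };
    size_t n = sizeof lens / sizeof lens[0];

    printf("limit at size 0:    %zu\n", effective_limit(0));
    printf("limit at size 4095: %zu (SIZE_MAX is %zu)\n",
           effective_limit(4095), (size_t)SIZE_MAX);
    printf("vulnerable check accumulated: %zu bytes\n",
           simulate_accumulate(lens, n, legacy_check_vulnerable));
    printf("fixed check accumulated:      %zu bytes\n",
           simulate_accumulate(lens, n, legacy_check_fixed));
    return 0;
}
```

With the vulnerable check the third option is accepted even though it is far larger than the page, because the limit at size 4095 has wrapped to SIZE_MAX; with the hardened check it is rejected and the accumulated size stays within the page. The lesson for review is the shape of the expression: any bound written as `constant - variable` on an unsigned type needs a proof that the variable cannot exceed the constant, and an addition compared against the constant is easier to reason about.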