vfs: fs_context: fix up param length parsing in legacy_parse_param commit 722d94847de29310e8aa03fcbdb41fc92c521756 upstream. The "PAGE_SIZE - 2 - size" calculation in legacy_parse_param() is an unsigned type so a large value of "size" results in a high positive value instead of a negative value as expected. Fix this by getting rid of the subtraction. Signed-off-by: Jamie Hill-Daniel <jamie@hill-daniel.co.uk> Signed-off-by: William Liu <willsroot@protonmail.com> Tested-by: Salvatore Bonaccorso <carnil@debian.org> Tested-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com> Acked-by: Dan Carpenter <dan.carpenter@oracle.com> Acked-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit b1b5c3c38c5a3d3e542b3b978862c2f7886906e4) Signed-off-by: Robert Kolchmeyer <rkolchmeyer@google.com> BUG=b/213421437 TEST=presubmit RELEASE_NOTE=Fixed a privilege escalation vulnerability in fs_context in the Linux kernel. This resolves CVE-2022-0185. cos-patch: security-high Change-Id: I0f9f2ea425b4dd6e4111d885a3b92ca452fca2c1 Reviewed-on: https://cos-review.googlesource.com/c/third_party/kernel/+/27940 Reviewed-by: Vaibhav Rustagi <vaibhavrustagi@google.com> Reviewed-by: Roy Yang <royyang@google.com> Reviewed-by: Oleksandr Tymoshenko <ovt@google.com> Main-Branch-Verified: Cusky Presubmit Bot <presubmit@cos-infra-prod.iam.gserviceaccount.com> Tested-by: Cusky Presubmit Bot <presubmit@cos-infra-prod.iam.gserviceaccount.com>
1 file changed
