Overview
About vulnerability
In the Linux kernel, the following vulnerability has been resolved:
nilfs2: fix OOB in nilfs_set_de_type
The size of the nilfs_type_by_mode array in the fs/nilfs2/dir.c file is defined as “S_IFMT » S_SHIFT”, but the nilfs_set_de_type() function, which uses this array, specifies the index to read from the array in the same way as “(mode & S_IFMT) » S_SHIFT”.
static void nilfs_set_de_type(struct nilfs_dir_entry *de, struct inode *inode) { umode_t mode = inode->i_mode;
de->file_type = nilfs_type_by_mode[(mode & S_IFMT)»S_SHIFT]; // oob }
However, when the index is determined this way, an out-of-bounds (OOB) error occurs by referring to an index that is 1 larger than the array size when the condition “mode & S_IFMT == S_IFMT” is satisfied. Therefore, a patch to resize the nilfs_type_by_mode array should be applied to prevent OOB errors.
Details
- Affected product:
- AlmaLinux 9.2 ESU , CentOS 6 ELS , CentOS 7 ELS , CentOS 8.4 ELS , CentOS 8.5 ELS , CentOS Stream 8 ELS , CloudLinux 6 ELS , CloudLinux 7 ELS , Oracle Linux 6 ELS , Oracle Linux 7 ELS , RHEL 7 ELS , Ubuntu 16.04 ELS , Ubuntu 18.04 ELS
- Affected packages:
- kernel-uek @ 5.4.17 (+15 more)
In the Linux kernel, the following vulnerability has been resolved:
nilfs2: fix OOB in nilfs_set_de_type
The size of the nilfs_type_by_mode array in the fs/nilfs2/dir.c file is defined as “S_IFMT » S_SHIFT”, but the nilfs_set_de_type() function, which uses this array, specifies the index to read from the array in the same way as “(mode & S_IFMT) » S_SHIFT”.
static void nilfs_set_de_type(struct nilfs_dir_entry *de, struct inode *inode) { umode_t mode = inode->i_mode;
de->file_type = nilfs_type_by_mode[(mode & S_IFMT)»S_SHIFT]; // oob }
However, when the index is determined this way, an out-of-bounds (OOB) error occurs by referring to an index that is 1 larger than the array size when the condition “mode & S_IFMT == S_IFMT” is satisfied. Therefore, a patch to resize the nilfs_type_by_mode array should be applied to prevent OOB errors.