An out-of-bounds write flaw was found in the seq_file in Filesystem layer, where a local attacker with a user privilege could gain access to out-of-bound memory leading to a system crash or a leak of internal kernel information. The issue results from not validating the size_t-to-int conversion prior to performing operations. The highest threat from this vulnerability is to data integrity, confidentiality and system availability. While creating, mounting, and deleting a deep directory structure whose total path length exceeds 1GB, an unprivileged local attacker can write the 10-byte string "//deleted" to an offset of exactly -2GB-10B below the beginning of a vmalloc()ated kernel buffer. References: https://www.openwall.com/lists/oss-security/2021/07/20/1 https://www.qualys.com/2021/07/20/cve-2021-33909/sequoia-local-privilege-escalation-linux.txt Fix: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8cae8cd89f05f6de223d63e6d15e31c8ba9cf53b
*shrug* Just don't let the damn thing ask for vmalloc'ed buffer that large. IOW, add to seq_buf_alloc() if (unlikely(size > MAX_RW_COUNT)) return NULL; and be done with that.
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1984019]
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.2 Advanced Update Support Via RHSA-2021:2734 https://access.redhat.com/errata/RHSA-2021:2734
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.3 Advanced Update Support Via RHSA-2021:2733 https://access.redhat.com/errata/RHSA-2021:2733
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Extended Lifecycle Support Via RHSA-2021:2735 https://access.redhat.com/errata/RHSA-2021:2735
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:2715 https://access.redhat.com/errata/RHSA-2021:2715
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.4 Advanced Update Support Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions Red Hat Enterprise Linux 7.4 Telco Extended Update Support Via RHSA-2021:2732 https://access.redhat.com/errata/RHSA-2021:2732
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Extended Update Support Via RHSA-2021:2722 https://access.redhat.com/errata/RHSA-2021:2722
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.6 Advanced Update Support Red Hat Enterprise Linux 7.6 Update Services for SAP Solutions Red Hat Enterprise Linux 7.6 Telco Extended Update Support Via RHSA-2021:2730 https://access.redhat.com/errata/RHSA-2021:2730
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Extended Update Support Via RHSA-2021:2719 https://access.redhat.com/errata/RHSA-2021:2719
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-33909
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Extended Update Support Via RHSA-2021:2718 https://access.redhat.com/errata/RHSA-2021:2718
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Extended Update Support Via RHSA-2021:2723 https://access.redhat.com/errata/RHSA-2021:2723
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:2714 https://access.redhat.com/errata/RHSA-2021:2714
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2021:2727 https://access.redhat.com/errata/RHSA-2021:2727
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.6 Update Services for SAP Solutions Via RHSA-2021:2731 https://access.redhat.com/errata/RHSA-2021:2731
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Extended Update Support Via RHSA-2021:2720 https://access.redhat.com/errata/RHSA-2021:2720
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:2716 https://access.redhat.com/errata/RHSA-2021:2716
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.7 Extended Update Support Via RHSA-2021:2729 https://access.redhat.com/errata/RHSA-2021:2729
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2021:2725 https://access.redhat.com/errata/RHSA-2021:2725
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2021:2726 https://access.redhat.com/errata/RHSA-2021:2726
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.7 Extended Update Support Via RHSA-2021:2728 https://access.redhat.com/errata/RHSA-2021:2728
This issue has been addressed in the following products: Red Hat Virtualization 4 for Red Hat Enterprise Linux 7 Via RHSA-2021:2737 https://access.redhat.com/errata/RHSA-2021:2737
This issue has been addressed in the following products: Red Hat Virtualization 4 for Red Hat Enterprise Linux 8 Via RHSA-2021:2736 https://access.redhat.com/errata/RHSA-2021:2736
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.7 Via RHSA-2021:2763 https://access.redhat.com/errata/RHSA-2021:2763