Bug 2295920 - kernel: bcache: fix variable length array abuse in btree_iter
Keywords:
Status: CLOSED DUPLICATE of bug 2296054
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2024-07-05 09:22 UTC by OSIDB Bzimport
Modified: 2024-07-12 13:02 UTC
CC List: 0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2024-07-05 21:10:07 UTC
Embargoed:



Description OSIDB Bzimport 2024-07-05 09:22:42 UTC
In the Linux kernel, the following vulnerability has been resolved:

bcache: fix variable length array abuse in btree_iter

btree_iter is used in two ways: either allocated on the stack with a
fixed size MAX_BSETS, or from a mempool with a dynamic size based on the
specific cache set. Previously, the struct had a fixed-length array of
size MAX_BSETS which was indexed out-of-bounds for the dynamically-sized
iterators, which causes UBSAN to complain.

This patch uses the same approach as in bcachefs's sort_iter and splits
the iterator into a btree_iter with a flexible array member and a
btree_iter_stack which embeds a btree_iter as well as a fixed-length
data array.
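
The struct split described above, as a simplified userspace sketch added here; it is not the kernel patch or code from this bug. `struct iter_set`, `iter_stack_init`, `iter_alloc`, `iter_push` and the value 4 for `MAX_BSETS` are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#define MAX_BSETS 4 /* value chosen for this sketch */
struct iter_set { const int *k, *end; }; /* simplified stand-in for one set's key range */

/* Header carries its own capacity; storage is a flexible array member. */
struct btree_iter {
    size_t size, used;
    struct iter_set data[];
};

/* Stack variant: fixed storage sits directly behind the embedded header (GNU C extension). */
struct btree_iter_stack {
    struct btree_iter iter;
    struct iter_set stack_data[MAX_BSETS];
};
_Static_assert(offsetof(struct btree_iter_stack, stack_data) ==
               offsetof(struct btree_iter, data), "stack_data must back iter.data");

struct btree_iter *iter_stack_init(struct btree_iter_stack *s)
{
    s->iter = (struct btree_iter){ .size = MAX_BSETS }; /* used starts at 0 */
    return &s->iter;
}

/* Dynamic variant: one allocation sized for nsets entries, with an overflow check. */
struct btree_iter *iter_alloc(size_t nsets)
{
    if (nsets > (SIZE_MAX - sizeof(struct btree_iter)) / sizeof(struct iter_set))
        return NULL;
    struct btree_iter *it = malloc(sizeof(*it) + nsets * sizeof(struct iter_set));
    if (it) { it->size = nsets; it->used = 0; }
    return it;
}

/* Insertion is bounded by the iterator's own capacity, not by MAX_BSETS. */
int iter_push(struct btree_iter *it, const int *k, const int *end)
{
    if (it->used >= it->size)
        return -1;
    it->data[it->used++] = (struct iter_set){ k, end };
    return 0;
}

int main(void)
{
    struct btree_iter_stack s;
    return iter_push(iter_stack_init(&s), NULL, NULL);
}
```

With the old fixed `data[MAX_BSETS]` layout, the ninth-slot style accesses that the heap-allocated iterator makes legitimately here would index past the declared array bound, which is the condition UBSAN reported.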

Comment 1 Mauro Matteo Cascella 2024-07-05 21:10:07 UTC

*** This bug has been marked as a duplicate of bug 2296054 ***
