An integer overflow in util-linux through 2.37.1 can potentially cause a buffer overflow if an attacker were able to use system resources in a way that leads to a large number in the /proc/sysvipc/sem file.

Reference: https://github.com/karelzak/util-linux/issues/1395

Upstream patch: https://github.com/karelzak/util-linux/commit/1c9143d0c1f979c3daf10e1c37b5b1e916c22a1c

Created util-linux tracking bugs for this issue:

Affects: fedora-all [bug 1987322]
Exploitability of this vuln is limited by the value of SEMMSL. For any reasonable value of this limit, the overflow is not possible.
There is no exploitability at all, the tools do not have any extra permissions, the worst possible case is that it will call calloc() with bad values. This is pretty common in userspace and it does not affect anything. This whole CVE is total nonsense and it seems that everyone can submit whatever to the CVE, a sad thing ...
In reply to comment #4:
> There is no exploitability at all, the tools do not have any extra
> permissions, the worst possible case is that it will call calloc() with bad
> values. This is pretty common in userspace and it does not affect anything.

You are right that util-linux tools do not elevate privileges, but the risk here is that when invoked by a privileged user, the overflow can be triggered by the behaviour of another user who has created the semaphores being examined. If the parameters influencing calloc() were entirely supplied by the user invoking the tool, there would be no CVE. But in this case they can come from a different privilege domain.
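An added example, not code from util-linux, the upstream patch, or any commenter in this thread: one way to validate a semaphore count that arrives as text from another privilege domain before it becomes a calloc() element count. The names `sem_elem_example`, `parse_sem_count` and `alloc_sem_elements`, and the limit value 32000, are assumptions made for illustration.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical per-semaphore record; stands in for whatever the tool stores. */
struct sem_elem_example { int semval, ncount, zcount, pid; };

/*
 * Parse a decimal count from untrusted text and validate it before it is
 * used as an allocation size. Returns 0 and sets *out on success, -1 if the
 * field is malformed or the count cannot be allocated safely.
 */
static int parse_sem_count(const char *field, uint64_t limit, size_t *out)
{
    char *end;
    unsigned long long v;

    /* strtoull() accepts "-1" and wraps it to a huge value: require a digit. */
    if (!field || !isdigit((unsigned char)field[0]))
        return -1;
    errno = 0;
    v = strtoull(field, &end, 10);
    if (errno == ERANGE || *end != '\0')
        return -1;
    /* Caller-chosen sanity cap (constructed value in main, not a kernel query). */
    if (v == 0 || v > limit)
        return -1;
    /* Covers both truncation to a 32-bit size_t and count * size overflow. */
    if (v > SIZE_MAX / sizeof(struct sem_elem_example))
        return -1;
    *out = (size_t)v;
    return 0;
}

/* Allocate only after the count has passed every check above. */
static struct sem_elem_example *alloc_sem_elements(const char *field,
                                                   uint64_t limit, size_t *n)
{
    if (parse_sem_count(field, limit, n) != 0)
        return NULL;
    return calloc(*n, sizeof(struct sem_elem_example));
}

int main(void)
{
    size_t n = 0;
    struct sem_elem_example *e = alloc_sem_elements("250", 32000, &n);
    int ok = (e != NULL && n == 250);
    free(e);
    return ok ? 0 : 1;
}
```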
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-37600