Post Syndicated from original https://lwn.net/Articles/863586/rss

Commit 8cae8cd89f05
went into the mainline kernel repository on July 19; it puts a limit
on the size of
buffers allocated in the seq_file mechanism and mentions “int
overflow pitfalls“. For more information, look to this
Qualys advisory describing the vulnerability:

We discovered a size_t-to-int conversion vulnerability in the Linux
kernel’s filesystem layer: by creating, mounting, and deleting a
deep directory structure whose total path length exceeds 1GB, an
unprivileged local attacker can write the 10-byte string
“//deleted” to an offset of exactly -2GB-10B below the beginning of
a vmalloc()ated kernel buffer.

It may not sound like much, but they claim to have written exploits for a
number of Ubuntu, Debian, and Fedora distributions. Updates from
distributors are already flowing, and this patch has been fast-tracked into
today’s stable kernel updates as well.