A heap overflow bug was recently discovered in the Linux kernel. The patch is available now in most major Linux distributions. //

In this one, there's a heap overflow bug in the legacy_parse_param in the Linux kernel's fs/fs_context.c program. This parameter is used in Linux filesystems during superblock creation for mount and superblock reconfiguration for a remount. The superblock records all of a filesystem's characteristics such as file size, block size, empty and filled storage blocks. So, yeah, it's important.

The legacy_parse_param() "PAGE_SIZE - 2 - size" calculation was mistakenly made an unsigned type. This means a large value of "size" results in a high positive value instead of a negative value as expected. Whoops.

A local attacker can use it to escalate their user privileges or crash the system. This can be done with a specially crafted program that triggers this integer overflow. That done, it's trivial to execute arbitrary code and give the attacker root privileges.

To exploit it requires the CAP_SYS_ADMIN privilege to be enabled. If that's the case, an unprivileged local user can open a filesystem that does not support the File System Context application programming interface (API). In this situation, it drops back to legacy handling, and from there, the flaw can escalate an attacker's system privileges.