In the Linux kernel, the following vulnerability has been resolved:

cifs: fix underflow in parse_server_interfaces()

In this loop, we step through the buffer and after each item we check
if the size_left is greater than the minimum size we need. However,
the problem is that “bytes_left” is type ssize_t while sizeof() is type
size_t. That means that because of type promotion, the comparison is
done as an unsigned and if we have negative bytes left the loop
continues instead of ending.
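
The comparison described above, reproduced in user space as an added example (not the kernel's code). `struct item`, `walk()` and `demo()` are hypothetical names, the input is constructed, and the `(ssize_t)` cast is shown as one way to keep the comparison signed.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <sys/types.h>   /* ssize_t */
/* Hypothetical record: "next" is the offset to the following record. */
struct item { uint32_t next; uint32_t value; };

/* ssize_t compared with size_t: bytes_left is converted to unsigned,
 * so a negative count turns into a very large one and the test passes. */
int keep_going_buggy(ssize_t bytes_left)
{
    return bytes_left >= sizeof(struct item);
}

/* Same test with the comparison kept signed. */
int keep_going_fixed(ssize_t bytes_left)
{
    return bytes_left >= (ssize_t)sizeof(struct item);
}

/* Returns records parsed, or -1 where the loop would read out of bounds. */
int walk(const unsigned char *buf, size_t len, int (*keep_going)(ssize_t))
{
    ssize_t bytes_left = (ssize_t)len;
    size_t off = 0;
    int count = 0;
    while (keep_going(bytes_left)) {
        struct item it;
        if (off + sizeof(it) > len) return -1;  /* guard replaces the OOB read */
        memcpy(&it, buf + off, sizeof(it));
        count++;
        if (it.next == 0) break;                /* last record */
        off += it.next;
        bytes_left -= (ssize_t)it.next;  /* negative when next > bytes_left */
    }
    return count;
}

/* Constructed input: the second record claims a "next" past the buffer. */
int demo(int (*keep_going)(ssize_t))
{
    struct item items[2] = { {8, 1}, {64, 2} };
    return walk((const unsigned char *)items, sizeof(items), keep_going);
}

int main(void)
{
    printf("buggy=%d fixed=%d\n", demo(keep_going_buggy), demo(keep_going_fixed));
    return 0;
}
```

Compiling with `-Wsign-compare` (part of `-Wextra` for C in GCC and Clang) flags the comparison in `keep_going_buggy()`.
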
[
{
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"product": "Linux",
"versions": [
{
"status": "affected",
"version": "fe856be475f7",
"lessThan": "7190353835b4",
"versionType": "git"
},
{
"status": "affected",
"version": "fe856be475f7",
"lessThan": "f7ff1c89fb6e",
"versionType": "git"
},
{
"status": "affected",
"version": "fe856be475f7",
"lessThan": "df2af9fdbc4d",
"versionType": "git"
},
{
"status": "affected",
"version": "fe856be475f7",
"lessThan": "cffe487026be",
"versionType": "git"
}
],
"programFiles": [
"fs/smb/client/smb2ops.c"
],
"defaultStatus": "unaffected"
},
{
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"product": "Linux",
"versions": [
{
"status": "affected",
"version": "4.18"
},
{
"status": "unaffected",
"version": "0",
"lessThan": "4.18",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "6.1.79",
"versionType": "custom",
"lessThanOrEqual": "6.1.*"
},
{
"status": "unaffected",
"version": "6.6.18",
"versionType": "custom",
"lessThanOrEqual": "6.6.*"
},
{
"status": "unaffected",
"version": "6.7.6",
"versionType": "custom",
"lessThanOrEqual": "6.7.*"
},
{
"status": "unaffected",
"version": "6.8",
"versionType": "original_commit_for_fix",
"lessThanOrEqual": "*"
}
],
"programFiles": [
"fs/smb/client/smb2ops.c"
],
"defaultStatus": "affected"
}
]