Description
In the Linux kernel, the following vulnerability has been resolved: ovl: keep err zero after successful ovl_cache_get() ovl_iterate_merged() stores PTR_ERR(cache) in err before checking IS_ERR(cache). On success err holds the truncated cache pointer and can be returned as a bogus non-zero error. The syzbot reproducer reaches this through overlay-on-overlay readdir: getdents64 iterate_dir(outer overlay file) ovl_iterate_merged() ovl_cache_get() ovl_dir_read_merged() ovl_dir_read() iterate_dir(inner overlay file) ovl_iterate_merged() Only compute PTR_ERR(cache) on the error path.
CVSS breakdown
CVSS 3.1
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Affected products
- Linux / Linuxd25e4b739f8378419f990983f2542160e79738c5 – e7051909a01bfb883bfa78b27514854068ac4b85
- Linux / Linuxd25e4b739f8378419f990983f2542160e79738c5 – 1711b6ed6953cee5940ca4c3a6e77f1b3798cee2
- Linux / Linux6.19 – 6.19
- Linux / Linux0 – 6.19
- Linux / Linux7.0.13 – 7.0.*
- Linux / Linux7.1 – *