CVE-2022-49885

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ACPI: APEI: Fix integer overflow in ghes_estatus_pool_init()<br /> <br /> Change num_ghes from int to unsigned int, preventing an overflow<br /> and causing subsequent vmalloc() to fail.<br /> <br /> The overflow happens in ghes_estatus_pool_init() when calculating<br /> len during execution of the statement below as both multiplication<br /> operands here are signed int:<br /> <br /> len += (num_ghes * GHES_ESOURCE_PREALLOC_MAX_SIZE);<br /> <br /> The following call trace is observed because of this bug:<br /> <br /> [ 9.317108] swapper/0: vmalloc error: size 18446744071562596352, exceeds total pages, mode:0xcc0(GFP_KERNEL), nodemask=(null),cpuset=/,mems_allowed=0-1<br /> [ 9.317131] Call Trace:<br /> [ 9.317134] <br /> [ 9.317137] dump_stack_lvl+0x49/0x5f<br /> [ 9.317145] dump_stack+0x10/0x12<br /> [ 9.317146] warn_alloc.cold+0x7b/0xdf<br /> [ 9.317150] ? __device_attach+0x16a/0x1b0<br /> [ 9.317155] __vmalloc_node_range+0x702/0x740<br /> [ 9.317160] ? device_add+0x17f/0x920<br /> [ 9.317164] ? dev_set_name+0x53/0x70<br /> [ 9.317166] ? platform_device_add+0xf9/0x240<br /> [ 9.317168] __vmalloc_node+0x49/0x50<br /> [ 9.317170] ? ghes_estatus_pool_init+0x43/0xa0<br /> [ 9.317176] vmalloc+0x21/0x30<br /> [ 9.317177] ghes_estatus_pool_init+0x43/0xa0<br /> [ 9.317179] acpi_hest_init+0x129/0x19c<br /> [ 9.317185] acpi_init+0x434/0x4a4<br /> [ 9.317188] ? acpi_sleep_proc_init+0x2a/0x2a<br /> [ 9.317190] do_one_initcall+0x48/0x200<br /> [ 9.317195] kernel_init_freeable+0x221/0x284<br /> [ 9.317200] ? rest_init+0xe0/0xe0<br /> [ 9.317204] kernel_init+0x1a/0x130<br /> [ 9.317205] ret_from_fork+0x22/0x30<br /> [ 9.317208] <br /> <br /> [ rjw: Subject and changelog edits ]