Patchwork [maverick,maverick/ti-omap4,natty,natty/ti-omap4,CVE,1/1] fuse: check size of FUSE_NOTIFY_INVAL_ENTRY message

login
register
mail settings
Submitter Andy Whitcroft
Date Jan. 3, 2012, 1:14 p.m.
Message ID <1325596479-16407-2-git-send-email-apw@canonical.com>
Download mbox | patch
Permalink /patch/133999/
State New
Headers show

Comments

Andy Whitcroft - Jan. 3, 2012, 1:14 p.m.
From: Miklos Szeredi <mszeredi@suse.cz>

FUSE_NOTIFY_INVAL_ENTRY didn't check the length of the write so the
message processing could overrun and result in a "kernel BUG at
fs/fuse/dev.c:629!"

Reported-by: Han-Wen Nienhuys <hanwenn@gmail.com>
Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
CC: stable@kernel.org

(cherry picked from commit c2183d1e9b3f313dd8ba2b1b0197c8d9fb86a7ae)
CVE-2011-3353
BugLink: http://bugs.launchpad.net/bugs/905058
Signed-off-by: Andy Whitcroft <apw@canonical.com>
---
 fs/fuse/dev.c |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)
Herton Ronaldo Krzesinski - Jan. 3, 2012, 2:07 p.m.
On Tue, Jan 03, 2012 at 01:14:39PM +0000, Andy Whitcroft wrote:
> From: Miklos Szeredi <mszeredi@suse.cz>
> 
> FUSE_NOTIFY_INVAL_ENTRY didn't check the length of the write so the
> message processing could overrun and result in a "kernel BUG at
> fs/fuse/dev.c:629!"
> 
> Reported-by: Han-Wen Nienhuys <hanwenn@gmail.com>
> Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
> CC: stable@kernel.org
> 
> (cherry picked from commit c2183d1e9b3f313dd8ba2b1b0197c8d9fb86a7ae)
> CVE-2011-3353
> BugLink: http://bugs.launchpad.net/bugs/905058
> Signed-off-by: Andy Whitcroft <apw@canonical.com>
> ---
>  fs/fuse/dev.c |    4 ++++
>  1 files changed, 4 insertions(+), 0 deletions(-)
> 
> diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c
> index e5cdabf..517430a 100644
> --- a/fs/fuse/dev.c
> +++ b/fs/fuse/dev.c
> @@ -1208,6 +1208,10 @@ static int fuse_notify_inval_entry(struct fuse_conn *fc, unsigned int size,
>  	if (outarg.namelen > FUSE_NAME_MAX)
>  		goto err;
>  
> +	err = -EINVAL;
> +	if (size != sizeof(outarg) + outarg.namelen + 1)
> +		goto err;
> +
>  	name.name = buf;
>  	name.len = outarg.namelen;
>  	err = fuse_copy_one(cs, buf, outarg.namelen + 1);
> -- 
> 1.7.5.4
> 
> 
> -- 
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
>
Seth Forshee - Jan. 3, 2012, 2:33 p.m.
On Tue, Jan 03, 2012 at 01:14:39PM +0000, Andy Whitcroft wrote:
> From: Miklos Szeredi <mszeredi@suse.cz>
> 
> FUSE_NOTIFY_INVAL_ENTRY didn't check the length of the write so the
> message processing could overrun and result in a "kernel BUG at
> fs/fuse/dev.c:629!"
> 
> Reported-by: Han-Wen Nienhuys <hanwenn@gmail.com>
> Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
> CC: stable@kernel.org
> 
> (cherry picked from commit c2183d1e9b3f313dd8ba2b1b0197c8d9fb86a7ae)
> CVE-2011-3353
> BugLink: http://bugs.launchpad.net/bugs/905058
> Signed-off-by: Andy Whitcroft <apw@canonical.com>

Acked-by: Seth Forshee <seth.forshee@canonical.com>

> ---
>  fs/fuse/dev.c |    4 ++++
>  1 files changed, 4 insertions(+), 0 deletions(-)
> 
> diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c
> index e5cdabf..517430a 100644
> --- a/fs/fuse/dev.c
> +++ b/fs/fuse/dev.c
> @@ -1208,6 +1208,10 @@ static int fuse_notify_inval_entry(struct fuse_conn *fc, unsigned int size,
>  	if (outarg.namelen > FUSE_NAME_MAX)
>  		goto err;
>  
> +	err = -EINVAL;
> +	if (size != sizeof(outarg) + outarg.namelen + 1)
> +		goto err;
> +
>  	name.name = buf;
>  	name.len = outarg.namelen;
>  	err = fuse_copy_one(cs, buf, outarg.namelen + 1);
> -- 
> 1.7.5.4
> 
> 
> -- 
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team

Patch

diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c
index e5cdabf..517430a 100644
--- a/fs/fuse/dev.c
+++ b/fs/fuse/dev.c
@@ -1208,6 +1208,10 @@  static int fuse_notify_inval_entry(struct fuse_conn *fc, unsigned int size,
 	if (outarg.namelen > FUSE_NAME_MAX)
 		goto err;
 
+	err = -EINVAL;
+	if (size != sizeof(outarg) + outarg.namelen + 1)
+		goto err;
+
 	name.name = buf;
 	name.len = outarg.namelen;
 	err = fuse_copy_one(cs, buf, outarg.namelen + 1);