Ack: [maverick, maverick/ti-omap4, natty, natty/ti-omap4 CVE 1/1] fuse: check size of FUSE_NOTIFY_INVAL_ENTRY message
Seth Forshee
seth.forshee at canonical.com
Tue Jan 3 14:33:39 UTC 2012
On Tue, Jan 03, 2012 at 01:14:39PM +0000, Andy Whitcroft wrote:
> From: Miklos Szeredi <mszeredi at suse.cz>
>
> FUSE_NOTIFY_INVAL_ENTRY didn't check the length of the write so the
> message processing could overrun and result in a "kernel BUG at
> fs/fuse/dev.c:629!"
>
> Reported-by: Han-Wen Nienhuys <hanwenn at gmail.com>
> Signed-off-by: Miklos Szeredi <mszeredi at suse.cz>
> CC: stable at kernel.org
>
> (cherry picked from commit c2183d1e9b3f313dd8ba2b1b0197c8d9fb86a7ae)
> CVE-2011-3353
> BugLink: http://bugs.launchpad.net/bugs/905058
> Signed-off-by: Andy Whitcroft <apw at canonical.com>
Acked-by: Seth Forshee <seth.forshee at canonical.com>
> ---
> fs/fuse/dev.c | 4 ++++
> 1 files changed, 4 insertions(+), 0 deletions(-)
>
> diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c
> index e5cdabf..517430a 100644
> --- a/fs/fuse/dev.c
> +++ b/fs/fuse/dev.c
> @@ -1208,6 +1208,10 @@ static int fuse_notify_inval_entry(struct fuse_conn *fc, unsigned int size,
> if (outarg.namelen > FUSE_NAME_MAX)
> goto err;
>
> + err = -EINVAL;
> + if (size != sizeof(outarg) + outarg.namelen + 1)
> + goto err;
> +
> name.name = buf;
> name.len = outarg.namelen;
> err = fuse_copy_one(cs, buf, outarg.namelen + 1);
> --
> 1.7.5.4
>
>
> --
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
More information about the kernel-team
mailing list