oss-sec mailing list archives
Re: CVE Request: Linux: fuse: possible denial of service in fuse_fill_write_pages()
From: cve-assign () mitre org
Date: Sun, 24 Jan 2016 13:03:13 -0500 (EST)
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
https://bugzilla.redhat.com/show_bug.cgi?id=1290642 https://git.kernel.org/linus/3ca8138f014a913f98e6ef40e939868e1e9ea876
I got a report about unkillable task eating CPU. Further investigation shows, that the problem is in the fuse_fill_write_pages() function. If iov's first segment has zero length, we get an infinite loop, because we never reach iov_iter_advance() call.
Use CVE-2015-8785.
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=124d3b7041f9a0ca7c43a6293e1cae4576c32fd5
Frederik Himpe reported an unkillable and un-straceable pan process.
Zero length iovecs can go into an infinite loop in writev, because the iovec iterator does not always advance over them.
The sequence required to trigger this is not trivial. I think it requires that a zero-length iovec be followed by a non-zero-length iovec which causes a pagefault in the atomic usercopy. This causes the writev code to drop back into single-segment copy mode, which then tries to copy the 0 bytes of the zero-length iovec; a zero length copy looks like a failure though, so it loops.
Use CVE-2008-7316. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJWpQ7BAAoJEL54rhJi8gl5Am8QAIDWhohuCTV/LLATmZ2l79qT 6nH6UaXEQDTBLo3zaroI37UuALPBO3jj6gs+QrvAgs/p6lIVmYVZXbW+s23JXcly UaF82HMfSa7G4TpErnY140XiyuY9litUunfxtJ1GBaB+NYDyPKOUI2O/LAfbnS7J KvkB+9fzPNb6sgmHCNVtLQB8FI/zWscDL+YUAJtRlFzaj6m4Zmld+DfgNKEVj5v5 BYx2arc67iCKDeravJ+FTBJ7q332z/zgDjYOYSsHRlsBtkcZjkOXQaFDxEXOMXUK VWjA3HG4UIryj5lt0WCJvrxEVQGUKxuKqoznYb9n2yUeIX/tpqbARkHxAkcaoZch N9qSZS7aoSqb0Zpg2kJPzrpM7lFsyZUARYoX4JzeNC/luFxfcyyD4Rsq6ZvtS4gN 626g1nWB8te7xtUAWL8EEvAyLi8M5Xy9yNBQ/TJvi4AYUgMMJcRTzQNwEstwwIiv k0jo9ExujeusDwJ0OTww7jtqfHLeyY+WqwWK11Lfs7A1a03qMgmcYTQoZ/PFyklX SKygUyCIh8ampY97myeL6pa7Vk4gBnlcntr7hmCBKVPGY7uJbKC/21pgkuwoMAs9 0E5vO/87fYlrWv1NYoGomk/fYWKFBgtmDLDP/9Cr0wqkxL/zYTurKiCTxo/MFJUw maIt64IN9PU7Nt9URjLb =2eQ6 -----END PGP SIGNATURE-----
Current thread:
- CVE Request: Linux: fuse: possible denial of service in fuse_fill_write_pages() Salvatore Bonaccorso (Jan 23)
- Re: CVE Request: Linux: fuse: possible denial of service in fuse_fill_write_pages() cve-assign (Jan 24)