oss-sec mailing list archives
Re: CVE request -- kernel: fuse: check size of FUSE_NOTIFY_INVAL_ENTRY message
From: Josh Bressers <bressers () redhat com>
Date: Fri, 9 Sep 2011 14:01:50 -0400 (EDT)
Please use CVE-2011-3353 Thanks. -- JB ----- Original Message -----
FUSE_NOTIFY_INVAL_ENTRY didn't check the length of the write so the message processing could overrun and result in a BUG_ON() in fuse_copy_fill(). User able to mount FUSE filesystems can use this flaw to crash the system. References: http://permalink.gmane.org/gmane.linux.kernel.commits.head/313266 http://sourceforge.net/mailarchive/forum.php?thread_name=87liut4i7w.fsf%40tucsk.pomaz.szeredi.hu&forum_name=fuse-devel Upstream fix: c2183d1e9b3f313dd8ba2b1b0197c8d9fb86a7ae Thanks, -- Petr Matousek / Red Hat Security Response Team
Current thread:
- CVE request -- kernel: fuse: check size of FUSE_NOTIFY_INVAL_ENTRY message Petr Matousek (Sep 08)
- Re: CVE request -- kernel: fuse: check size of FUSE_NOTIFY_INVAL_ENTRY message Josh Bressers (Sep 09)