[kernel/f14] Fix CVE-2011-3353
Josh Boyer
jwboyer at fedoraproject.org
Tue Sep 20 14:42:29 UTC 2011
commit 18a614272e6c25228d190912a6956c8d3f6792bf
Author: Josh Boyer <jwboyer at redhat.com>
Date: Tue Sep 20 09:57:03 2011 -0400
Fix CVE-2011-3353
...k-size-of-FUSE_NOTIFY_INVAL_ENTRY-message.patch | 34 ++++++++++++++++++++
kernel.spec | 11 ++++++-
2 files changed, 44 insertions(+), 1 deletions(-)
---
diff --git a/fuse-check-size-of-FUSE_NOTIFY_INVAL_ENTRY-message.patch b/fuse-check-size-of-FUSE_NOTIFY_INVAL_ENTRY-message.patch
new file mode 100644
index 0000000..6db1aac
--- /dev/null
+++ b/fuse-check-size-of-FUSE_NOTIFY_INVAL_ENTRY-message.patch
@@ -0,0 +1,34 @@
+From 6a7fc984c7bd3c98839e28c47f4a9a27af024ca7 Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi <mszeredi at suse.cz>
+Date: Wed, 24 Aug 2011 10:20:17 +0200
+Subject: [PATCH] fuse: check size of FUSE_NOTIFY_INVAL_ENTRY message
+
+FUSE_NOTIFY_INVAL_ENTRY didn't check the length of the write so the
+message processing could overrun and result in a "kernel BUG at
+fs/fuse/dev.c:629!"
+
+Reported-by: Han-Wen Nienhuys <hanwenn at gmail.com>
+Signed-off-by: Miklos Szeredi <mszeredi at suse.cz>
+CC: stable at kernel.org
+---
+ fs/fuse/dev.c | 4 ++++
+ 1 files changed, 4 insertions(+), 0 deletions(-)
+
+diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c
+index e5cdabf..517430a 100644
+--- a/fs/fuse/dev.c
++++ b/fs/fuse/dev.c
+@@ -1208,6 +1208,10 @@ static int fuse_notify_inval_entry(struct fuse_conn *fc, unsigned int size,
+ if (outarg.namelen > FUSE_NAME_MAX)
+ goto err;
+
++ err = -EINVAL;
++ if (size != sizeof(outarg) + outarg.namelen + 1)
++ goto err;
++
+ name.name = buf;
+ name.len = outarg.namelen;
+ err = fuse_copy_one(cs, buf, outarg.namelen + 1);
+--
+1.7.6
+
diff --git a/kernel.spec b/kernel.spec
index dcd61bb..51ad361 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -48,7 +48,7 @@ Summary: The Linux kernel
# reset this by hand to 1 (or to 0 and then use rpmdev-bumpspec).
# scripts/rebase.sh should be made to do that for you, actually.
#
-%global baserelease 97
+%global baserelease 98
%global fedora_build %{baserelease}
# base_sublevel is the kernel version we're starting with and patching
@@ -883,6 +883,9 @@ Patch14056: perf-Fix-software-event-overflow.patch
Patch14057: crypto-Move-md5_transform-to-lib-md5.c.patch
Patch14058: net-Compute-protocol-sequence-numbers-and-fragment-I.patch
+# CVE-2011-3353
+Patch14059: fuse-check-size-of-FUSE_NOTIFY_INVAL_ENTRY-message.patch
+
%endif
BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
@@ -1665,6 +1668,9 @@ ApplyPatch perf-Fix-software-event-overflow.patch
ApplyPatch crypto-Move-md5_transform-to-lib-md5.c.patch
ApplyPatch net-Compute-protocol-sequence-numbers-and-fragment-I.patch
+# CVE-2011-3353
+ApplyPatch fuse-check-size-of-FUSE_NOTIFY_INVAL_ENTRY-message.patch
+
# END OF PATCH APPLICATIONS
%endif
@@ -2251,6 +2257,9 @@ fi
# and build.
%changelog
+* Tue Sep 20 2011 Josh Boyer <jwboyer at redhat.com>
+- CVE-2011-3353: fuse: check size of FUSE_NOTIFY_INVAL_ENTRY message
+
* Fri Sep 16 2011 Josh Boyer <jwboyer at redhat.com> 2.6.35.14-97
- CVE-2011-2918: perf: Fix software event overflow
- CVE-2011-3188: net: improve sequence number generation
More information about the scm-commits
mailing list