| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20110826220420.761134727@clark.kroah.org> Date: Fri, 26 Aug 2011 15:03:42 -0700 From: Greg KH <gregkh@...e.de> To: linux-kernel@...r.kernel.org, stable@...nel.org Cc: stable-review@...nel.org, torvalds@...ux-foundation.org, akpm@...ux-foundation.org, alan@...rguk.ukuu.org.uk, Miklos Szeredi <mszeredi@...e.cz> Subject: [19/20] fuse: check size of FUSE_NOTIFY_INVAL_ENTRY message 2.6.33-longterm review patch. If anyone has any objections, please let us know. ------------------ From: Miklos Szeredi <mszeredi@...e.cz> commit c2183d1e9b3f313dd8ba2b1b0197c8d9fb86a7ae upstream. FUSE_NOTIFY_INVAL_ENTRY didn't check the length of the write so the message processing could overrun and result in a "kernel BUG at fs/fuse/dev.c:629!" Reported-by: Han-Wen Nienhuys <hanwenn@...il.com> Signed-off-by: Miklos Szeredi <mszeredi@...e.cz> Signed-off-by: Greg Kroah-Hartman <gregkh@...e.de> --- fs/fuse/dev.c | 4 ++++ 1 file changed, 4 insertions(+) --- a/fs/fuse/dev.c +++ b/fs/fuse/dev.c @@ -899,6 +899,10 @@ static int fuse_notify_inval_entry(struc if (outarg.namelen > FUSE_NAME_MAX) goto err; + err = -EINVAL; + if (size != sizeof(outarg) + outarg.namelen + 1) + goto err; + name.name = buf; name.len = outarg.namelen; err = fuse_copy_one(cs, buf, outarg.namelen + 1); -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists