Bug 667892 (CVE-2010-4650)

Summary: CVE-2010-4650 kernel: fuse: verify ioctl retries
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
Hardware: All
OS: Linux
Keywords: Security
Reporter: Eugene Teo (Security Response) <eteo>
Assignee: Red Hat Product Security <security-response-team>
CC: arozansk, davej, kernel-mgr, kmcmartin, lwang, pmatouse, tcallawa
Doc Type: Bug Fix
Last Closed: 2012-07-25 09:55:05 UTC
Bug Depends On: 667893, 667894

Description Eugene Teo (Security Response) 2011-01-07 07:08:04 UTC
Verify that the total length of the iovec returned in FUSE_IOCTL_RETRY 
doesn't overflow iov_length().

Upstream commit:

Introduced in 59efec7b v2.6.29-rc1

long fuse_do_ioctl(struct file *file, unsigned int cmd, unsigned long arg,
                   unsigned int flags)
{
    ...
    /* did it ask for retry? */
    if (outarg.flags & FUSE_IOCTL_RETRY) {
        /* no retry if in restricted mode */
        err = -EIO;
        if (!(flags & FUSE_IOCTL_UNRESTRICTED))
            goto out;

        in_iov = page_address(iov_page);
        out_iov = in_iov + in_iovs;

So this affects the unrestricted ioctl that is used by CUSE. Others use the restricted ioctl.

On Red Hat Enterprise Linux 6, /dev/cuse is root-owned by default.
crw-rw----. 1 root root 10, 57 Jan  7 06:51 /dev/cuse

Comment 3 Eugene Teo (Security Response) 2011-01-11 09:22:50 UTC

This issue did not affect the versions of Linux kernel as shipped with Red
Hat Enterprise Linux 4 and 5 as they did not backport the upstream commit
59efec7b that introduced this issue. It did not affect the version of Linux
kernel as shipped with Red Hat Enterprise MRG as it did not provide support
for Character device in Userspace (CUSE). A future kernel update in Red Hat
Enterprise Linux 6 may address this flaw. Note that, by default, the
"/dev/cuse" file in Red Hat Enterprise Linux 6 is only accessible by the
root user.

Comment 4 Petr Matousek 2011-02-01 23:02:34 UTC
Reproducer note:

Very similar to CVE-2010-4160. Exploitation relies on overflowing the total length needed to store all iovecs in memory and thus allocating a small buffer. Later, when the iovecs are copied into memory, the potentially big iov[]->iov_len is used as the size. Memory gets overwritten.

fuse_do_ioctl() counts the total length (which is potentially overflowed) and passes this to fuse_ioctl_copy_user(), which does the actual copying to memory. This function looks to be designed according to memcpy_fromiovec() and thus copies ~min(total_len, iov[]->iov_len).

This bug is unexploitable.

Comment 5 Petr Matousek 2012-07-25 09:55:05 UTC
Comment from Red Hat Engineer Zach Brown:

The overflow case doesn't look dangerous to the kernel as the copy is
limited by the length after the overflow.  This fix restores the
intention of returning an error instead of successfully copying less
than the iovec represented.
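The length wrap described in the reproducer note, together with the intent of the fix (return an error rather than accept an iovec whose total cannot be represented), shown as an added example; this is not code from the kernel, the fix commit or this bug report. The local struct iovec, the sample segment lengths and the 64 KiB cap are constructed for the demo.

```c
#include <stddef.h>
#include <stdint.h>

/* Local stand-in for the kernel's struct iovec (constructed for the demo). */
struct iovec { void *iov_base; size_t iov_len; };

/* Naive total as in the bug: a plain sum, so large segments wrap to a
 * small value and the buffer allocated from it is undersized. */
size_t iov_length_naive(const struct iovec *iov, unsigned long nr_segs)
{
    size_t ret = 0;
    for (unsigned long seg = 0; seg < nr_segs; seg++)
        ret += iov[seg].iov_len;
    return ret;
}

/* Checked total: each segment is compared against the budget still left
 * before it is added, so the sum cannot wrap and never exceeds max_total.
 * Returns 0 and sets *total, or -1 to reject the whole iovec. */
int iov_length_checked(const struct iovec *iov, unsigned long nr_segs,
                       size_t max_total, size_t *total)
{
    size_t remaining = max_total;
    for (unsigned long seg = 0; seg < nr_segs; seg++) {
        if (iov[seg].iov_len > remaining)
            return -1;
        remaining -= iov[seg].iov_len;
    }
    *total = max_total - remaining;
    return 0;
}

/* Constructed sample: two segment lengths whose sum wraps size_t. */
static const struct iovec wrapping_iov[2] = {
    { NULL, SIZE_MAX - 8 },
    { NULL, 16 },
};

size_t demo_naive_total(void)      /* wraps around to 7 */
{
    return iov_length_naive(wrapping_iov, 2);
}

int demo_checked_rc(void)          /* rejected with -1 */
{
    size_t total = 0;
    return iov_length_checked(wrapping_iov, 2, 64 * 1024, &total);
}
```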