Bug 667892 (CVE-2010-4650)
Summary: | CVE-2010-4650 kernel: fuse: verify ioctl retries | |
---|---|---|---
Product: | [Other] Security Response | Reporter: | Eugene Teo (Security Response) <eteo>
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team>
Status: | CLOSED NOTABUG | QA Contact: |
Severity: | medium | Docs Contact: |
Priority: | medium | |
Version: | unspecified | CC: | arozansk, davej, kernel-mgr, kmcmartin, lwang, pmatouse, tcallawa
Target Milestone: | --- | Keywords: | Security
Target Release: | --- | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | | |
Fixed In Version: | | Doc Type: | Bug Fix
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2012-07-25 09:55:05 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Bug Depends On: | 667893, 667894 | |
Bug Blocks: | | |
Description
Eugene Teo (Security Response)
2011-01-07 07:08:04 UTC
Statement: This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 4 and 5 as they did not backport the upstream commit 59efec7b that introduced this issue. It did not affect the version of Linux kernel as shipped with Red Hat Enterprise MRG as it did not provide support for Character device in Userspace (CUSE). A future kernel update in Red Hat Enterprise Linux 6 may address this flaw. Note that, by default, the "/dev/cuse" file in Red Hat Enterprise Linux 6 is only accessible by the root user.

Reproducer note: Very similar to CVE-2010-4160. Exploitation counts on overflowing the total len needed to store all iovecs in memory and thus allocating a small buffer. Later, when iovecs are copied into memory, the potentially big iov[]->iov_len is used as the size. Memory gets overwritten. fuse_do_ioctl() counts the total len (which is potentially overflowed) and passes this to fuse_ioctl_copy_user(), which is doing the actual copying to memory. This function looks to be designed according to memcpy_fromiovec() and thus copies ~min(total_len, iov[]->iov_len). This bug is unexploitable.

Comment from Red Hat Engineer Zach Brown: The overflow case doesn't look dangerous to the kernel as the copy is limited by the length after the overflow. This fix restores the intention of returning an error instead of successfully copying less than the iovec represented.

Reference: https://lkml.org/lkml/2012/7/24/386
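The length-summing problem the comment describes, as an added illustration in C that is not the kernel's or the bug's own code: a naive iovec total that wraps on a huge iov_len, beside a checked version that returns an error instead of proceeding with an undersized length. The struct, the limit and the sample lengths are constructed assumptions, not fuse's definitions.

```c
#include <stddef.h>
#include <stdint.h>
#include <errno.h>

/* Stand-in for the iovec shape the comment refers to (hypothetical struct). */
struct iov_entry { void *iov_base; size_t iov_len; };

/* Assumed upper bound for one ioctl transfer; a constructed limit, not fuse's. */
#define MAX_IOCTL_LEN ((size_t)1 << 20)

/* Naive total as the comment sketches it: plain addition, so a huge
 * iov_len wraps the sum to a small value and an undersized buffer follows. */
size_t sum_iov_naive(const struct iov_entry *iov, unsigned count)
{
    size_t total = 0;
    for (unsigned i = 0; i < count; i++)
        total += iov[i].iov_len;
    return total;
}

/* Checked total: every element is bounded and the running sum can never
 * wrap, so the caller sees an error instead of a short allocation. */
int sum_iov_checked(const struct iov_entry *iov, unsigned count, size_t *total_out)
{
    size_t total = 0;
    for (unsigned i = 0; i < count; i++) {
        size_t len = iov[i].iov_len;
        if (len > MAX_IOCTL_LEN || total > MAX_IOCTL_LEN - len)
            return -EINVAL;
        total += len;
    }
    *total_out = total;
    return 0;
}

/* Constructed sample: SIZE_MAX - 15 followed by 32 wraps the naive sum
 * to 16 whatever the width of size_t. */
size_t demo_naive_total(void)
{
    struct iov_entry iov[2] = { { NULL, SIZE_MAX - 15 }, { NULL, 32 } };
    return sum_iov_naive(iov, 2);   /* returns 16 */
}

int demo_checked_result(void)
{
    struct iov_entry iov[2] = { { NULL, SIZE_MAX - 15 }, { NULL, 32 } };
    size_t total = 0;
    return sum_iov_checked(iov, 2, &total);   /* returns -EINVAL */
}
```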