FUSE_NOTIFY_INVAL_ENTRY didn't check the length of the write, so the message processing could overrun and result in a BUG_ON() in fuse_copy_fill(). A user able to mount FUSE filesystems can use this flaw to crash the system.

References:
http://permalink.gmane.org/gmane.linux.kernel.commits.head/313266
http://sourceforge.net/mailarchive/forum.php?thread_name=87liut4i7w.fsf%40tucsk.pomaz.szeredi.hu&forum_name=fuse-devel

Upstream fix:
https://github.com/torvalds/linux/commit/c2183d1e9b3f313dd8ba2b1b0197c8d9fb86a7ae
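The missing length check described in the comment above, shown as an added userspace illustration (not the kernel's code and not part of the original report). The header layout follows struct fuse_notify_inval_entry_out; parse_inval_entry, demo_short_write and NAME_MAX_MODEL are hypothetical names, and the sample message is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NAME_MAX_MODEL 255  /* assumption: stands in for the kernel's name limit */

/* Fixed header of the notification (layout of struct fuse_notify_inval_entry_out). */
struct inval_entry_out {
    uint64_t parent;
    uint32_t namelen;
    uint32_t padding;
};

/* Hypothetical model of the handler: `size` is the number of payload bytes
 * actually written. Returns 0 and fills `name`, or -1 if the message is rejected. */
int parse_inval_entry(const uint8_t *buf, size_t size,
                      char name[NAME_MAX_MODEL + 1], uint64_t *parent)
{
    struct inval_entry_out out;

    if (size < sizeof(out))
        return -1;                  /* header itself is truncated */
    memcpy(&out, buf, sizeof(out));
    if (out.namelen > NAME_MAX_MODEL)
        return -1;                  /* name would not fit the destination */
    /* The missing check: the declared length must equal what was written
     * (header + name + NUL), so the copy below cannot run past the message. */
    if (size != sizeof(out) + (size_t)out.namelen + 1)
        return -1;
    memcpy(name, buf + sizeof(out), out.namelen);
    name[out.namelen] = '\0';
    *parent = out.parent;
    return 0;
}

/* Constructed input: header declares a 200-byte name, only "abc\0" follows. */
int demo_short_write(void)
{
    uint8_t msg[sizeof(struct inval_entry_out) + 4] = {0};
    struct inval_entry_out h = { .parent = 1, .namelen = 200 };
    char name[NAME_MAX_MODEL + 1];
    uint64_t parent = 0;

    memcpy(msg, &h, sizeof(h));
    memcpy(msg + sizeof(h), "abc", 4);
    return parse_inval_entry(msg, sizeof(msg), name, &parent);
}

int main(void) { return demo_short_write() == -1 ? 0 : 1; }
```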
Statement: This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 4 as they did not provide support for FUSE. This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 5 as they did not backport the upstream commit 3b463ae0c6264f that introduced this issue. This has been addressed in Red Hat Enterprise Linux 6 and Red Hat Enterprise MRG via https://rhn.redhat.com/errata/RHSA-2011-1465.html and https://rhn.redhat.com/errata/RHSA-2012-0010.html.
This was assigned the name CVE-2011-3353.
Created kernel tracking bugs for this issue.
Affects: fedora-all [bug 748690]
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Via RHSA-2011:1465 https://rhn.redhat.com/errata/RHSA-2011-1465.html
This issue has been addressed in the following products:
MRG for RHEL-6 v.2
Via RHSA-2012:0010 https://rhn.redhat.com/errata/RHSA-2012-0010.html