Bug 667892 (CVE-2010-4650) - CVE-2010-4650 kernel: fuse: verify ioctl retries
Summary: CVE-2010-4650 kernel: fuse: verify ioctl retries
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2010-4650
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 667893 667894
Blocks:
Reported: 2011-01-07 07:08 UTC by Eugene Teo (Security Response)
Modified: 2021-02-24 16:47 UTC (History)
CC: 7 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-07-25 09:55:05 UTC
Embargoed:



Description Eugene Teo (Security Response) 2011-01-07 07:08:04 UTC
Verify that the total length of the iovec returned in FUSE_IOCTL_RETRY doesn't overflow iov_length().

Upstream commit:
http://git.kernel.org/linus/7572777eef78ebdee1ecb7c258c0ef94d35bad16

Introduced in 59efec7b v2.6.29-rc1

long fuse_do_ioctl(struct file *file, unsigned int cmd, unsigned long arg,
    unsigned int flags)
{
[...]
    /* did it ask for retry? */
    if (outarg.flags & FUSE_IOCTL_RETRY) {
[...]
        /* no retry if in restricted mode */
        err = -EIO;
        if (!(flags & FUSE_IOCTL_UNRESTRICTED))
            goto out;
[...]
        in_iov = page_address(iov_page);
        out_iov = in_iov + in_iovs;

So this affects the unrestricted ioctl, which is used by CUSE. Others use the restricted ioctl.

On Red Hat Enterprise Linux 6, /dev/cuse is root-owned by default.
crw-rw----. 1 root root 10, 57 Jan  7 06:51 /dev/cuse

Comment 3 Eugene Teo (Security Response) 2011-01-11 09:22:50 UTC
Statement:

This issue did not affect the versions of Linux kernel as shipped with Red
Hat Enterprise Linux 4 and 5 as they did not backport the upstream commit
59efec7b that introduced this issue. It did not affect the version of Linux
kernel as shipped with Red Hat Enterprise MRG as it did not provide support
for Character Device in Userspace (CUSE). A future kernel update in Red Hat
Enterprise Linux 6 may address this flaw. Note that, by default, the
"/dev/cuse" file in Red Hat Enterprise Linux 6 is only accessible by the
root user.

Comment 4 Petr Matousek 2011-02-01 23:02:34 UTC
Reproducer note:

Very similar to CVE-2010-4160. Exploitation counts on overflowing the total len needed to store all iovecs in memory and thus allocating a small buffer. Later, when the iovecs are copied into memory, a potentially big iov[]->iov_len is used as the size. Memory gets overwritten.

fuse_do_ioctl() counts the total len (which is potentially overflowed) and passes this to fuse_ioctl_copy_user(), which does the actual copying to memory. This function looks to be designed after memcpy_fromiovec() and thus copies ~min(total_len, iov[]->iov_len).

This bug is unexploitable.
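The length wrap described in the description and in Comment 4, shown as a constructed C example added here (this is neither the kernel's code nor the upstream patch): an unchecked sum over a user-supplied iovec array wraps to a small value, while a checked sum that bounds every addition rejects the same array. The iovec arrays and the `max_total` budget are constructed for illustration.

```c
/* Added illustration, not kernel or upstream code: how an unchecked iovec
 * length sum wraps around, and a checked sum that rejects such an array.
 * Models the FUSE_IOCTL_RETRY case where the userspace filesystem supplies
 * the iovec array and the kernel must not trust its total length. */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>
#include <sys/uio.h>   /* struct iovec */

/* Naive total in the style of iov_length(): the size_t sum silently wraps. */
static size_t iov_total_unchecked(const struct iovec *iov, size_t count)
{
    size_t total = 0;
    for (size_t n = 0; n < count; n++)
        total += iov[n].iov_len;
    return total;
}

/* Checked total: returns false if the sum would wrap size_t or exceed a
 * caller-supplied upper bound (modelling the request's page budget).
 * Invariant: total <= max_total, so max_total - total never underflows. */
static bool iov_total_checked(const struct iovec *iov, size_t count,
                              size_t max_total, size_t *total_out)
{
    size_t total = 0;
    for (size_t n = 0; n < count; n++) {
        size_t len = iov[n].iov_len;
        /* Test before adding: total + len must fit under max_total. */
        if (len > max_total - total)
            return false;
        total += len;
    }
    *total_out = total;
    return true;
}

/* Constructed budget: one megabyte, standing in for the request page limit. */
#define DEMO_MAX_TOTAL ((size_t)1 << 20)

/* Constructed hostile array: the second entry wraps the unsigned sum, so the
 * unchecked total is 32 even though the entries describe far more. */
static const struct iovec demo_iov[] = {
    { .iov_base = NULL, .iov_len = 48 },
    { .iov_base = NULL, .iov_len = SIZE_MAX - 15 }, /* 48 + (SIZE_MAX-15) wraps to 32 */
};

/* Constructed well-formed array for comparison. */
static const struct iovec sane_iov[] = {
    { .iov_base = NULL, .iov_len = 4096 },
    { .iov_base = NULL, .iov_len = 512 },
};

/* What a kernel trusting the naive sum would allocate for: the wrapped 32. */
size_t demo_unchecked_total(void)
{
    return iov_total_unchecked(demo_iov, 2);
}

/* True when the checked sum rejects the hostile array. */
bool demo_checked_rejects(void)
{
    size_t total;
    return !iov_total_checked(demo_iov, 2, DEMO_MAX_TOTAL, &total);
}

/* Checked total of the well-formed array (4608), or 0 if it were rejected. */
size_t demo_sane_total(void)
{
    size_t total = 0;
    if (!iov_total_checked(sane_iov, 2, DEMO_MAX_TOTAL, &total))
        return 0;
    return total;
}

int main(void)
{
    printf("unchecked total of hostile iovec: %zu\n", demo_unchecked_total());
    printf("checked sum rejects hostile iovec: %s\n",
           demo_checked_rejects() ? "yes" : "no");
    printf("checked total of sane iovec: %zu\n", demo_sane_total());
    return 0;
}
```

The check runs before each addition rather than after, so the comparison itself can never wrap; this is the property the fix in the upstream commit restores by returning an error instead of copying less than the iovec described.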

Comment 5 Petr Matousek 2012-07-25 09:55:05 UTC
Comment from Red Hat Engineer Zach Brown:

The overflow case doesn't look dangerous to the kernel as the copy is
limited by the length after the overflow.  This fix restores the
intention of returning an error instead of successfully copying less
than the iovec represented.

Reference:
https://lkml.org/lkml/2012/7/24/386