Verify that the total length of the iovec returned in FUSE_IOCTL_RETRY doesn't overflow iov_length().

Upstream commit: http://git.kernel.org/linus/7572777eef78ebdee1ecb7c258c0ef94d35bad16

Introduced in 59efec7b (v2.6.29-rc1):

    long fuse_do_ioctl(struct file *file, unsigned int cmd, unsigned long arg,
                       unsigned int flags)
    {
        [...]
        /* did it ask for retry? */
        if (outarg.flags & FUSE_IOCTL_RETRY) {
            [...]
            /* no retry if in restricted mode */
            err = -EIO;
            if (!(flags & FUSE_IOCTL_UNRESTRICTED))
                goto out;
            [...]
            in_iov = page_address(iov_page);
            out_iov = in_iov + in_iovs;

So this affects the unrestricted ioctl that is used by CUSE. Others use the restricted ioctl. On Red Hat Enterprise Linux 6, /dev/cuse is root-owned by default:

    crw-rw----. 1 root root 10, 57 Jan 7 06:51 /dev/cuse
Statement: This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 4 and 5 as they did not backport the upstream commit 59efec7b that introduced this issue. It did not affect the version of Linux kernel as shipped with Red Hat Enterprise MRG as it did not provide support for Character Device in Userspace (CUSE). A future kernel update in Red Hat Enterprise Linux 6 may address this flaw. Note that, by default, the "/dev/cuse" file in Red Hat Enterprise Linux 6 is only accessible by the root user.
Reproducer note: Very similar to CVE-2010-4160. Exploitation counts with overflowing total len needed to store all iovecs in memory and thus allocating small buffer. Later when iovecs are copied into memory potentially big iov[]->iov_len is used as the size. Memory gets overwritten. fuse_do_ioctl() counts total len (which is potentially overflowed) and passes this to fuse_ioctl_copy_user() which is doing the actual copying to memory. This function looks to be designed according to memcpy_fromiovec() and thus copies ~min(total_len, iov[]->iov_len). This bug is unexploitable.
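The length-sum wrap described above, as an added illustration that is not code from the kernel or from this bug report: a naive iov_len sum over a constructed iovec array wraps to a small value, while a checked sum in the spirit of the upstream fix rejects the array instead. The two sample arrays and the function names are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/uio.h>

/* Naive sum of iov_len, the way an unchecked iov_length() behaves:
 * on overflow the total silently wraps around size_t. */
static size_t iov_length_naive(const struct iovec *iov, unsigned long nr)
{
    size_t total = 0;
    for (unsigned long i = 0; i < nr; i++)
        total += iov[i].iov_len;
    return total;
}

/* Checked sum: returns -1 if the lengths do not fit in size_t,
 * 0 otherwise (total stored in *out when out is non-NULL). */
static int iov_length_checked(const struct iovec *iov, unsigned long nr,
                              size_t *out)
{
    size_t remaining = SIZE_MAX; /* room left before the sum would wrap */
    size_t total = 0;
    for (unsigned long i = 0; i < nr; i++) {
        if (iov[i].iov_len > remaining)
            return -1; /* this entry alone would push the sum past SIZE_MAX */
        remaining -= iov[i].iov_len;
        total += iov[i].iov_len;
    }
    if (out)
        *out = total;
    return 0;
}

/* Constructed samples (not from the report): one that wraps to 16
 * under the naive sum, one that is well formed and sums to 4608. */
static const struct iovec sample_overflow[] = { { NULL, SIZE_MAX - 7 }, { NULL, 24 } };
static const struct iovec sample_ok[]       = { { NULL, 4096 },        { NULL, 512 } };

int main(void)
{
    size_t total = 0;
    printf("naive total of overflowing iovec: %zu\n",
           iov_length_naive(sample_overflow, 2));          /* 16 */
    printf("checked result for overflowing iovec: %d\n",
           iov_length_checked(sample_overflow, 2, &total)); /* -1 */
    printf("checked total of well-formed iovec: %d -> %zu\n",
           iov_length_checked(sample_ok, 2, &total), total); /* 0 -> 4608 */
    return 0;
}
```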
Comment from Red Hat Engineer Zach Brown: The overflow case doesn't look dangerous to the kernel as the copy is limited by the length after the overflow. This fix restores the intention of returning an error instead of successfully copying less than the iovec represented. Reference: https://lkml.org/lkml/2012/7/24/386