Fix CVE-2011-3353
This commit is contained in:
Josh Boyer
parent
b45a41b9eb
commit
18a614272e
|
|
@ -0,0 +1,34 @@
|
|||
From 6a7fc984c7bd3c98839e28c47f4a9a27af024ca7 Mon Sep 17 00:00:00 2001
|
||||
From: Miklos Szeredi <mszeredi@suse.cz>
|
||||
Date: Wed, 24 Aug 2011 10:20:17 +0200
|
||||
Subject: [PATCH] fuse: check size of FUSE_NOTIFY_INVAL_ENTRY message
|
||||
|
||||
FUSE_NOTIFY_INVAL_ENTRY didn't check the length of the write so the
|
||||
message processing could overrun and result in a "kernel BUG at
|
||||
fs/fuse/dev.c:629!"
|
||||
|
||||
Reported-by: Han-Wen Nienhuys <hanwenn@gmail.com>
|
||||
Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
|
||||
CC: stable@kernel.org
|
||||
---
|
||||
fs/fuse/dev.c | 4 ++++
|
||||
1 files changed, 4 insertions(+), 0 deletions(-)
|
||||
|
||||
diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c
|
||||
index e5cdabf..517430a 100644
|
||||
--- a/fs/fuse/dev.c
|
||||
+++ b/fs/fuse/dev.c
|
||||
@@ -1208,6 +1208,10 @@ static int fuse_notify_inval_entry(struct fuse_conn *fc, unsigned int size,
|
||||
if (outarg.namelen > FUSE_NAME_MAX)
|
||||
goto err;
|
||||
|
||||
+ err = -EINVAL;
|
||||
+ if (size != sizeof(outarg) + outarg.namelen + 1)
|
||||
+ goto err;
|
||||
+
|
||||
name.name = buf;
|
||||
name.len = outarg.namelen;
|
||||
err = fuse_copy_one(cs, buf, outarg.namelen + 1);
|
||||
--
|
||||
1.7.6
|
||||
|
||||
11
kernel.spec
11
kernel.spec
|
|
@ -48,7 +48,7 @@ Summary: The Linux kernel
|
|||
# reset this by hand to 1 (or to 0 and then use rpmdev-bumpspec).
|
||||
# scripts/rebase.sh should be made to do that for you, actually.
|
||||
#
|
||||
%global baserelease 97
|
||||
%global baserelease 98
|
||||
%global fedora_build %{baserelease}
|
||||
|
||||
# base_sublevel is the kernel version we're starting with and patching
|
||||
|
|
@ -883,6 +883,9 @@ Patch14056: perf-Fix-software-event-overflow.patch
|
|||
Patch14057: crypto-Move-md5_transform-to-lib-md5.c.patch
|
||||
Patch14058: net-Compute-protocol-sequence-numbers-and-fragment-I.patch
|
||||
|
||||
# CVE-2011-3353
|
||||
Patch14059: fuse-check-size-of-FUSE_NOTIFY_INVAL_ENTRY-message.patch
|
||||
|
||||
%endif
|
||||
|
||||
BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
|
||||
|
|
@ -1665,6 +1668,9 @@ ApplyPatch perf-Fix-software-event-overflow.patch
|
|||
ApplyPatch crypto-Move-md5_transform-to-lib-md5.c.patch
|
||||
ApplyPatch net-Compute-protocol-sequence-numbers-and-fragment-I.patch
|
||||
|
||||
# CVE-2011-3353
|
||||
ApplyPatch fuse-check-size-of-FUSE_NOTIFY_INVAL_ENTRY-message.patch
|
||||
|
||||
# END OF PATCH APPLICATIONS
|
||||
|
||||
%endif
|
||||
|
|
@ -2251,6 +2257,9 @@ fi
|
|||
# and build.
|
||||
|
||||
%changelog
|
||||
* Tue Sep 20 2011 Josh Boyer <jwboyer@redhat.com>
|
||||
- CVE-2011-3353: fuse: check size of FUSE_NOTIFY_INVAL_ENTRY message
|
||||
|
||||
* Fri Sep 16 2011 Josh Boyer <jwboyer@redhat.com> 2.6.35.14-97
|
||||
- CVE-2011-2918: perf: Fix software event overflow
|
||||
- CVE-2011-3188: net: improve sequence number generation
|
||||
|
|
|
|||
Loading…
Reference in New Issue