[linux] 01/01: fuse: break infinite loop in fuse_fill_write_pages()

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Sat Jan 23 22:52:41 UTC 2016 

This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch wheezy-security
in repository linux.

commit cff386374c1c3f7854269cff73e2390aad37cba8
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Sat Jan 23 22:48:19 2016 +0000

    fuse: break infinite loop in fuse_fill_write_pages()
    
    This doesn't have a CVE ID yet.
---
 debian/changelog                                   |  1 +
 ...ak-infinite-loop-in-fuse_fill_write_pages.patch | 58 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 60 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index bb6a9bb..dbfbeec 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -6,6 +6,7 @@ linux (3.2.73-2+deb7u3) UNRELEASED; urgency=medium
   * sctp: Prevent soft lockup when sctp_accept() is called during a timeout event
     (CVE-2015-8767)
   * tty: Fix unsafe ldisc reference via ioctl(TIOCGETD) (CVE-2016-0723)
+  * fuse: break infinite loop in fuse_fill_write_pages() (CVE-2015-XXXX)
 
   [ Salvatore Bonaccorso ]
   * unix: properly account for FDs passed over unix sockets (CVE-2013-4312)
diff --git a/debian/patches/bugfix/all/fuse-break-infinite-loop-in-fuse_fill_write_pages.patch b/debian/patches/bugfix/all/fuse-break-infinite-loop-in-fuse_fill_write_pages.patch
new file mode 100644
index 0000000..80b88d5
--- /dev/null
+++ b/debian/patches/bugfix/all/fuse-break-infinite-loop-in-fuse_fill_write_pages.patch
@@ -0,0 +1,58 @@
+From: Roman Gushchin <klamm at yandex-team.ru>
+Date: Mon, 12 Oct 2015 16:33:44 +0300
+Subject: fuse: break infinite loop in fuse_fill_write_pages()
+Origin: https://git.kernel.org/linus/3ca8138f014a913f98e6ef40e939868e1e9ea876
+
+I got a report about unkillable task eating CPU. Further
+investigation shows, that the problem is in the fuse_fill_write_pages()
+function. If iov's first segment has zero length, we get an infinite
+loop, because we never reach iov_iter_advance() call.
+
+Fix this by calling iov_iter_advance() before repeating an attempt to
+copy data from userspace.
+
+A similar problem is described in 124d3b7041f ("fix writev regression:
+pan hanging unkillable and un-straceable"). If zero-length segmend
+is followed by segment with invalid address,
+iov_iter_fault_in_readable() checks only first segment (zero-length),
+iov_iter_copy_from_user_atomic() skips it, fails at second and
+returns zero -> goto again without skipping zero-length segment.
+
+Patch calls iov_iter_advance() before goto again: we'll skip zero-length
+segment at second iteraction and iov_iter_fault_in_readable() will detect
+invalid address.
+
+Special thanks to Konstantin Khlebnikov, who helped a lot with the commit
+description.
+
+Cc: Andrew Morton <akpm at linux-foundation.org>
+Cc: Maxim Patlasov <mpatlasov at parallels.com>
+Cc: Konstantin Khlebnikov <khlebnikov at yandex-team.ru>
+Signed-off-by: Roman Gushchin <klamm at yandex-team.ru>
+Signed-off-by: Miklos Szeredi <miklos at szeredi.hu>
+Fixes: ea9b9907b82a ("fuse: implement perform_write")
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ fs/fuse/file.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/fuse/file.c b/fs/fuse/file.c
+index 510d4aa..f507e6220 100644
+--- a/fs/fuse/file.c
++++ b/fs/fuse/file.c
+@@ -850,6 +850,7 @@ static ssize_t fuse_fill_write_pages(struct fuse_req *req,
+ 
+ 		mark_page_accessed(page);
+ 
++		iov_iter_advance(ii, tmp);
+ 		if (!tmp) {
+ 			unlock_page(page);
+ 			page_cache_release(page);
+@@ -861,7 +862,6 @@ static ssize_t fuse_fill_write_pages(struct fuse_req *req,
+ 		req->pages[req->num_pages] = page;
+ 		req->num_pages++;
+ 
+-		iov_iter_advance(ii, tmp);
+ 		count += tmp;
+ 		pos += tmp;
+ 		offset += tmp;
diff --git a/debian/patches/series b/debian/patches/series
index 9a176c7..bdbdab5 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1195,3 +1195,4 @@ bugfix/all/sctp-prevent-soft-lockup-when-sctp_accept-is-called-.patch
 bugfix/all/tty-fix-unsafe-ldisc-reference-via-ioctl-tiocgetd.patch
 bugfix/all/unix-properly-account-for-FDs-passed-over-unix-socke.patch
 debian/unix-fix-abi-change-for-cve-2013-4312-fix.patch
+bugfix/all/fuse-break-infinite-loop-in-fuse_fill_write_pages.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git

More information about the Kernel-svn-changes mailing list