[linux] 01/01: fuse: break infinite loop in fuse_fill_write_pages()

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Sat Jan 23 22:54:39 UTC 2016 

This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch jessie-security
in repository linux.

commit 4ca8829fe9a13ce1503a8c035d9cbfe381a802e1
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Sat Jan 23 22:48:19 2016 +0000

    fuse: break infinite loop in fuse_fill_write_pages()
    
    This doesn't have a CVE ID yet.
---
 debian/changelog                                   |  6 +++
 ...ak-infinite-loop-in-fuse_fill_write_pages.patch | 58 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 65 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 606d35d..a68a248 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+linux (3.16.7-ckt20-1+deb8u4) UNRELEASED; urgency=medium
+
+  * fuse: break infinite loop in fuse_fill_write_pages() (CVE-2015-XXXX)
+
+ -- Ben Hutchings <ben at decadent.org.uk>  Sat, 23 Jan 2016 22:53:58 +0000
+
 linux (3.16.7-ckt20-1+deb8u3) jessie-security; urgency=high
 
   [ Ben Hutchings ]
diff --git a/debian/patches/bugfix/all/fuse-break-infinite-loop-in-fuse_fill_write_pages.patch b/debian/patches/bugfix/all/fuse-break-infinite-loop-in-fuse_fill_write_pages.patch
new file mode 100644
index 0000000..ed61944
--- /dev/null
+++ b/debian/patches/bugfix/all/fuse-break-infinite-loop-in-fuse_fill_write_pages.patch
@@ -0,0 +1,58 @@
+From: Roman Gushchin <klamm at yandex-team.ru>
+Date: Mon, 12 Oct 2015 16:33:44 +0300
+Subject: fuse: break infinite loop in fuse_fill_write_pages()
+Origin: https://git.kernel.org/linus/a5b234167a1ff46f311f5835828eec2f971b9bb4
+
+commit 3ca8138f014a913f98e6ef40e939868e1e9ea876 upstream.
+
+I got a report about unkillable task eating CPU. Further
+investigation shows, that the problem is in the fuse_fill_write_pages()
+function. If iov's first segment has zero length, we get an infinite
+loop, because we never reach iov_iter_advance() call.
+
+Fix this by calling iov_iter_advance() before repeating an attempt to
+copy data from userspace.
+
+A similar problem is described in 124d3b7041f ("fix writev regression:
+pan hanging unkillable and un-straceable"). If zero-length segmend
+is followed by segment with invalid address,
+iov_iter_fault_in_readable() checks only first segment (zero-length),
+iov_iter_copy_from_user_atomic() skips it, fails at second and
+returns zero -> goto again without skipping zero-length segment.
+
+Patch calls iov_iter_advance() before goto again: we'll skip zero-length
+segment at second iteraction and iov_iter_fault_in_readable() will detect
+invalid address.
+
+Special thanks to Konstantin Khlebnikov, who helped a lot with the commit
+description.
+
+Cc: Andrew Morton <akpm at linux-foundation.org>
+Cc: Maxim Patlasov <mpatlasov at parallels.com>
+Cc: Konstantin Khlebnikov <khlebnikov at yandex-team.ru>
+Signed-off-by: Roman Gushchin <klamm at yandex-team.ru>
+Signed-off-by: Miklos Szeredi <miklos at szeredi.hu>
+Fixes: ea9b9907b82a ("fuse: implement perform_write")
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ fs/fuse/file.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/fuse/file.c
++++ b/fs/fuse/file.c
+@@ -1088,6 +1088,7 @@ static ssize_t fuse_fill_write_pages(str
+ 		tmp = iov_iter_copy_from_user_atomic(page, ii, offset, bytes);
+ 		flush_dcache_page(page);
+ 
++		iov_iter_advance(ii, tmp);
+ 		if (!tmp) {
+ 			unlock_page(page);
+ 			page_cache_release(page);
+@@ -1100,7 +1101,6 @@ static ssize_t fuse_fill_write_pages(str
+ 		req->page_descs[req->num_pages].length = tmp;
+ 		req->num_pages++;
+ 
+-		iov_iter_advance(ii, tmp);
+ 		count += tmp;
+ 		pos += tmp;
+ 		offset += tmp;
diff --git a/debian/patches/series b/debian/patches/series
index a67d069..dbd99ec 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -676,3 +676,4 @@ bugfix/all/tty-fix-unsafe-ldisc-reference-via-ioctl-tiocgetd.patch
 bugfix/all/unix-properly-account-for-FDs-passed-over-unix-socke.patch
 debian/unix-fix-abi-change-for-cve-2013-4312-fix.patch
 bugfix/all/KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch
+bugfix/all/fuse-break-infinite-loop-in-fuse_fill_write_pages.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git

More information about the Kernel-svn-changes mailing list