[pve-devel] [PATCH kernel] Fix CVE-2015-8785: fuse infinite loop

Wolfgang Bumiller w.bumiller at proxmox.com
Mon Jan 25 08:38:47 CET 2016


---
 Note that our 2.6.32 kernel already includes this
 in rh-kernel-src/patch-042stab113

 ...ak-infinite-loop-in-fuse_fill_write_pages.patch | 61 ++++++++++++++++++++++
 Makefile                                           |  1 +
 2 files changed, 62 insertions(+)
 create mode 100644 CVE-2015-8785-fuse-break-infinite-loop-in-fuse_fill_write_pages.patch

diff --git a/CVE-2015-8785-fuse-break-infinite-loop-in-fuse_fill_write_pages.patch b/CVE-2015-8785-fuse-break-infinite-loop-in-fuse_fill_write_pages.patch
new file mode 100644
index 0000000..f96b96f
--- /dev/null
+++ b/CVE-2015-8785-fuse-break-infinite-loop-in-fuse_fill_write_pages.patch
@@ -0,0 +1,61 @@
+From 3ca8138f014a913f98e6ef40e939868e1e9ea876 Mon Sep 17 00:00:00 2001
+From: Roman Gushchin <klamm at yandex-team.ru>
+Date: Mon, 12 Oct 2015 16:33:44 +0300
+Subject: [PATCH] fuse: break infinite loop in fuse_fill_write_pages()
+
+I got a report about unkillable task eating CPU. Further
+investigation shows, that the problem is in the fuse_fill_write_pages()
+function. If iov's first segment has zero length, we get an infinite
+loop, because we never reach iov_iter_advance() call.
+
+Fix this by calling iov_iter_advance() before repeating an attempt to
+copy data from userspace.
+
+A similar problem is described in 124d3b7041f ("fix writev regression:
+pan hanging unkillable and un-straceable"). If zero-length segmend
+is followed by segment with invalid address,
+iov_iter_fault_in_readable() checks only first segment (zero-length),
+iov_iter_copy_from_user_atomic() skips it, fails at second and
+returns zero -> goto again without skipping zero-length segment.
+
+Patch calls iov_iter_advance() before goto again: we'll skip zero-length
+segment at second iteraction and iov_iter_fault_in_readable() will detect
+invalid address.
+
+Special thanks to Konstantin Khlebnikov, who helped a lot with the commit
+description.
+
+Cc: Andrew Morton <akpm at linux-foundation.org>
+Cc: Maxim Patlasov <mpatlasov at parallels.com>
+Cc: Konstantin Khlebnikov <khlebnikov at yandex-team.ru>
+Signed-off-by: Roman Gushchin <klamm at yandex-team.ru>
+Signed-off-by: Miklos Szeredi <miklos at szeredi.hu>
+Fixes: ea9b9907b82a ("fuse: implement perform_write")
+Cc: <stable at vger.kernel.org>
+---
+ fs/fuse/file.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/fuse/file.c b/fs/fuse/file.c
+index f523f2f..195476a 100644
+--- a/fs/fuse/file.c
++++ b/fs/fuse/file.c
+@@ -1049,6 +1049,7 @@ static ssize_t fuse_fill_write_pages(struct fuse_req *req,
+ 		tmp = iov_iter_copy_from_user_atomic(page, ii, offset, bytes);
+ 		flush_dcache_page(page);
+ 
++		iov_iter_advance(ii, tmp);
+ 		if (!tmp) {
+ 			unlock_page(page);
+ 			page_cache_release(page);
+@@ -1061,7 +1062,6 @@ static ssize_t fuse_fill_write_pages(struct fuse_req *req,
+ 		req->page_descs[req->num_pages].length = tmp;
+ 		req->num_pages++;
+ 
+-		iov_iter_advance(ii, tmp);
+ 		count += tmp;
+ 		pos += tmp;
+ 		offset += tmp;
+-- 
+2.1.4
+
diff --git a/Makefile b/Makefile
index bd9e0ff..2866654 100644
--- a/Makefile
+++ b/Makefile
@@ -241,6 +241,7 @@ ${KERNEL_SRC}/README ${KERNEL_CFG_ORG}: ${KERNELSRCTAR}
 	cd ${KERNEL_SRC}; patch -p1 <../kvm-x86-obey-KVM_X86_QUIRK_CD_NW_CLEARED-in-kvm_set_cr0.patch
 	cd ${KERNEL_SRC}; patch -p1 <../apparmor-socket-mediation.patch
 	cd ${KERNEL_SRC}; patch -p1 <../CVE-2015-7513-KVM-x86-Reload-pit-counters-for-all-channels.patch
+	cd ${KERNEL_SRC}; patch -p1 <../CVE-2015-8785-fuse-break-infinite-loop-in-fuse_fill_write_pages.patch
 	# backport iSCSI fix from 4.4rc5
 	cd ${KERNEL_SRC}; patch -p1 <../iSCSI-block-sd-Fix-device-imposed-transfer-length-limits.patch
 	# backport aacraid update from kernel 4.4rc5
-- 
2.1.4





More information about the pve-devel mailing list