Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-Id: <20160124180313.5D41C6C04A5@smtpvmsrv1.mitre.org>
Date: Sun, 24 Jan 2016 13:03:13 -0500 (EST)
From: cve-assign@...re.org
To: carnil@...ian.org
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE Request: Linux: fuse: possible denial of service in fuse_fill_write_pages()

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> https://bugzilla.redhat.com/show_bug.cgi?id=1290642
> https://git.kernel.org/linus/3ca8138f014a913f98e6ef40e939868e1e9ea876

> I got a report about unkillable task eating CPU. Further investigation
> shows, that the problem is in the fuse_fill_write_pages() function. If
> iov's first segment has zero length, we get an infinite loop, because
> we never reach iov_iter_advance() call.

Use CVE-2015-8785.


> https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=124d3b7041f9a0ca7c43a6293e1cae4576c32fd5

> Frederik Himpe reported an unkillable and un-straceable pan process.

> Zero length iovecs can go into an infinite loop in writev, because the
> iovec iterator does not always advance over them.

> The sequence required to trigger this is not trivial. I think it
> requires that a zero-length iovec be followed by a non-zero-length
> iovec which causes a pagefault in the atomic usercopy. This causes the
> writev code to drop back into single-segment copy mode, which then
> tries to copy the 0 bytes of the zero-length iovec; a zero length copy
> looks like a failure though, so it loops.

Use CVE-2008-7316.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJWpQ7BAAoJEL54rhJi8gl5Am8QAIDWhohuCTV/LLATmZ2l79qT
6nH6UaXEQDTBLo3zaroI37UuALPBO3jj6gs+QrvAgs/p6lIVmYVZXbW+s23JXcly
UaF82HMfSa7G4TpErnY140XiyuY9litUunfxtJ1GBaB+NYDyPKOUI2O/LAfbnS7J
KvkB+9fzPNb6sgmHCNVtLQB8FI/zWscDL+YUAJtRlFzaj6m4Zmld+DfgNKEVj5v5
BYx2arc67iCKDeravJ+FTBJ7q332z/zgDjYOYSsHRlsBtkcZjkOXQaFDxEXOMXUK
VWjA3HG4UIryj5lt0WCJvrxEVQGUKxuKqoznYb9n2yUeIX/tpqbARkHxAkcaoZch
N9qSZS7aoSqb0Zpg2kJPzrpM7lFsyZUARYoX4JzeNC/luFxfcyyD4Rsq6ZvtS4gN
626g1nWB8te7xtUAWL8EEvAyLi8M5Xy9yNBQ/TJvi4AYUgMMJcRTzQNwEstwwIiv
k0jo9ExujeusDwJ0OTww7jtqfHLeyY+WqwWK11Lfs7A1a03qMgmcYTQoZ/PFyklX
SKygUyCIh8ampY97myeL6pa7Vk4gBnlcntr7hmCBKVPGY7uJbKC/21pgkuwoMAs9
0E5vO/87fYlrWv1NYoGomk/fYWKFBgtmDLDP/9Cr0wqkxL/zYTurKiCTxo/MFJUw
maIt64IN9PU7Nt9URjLb
=2eQ6
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.