Vigil@nce - Linux kernel: denial of service via FUSE_NOTIFY_INVAL_ENTRY
September 2011 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
A local attacker who is allowed to mount a FUSE file system can
send a malicious notification in order to stop the system.
Severity: 1/4
Creation date: 08/09/2011
IMPACTED PRODUCTS
– Linux kernel
DESCRIPTION OF THE VULNERABILITY
The FUSE (Filesystem in USErspace) feature can be used by an
application to generate a virtual file system.
The FUSE daemon can send several notifications to the kernel:
– FUSE_NOTIFY_INVAL_INODE: invalidate an inode
– FUSE_NOTIFY_INVAL_ENTRY: invalidate a directory entry
– etc.
The FUSE_NOTIFY_INVAL_ENTRY notification is handled by the
fuse_notify_inval_entry() function in the fs/fuse/dev.c file.
However, this function does not correctly check the size of the
message. A malformed message is therefore accepted, and later
triggers a call to the BUG() macro, which stops the kernel.
A local attacker who is allowed to mount a FUSE file system can
therefore send a malicious notification in order to stop the
system.
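
As an added illustration (not the kernel's code and not the upstream patch), the following user-space C model shows the kind of length consistency check the description says was missing: the total message size must agree with the name length declared in the header. The struct layout, the MODEL_NAME_MAX cap and the function names are assumptions made for this example, and the sample messages are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MODEL_NAME_MAX 1024 /* assumed cap, modelled on FUSE_NAME_MAX */
/* Layout modelled on struct fuse_notify_inval_entry_out (assumption). */
struct inval_entry_hdr {
    uint64_t parent;  /* node ID of the parent directory */
    uint32_t namelen; /* declared name length, without the NUL */
    uint32_t padding;
};

/* Hypothetical validator: 0 if the message is self-consistent, else -1.
 * On success *name points at the NUL-terminated name inside buf. */
int validate_inval_entry(const uint8_t *buf, size_t size,
                         uint64_t *parent, const char **name)
{
    struct inval_entry_hdr hdr;
    if (buf == NULL || size < sizeof(hdr))
        return -1; /* truncated header */
    memcpy(&hdr, buf, sizeof(hdr)); /* copy out: buf may be unaligned */
    if (hdr.namelen > MODEL_NAME_MAX)
        return -1; /* declared name too long */
    if (size != sizeof(hdr) + (size_t)hdr.namelen + 1)
        return -1; /* total size disagrees with declared length */
    if (buf[size - 1] != '\0' ||
        memchr(buf + sizeof(hdr), '\0', hdr.namelen) != NULL)
        return -1; /* missing terminator or embedded NUL */
    *parent = hdr.parent;
    *name = (const char *)(buf + sizeof(hdr));
    return 0;
}

/* Builds a constructed sample message in out; returns its size. */
size_t build_msg(uint8_t *out, uint64_t parent, uint32_t declared, const char *s)
{
    struct inval_entry_hdr hdr = { parent, declared, 0 };
    memcpy(out, &hdr, sizeof(hdr));
    memcpy(out + sizeof(hdr), s, strlen(s) + 1);
    return sizeof(hdr) + strlen(s) + 1;
}

int main(void)
{
    uint8_t buf[64]; uint64_t parent; const char *name;
    printf("consistent: %d\n", validate_inval_entry(buf, build_msg(buf, 1, 4, "file"), &parent, &name));
    printf("mismatched: %d\n", validate_inval_entry(buf, build_msg(buf, 1, 40, "file"), &parent, &name));
    return 0;
}
```

Rejecting the message at parse time with an error return keeps an inconsistent length from reaching later code that assumes it is valid.
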
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-denial-of-service-via-FUSE-NOTIFY-INVAL-ENTRY-10974