fuseDisclose.txt

Posted Jun 18, 2005
Authored by Sven Tantau | Site sven-tantau.de

A memory disclosure vulnerability exists in FUSE versions below 2.3.0.

tags | advisory
SHA-256 | 1617e02791e8e6f8f643c263484eb5e3ba6de5bf570af2a803a1c4ed05c3e96a


Advisory: FUSE: Filesystem in Userspace - Information Disclosure

Update: Correction of affected versions and os.

Product: FUSE: Filesystem in Userspace
Affected Version: 2.2, 2.2.1, 2.3-pre* and 2.3-rc1
Immune Version: < 2.2, 2.3.0
OS affected: Linux 2.4.*, 2.6.*
Security-Risk: high
Remote-Exploit: no
Date: 03.06.2005
Author: Sven Tantau - http://www.sven-tantau.de/
Vendor-URL: http://sourceforge.net/projects/fuse
Vendor-Status: informed, vendor released a fixed version
Advisory-URL: http://www.sven-tantau.de/public_files/fuse/fuse_20050603.txt
Exploit-URL: http://www.sven-tantau.de/public_files/fuse/memfs.c


Product
=======

From fuse/README:

FUSE (Filesystem in Userspace) is a simple interface for userspace
programs to export a virtual filesystem to the linux kernel. FUSE
also aims to provide a secure method for non privileged users to
create and mount their own filesystem implementations.

You can download the source code releases from

http://sourceforge.net/projects/fuse


Details
=======

kernel/file.c:
static int fuse_readpage(struct file *file, struct page *page)
{
    ....

    req->num_pages = 1;
    req->pages[0] = page;
    req->out.page_zeroing = 1;

    ....
}



kernel/dev.c:
static int fuse_copy_pages(struct fuse_copy_state *cs, unsigned nbytes,
                           int zeroing)
{
    unsigned i;
    struct fuse_req *req = cs->req;
    unsigned offset = req->page_offset;
    unsigned count = min(nbytes, (unsigned) PAGE_SIZE - offset);

    for (i = 0; i < req->num_pages && nbytes; i++) { // <--- nbytes can be 0
        struct page *page = req->pages[i];
        int err = fuse_copy_page(cs, page, offset, count, zeroing);
        if (err)
            return err;

        nbytes -= count;
        count = min(nbytes, (unsigned) PAGE_SIZE);
        offset = 0;
    }
    return 0;
}


static inline int fuse_copy_page(struct fuse_copy_state *cs, struct page *page,
                                 unsigned offset, unsigned count, int zeroing)
{
    if (page && zeroing && count < PAGE_SIZE) {
        void *mapaddr = kmap_atomic(page, KM_USER1);
        memset(mapaddr, 0, PAGE_SIZE);
        kunmap_atomic(mapaddr, KM_USER1);
    }

    ....
}


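fuse_readpage() requests page zeroing, but the zeroing itself only
happens inside fuse_copy_page(), which is called from the loop in
fuse_copy_pages(). If nbytes==0 the loop body never runs, so pages
will not be zeroed, which leads to information disclosure of previous
page content. As those pages can contain sensitive data of other users
(including root), risk is rated high.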
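
The loop condition before and after the vendor fix, as a user-space model (an added example, not code from FUSE or from this advisory). The names model_req, model_copy_page, model_copy_pages and stale_bytes are hypothetical, the fill bytes are constructed, and the copy step stands in for the part the excerpt elides.

```c
#include <stdio.h>
#include <string.h>
#define PAGE_SIZE 4096u
#define MIN(a, b) ((a) < (b) ? (a) : (b))

/* Stand-in for struct fuse_req: only the fields the copy loop reads. */
struct model_req { unsigned num_pages, page_offset; unsigned char *pages[1]; };

/* Models fuse_copy_page(): zero a short page, then copy count reply bytes.
 * The copy step is an assumption; the advisory elides it with "....". */
static void model_copy_page(unsigned char *page, const unsigned char *src,
                            unsigned offset, unsigned count, int zeroing)
{
    if (page && zeroing && count < PAGE_SIZE)
        memset(page, 0, PAGE_SIZE);
    if (page && count)
        memcpy(page + offset, src, count);
}

/* fixed == 0: loop condition before the patch; fixed != 0: after it. */
static void model_copy_pages(struct model_req *req, const unsigned char *src,
                             unsigned nbytes, int zeroing, int fixed)
{
    unsigned i, offset = req->page_offset;
    unsigned count = MIN(nbytes, PAGE_SIZE - offset);
    for (i = 0; i < req->num_pages && (nbytes || (fixed && zeroing)); i++) {
        model_copy_page(req->pages[i], src, offset, count, zeroing);
        src += count;
        nbytes -= count;
        count = MIN(nbytes, PAGE_SIZE);
        offset = 0;
    }
}

/* Bytes of constructed old page content left after an nbytes-long reply. */
unsigned stale_bytes(unsigned nbytes, int fixed)
{
    static unsigned char page[PAGE_SIZE], reply[PAGE_SIZE];
    struct model_req req = { 1, 0, { page } };
    unsigned i, stale = 0;
    memset(page, 0x41, PAGE_SIZE);   /* constructed previous page content */
    memset(reply, 0x42, PAGE_SIZE);  /* constructed filesystem reply data */
    model_copy_pages(&req, reply, nbytes, 1, fixed);
    for (i = 0; i < PAGE_SIZE; i++)
        stale += (page[i] == 0x41);
    return stale;
}

int main(void) { printf("old: %u stale, patched: %u stale\n", stale_bytes(0, 0), stale_bytes(0, 1)); return 0; }
```

Only the zero-length reply differs between the two conditions; any reply with nbytes > 0 enters the loop and clears or overwrites the page in both.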

A proof of concept file system is available at:
http://www.sven-tantau.de/public_files/fuse/memfs.c


Workaround
==========

rmmod fuse
Install the patch or update to fuse-2.3.0.


Patch
=====

Vendor (Miklos Szeredi) provided fix:

Index: linux/fs/fuse/dev.c
===================================================================
--- linux.orig/fs/fuse/dev.c 2005-06-01 12:22:08.000000000 +0200
+++ linux/fs/fuse/dev.c 2005-06-02 11:10:08.000000000 +0200
@@ -525,7 +525,7 @@ static int fuse_copy_pages(struct fuse_c
unsigned offset = req->page_offset;
unsigned count = min(nbytes, (unsigned) PAGE_SIZE - offset);

- for (i = 0; i < req->num_pages && nbytes; i++) {
+ for (i = 0; i < req->num_pages && (nbytes || zeroing); i++) {
struct page *page = req->pages[i];
int err = fuse_copy_page(cs, page, offset, count, zeroing);
if (err)
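
Review bot: the new loop condition (nbytes || zeroing) on the changed for line has no comment explaining why zeroing alone must keep the loop running; add one above the loop saying that a zero-length reply still has to reach fuse_copy_page() so its count < PAGE_SIZE branch clears each page. With nbytes == 0 the count computed just above is 0, so every page in req->pages is passed with count 0 and zeroed when zeroing is set, while callers passing zeroing == 0 still stop at nbytes == 0 as before.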


History
=======

2005-06-01 issue found by Sven Tantau
2005-06-02 vendor contacted
2005-06-02 quick vendor reaction with confirmation, patch and public
disclosure
2005-06-06 release of this advisory + exploit
2005-06-06 Update of this advisory (affected versions mixup)





--
Sven Tantau
http://www.sven-tantau.de/ *** http://www.beastiebytes.de/
http://twe.sven-tantau.de/ *** http://www.bewiso.de/