Description
In the Linux kernel, the following vulnerability has been resolved: fuse: reject oversized dirents in page cache fuse_add_dirent_to_cache() computes a serialized dirent size from the server-controlled namelen field and copies the dirent into a single page-cache page. The existing logic only checks whether the dirent fits in the remaining space of the current page and advances to a fresh page if not. It never checks whether the dirent itself exceeds PAGE_SIZE. As a result, a malicious FUSE server can return a dirent with namelen=4095, producing a serialized record size of 4120 bytes. On 4 KiB page systems this causes memcpy() to overflow the cache page by 24 bytes into the following kernel page. Reject dirents that cannot fit in a single page before copying them into the readdir cache.
Product status
69e34551152a286f827d54dcb5700da6aeaac1fb (git) before d23ad78bfd205eac26766e38ba7d79f279131098
69e34551152a286f827d54dcb5700da6aeaac1fb (git) before 45c05af36311624c1148123caeb011312495d86b
69e34551152a286f827d54dcb5700da6aeaac1fb (git) before 7de93abfaae1b2dc94da8a07a36421bd073f1d8f
69e34551152a286f827d54dcb5700da6aeaac1fb (git) before 474ce83c96a55f2eeb14dee2be375eeadfdacdf5
69e34551152a286f827d54dcb5700da6aeaac1fb (git) before 51a8de6c50bf947c8f534cd73da4c8f0a13e7bed
4.20
Any version before 4.20
6.6.136 (semver)
6.12.84 (semver)
6.18.25 (semver)
7.0.2 (semver)
7.1-rc1 (original_commit_for_fix)
References
git.kernel.org/...c/d23ad78bfd205eac26766e38ba7d79f279131098
git.kernel.org/...c/45c05af36311624c1148123caeb011312495d86b
git.kernel.org/...c/7de93abfaae1b2dc94da8a07a36421bd073f1d8f
git.kernel.org/...c/474ce83c96a55f2eeb14dee2be375eeadfdacdf5
git.kernel.org/...c/51a8de6c50bf947c8f534cd73da4c8f0a13e7bed