From 4ba5d31cc6191d81ee222a3e678674737ba98946 Mon Sep 17 00:00:00 2001
From: Pavel Reichl
Date: Tue, 18 Jun 2024 00:18:28 +0200
Subject: [PATCH] libfuse: null-terminate buffer in fuse_req_getgroups()

Resolves: RHEL-27867
Signed-off-by: Pavel Reichl
---
 fuse3.spec | 7 +++-
 ...rminate-buffer-in-fuse_req_getgroups.patch | 35 +++++++++++++++++++
 2 files changed, 41 insertions(+), 1 deletion(-)
 create mode 100644 master-libfuse-null-terminate-buffer-in-fuse_req_getgroups.patch

diff --git a/fuse3.spec b/fuse3.spec
index f62b317..3240e80 100644
--- a/fuse3.spec
+++ b/fuse3.spec
@@ -1,6 +1,6 @@
 Name: fuse3
 Version: 3.10.2
-Release: 8%{?dist}
+Release: 9%{?dist}
 Summary: File System in Userspace (FUSE) v3 utilities
 License: GPL+
 URL: http://fuse.sf.net
@@ -15,6 +15,7 @@ Patch5: rhel-only-bz2188182-libfuse-add-feature-flag-for-expire-only.patch
 Patch6: fuse-3.16.1-Make-expire-only-function-fail-if-no-kernel-support-.patch
 Patch7: fuse-3.17.0-Pass-FUSE_PARALLEL_DIROPS-to-kernel-861.patch
 Patch8: fuse-3.17.0-Don-t-set-FUSE_CAP_PARALLEL_DIROPS-by-default.patch
+Patch9: master-libfuse-null-terminate-buffer-in-fuse_req_getgroups.patch

 BuildRequires: which
 %if ! 0%{?el6}
@@ -85,6 +86,7 @@ Common files for FUSE v2 and FUSE v3.
 %patch6 -p1
 %patch7 -p1
 %patch8 -p1
+%patch9 -p1

 %build
 export LC_ALL=en_US.UTF-8
@@ -174,6 +176,9 @@ rm -f %{buildroot}/usr/lib/udev/rules.d/99-fuse3.rules
 %endif

 %changelog
+* Mon Jun 17 2024 Pavel Reichl - 3.10.2-9
+- libfuse: null-terminate buffer in fuse_req_getgroups()
+
 * Wed Feb 07 2024 Pavel Reichl - 3.10.2-8
 - Advertise support of FUSE_PARALLEL_DIROPS to kernel
 - Related: RHEL-24721
diff --git a/master-libfuse-null-terminate-buffer-in-fuse_req_getgroups.patch b/master-libfuse-null-terminate-buffer-in-fuse_req_getgroups.patch
new file mode 100644
index 0000000..c778d94
--- /dev/null
+++ b/master-libfuse-null-terminate-buffer-in-fuse_req_getgroups.patch
@@ -0,0 +1,35 @@
+From 29f621af8d39d5a140da584ff6c1eb00147b5a56 Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi
+Date: Thu, 13 Jun 2024 13:57:25 +0200
+Subject: [PATCH] libfuse: null-terminate buffer in fuse_req_getgroups()
+
+After reading the file /proc/$PID/task/$PID/status the buffer wasn't
+terminated with a null character. This could theoretically lead to buffer
+overrun by the subsequent strstr() call.
+
+Since the contents of the proc file are guaranteed to contain the pattern
+that strstr is looking for, this doesn't happen in normal situations.
+
+Add null termination for robustness.
+
+Signed-off-by: Miklos Szeredi
+Signed-off-by: Pavel Reichl
+---
+ lib/fuse_lowlevel.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/fuse_lowlevel.c b/lib/fuse_lowlevel.c
+index fc46882..74b0424 100644
+--- a/lib/fuse_lowlevel.c
++++ b/lib/fuse_lowlevel.c
+@@ -3353,6 +3353,7 @@ retry:
+ goto retry;
+ }
+
++ buf[ret] = '\0';
+ ret = -EIO;
+ s = strstr(buf, "\nGroups:");
+ if (s == NULL)
+--
+2.45.2
+
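Review bot: The added `buf[ret] = '\0';` in the embedded lib/fuse_lowlevel.c hunk is in bounds only if `ret` is non-negative and strictly smaller than the allocated size of `buf` at that point, and the code that establishes this is not visible in the hunk. The context lines `goto retry;` and `}` just above suggest a retry path, presumably taken when the read fills the whole buffer, but fuse_req_getgroups() starts and ends outside the hunk, so this should be confirmed against the full function. I would record the invariant next to the write, for example `/* 0 <= ret < buffer size here (a full read retries above), so buf[ret] is in bounds */`, so that a later change to the retry or error condition does not turn the terminator into an out-of-bounds write.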