VYPR
← All advisories
Unrated severityNVD Advisory· Published Jun 21, 2012· Updated Apr 29, 2026

CVE-2010-4650

CVE-2010-4650

Description

Buffer overflow in the fuse_do_ioctl function in fs/fuse/file.c in the Linux kernel before 2.6.37 allows local users to cause a denial of service or possibly have unspecified other impact by leveraging the ability to operate a CUSE server.

Affected products

4
  • Linux/Kernel4 versions
    cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*+ 3 more
    • cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*range: <=2.6.36.4
    • cpe:2.3:o:linux:linux_kernel:2.6.36.1:*:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.6.36.2:*:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.6.36.3:*:*:*:*:*:*:*

Patches

1
7572777eef78

fuse: verify ioctl retries

https://github.com/torvalds/linuxMiklos SzerediNov 30, 2010via nvd-ref
commit
1 file changed · +22 0
  • fs/fuse/file.c+22 0 modified
    @@ -1666,6 +1666,20 @@ static int fuse_copy_ioctl_iovec(struct iovec *dst, void *src,
 	return 0;
 }
 
+/* Make sure iov_length() won't overflow */
+static int fuse_verify_ioctl_iov(struct iovec *iov, size_t count)
+{
+	size_t n;
+	u32 max = FUSE_MAX_PAGES_PER_REQ << PAGE_SHIFT;
+
+	for (n = 0; n < count; n++) {
+		if (iov->iov_len > (size_t) max)
+			return -ENOMEM;
+		max -= iov->iov_len;
+	}
+	return 0;
+}
+
 /*
  * For ioctls, there is no generic way to determine how much memory
  * needs to be read and/or written.  Furthermore, ioctls are allowed
@@ -1858,6 +1872,14 @@ long fuse_do_ioctl(struct file *file, unsigned int cmd, unsigned long arg,
 		in_iov = page_address(iov_page);
 		out_iov = in_iov + in_iovs;
 
+		err = fuse_verify_ioctl_iov(in_iov, in_iovs);
+		if (err)
+			goto out;
+
+		err = fuse_verify_ioctl_iov(out_iov, out_iovs);
+		if (err)
+			goto out;
+
 		goto retry;
 	}

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5

News mentions

0

No linked articles in our index yet.