libfuse
cpe:2.3:a:libfuse_project:libfuse:*:*:*:*:*:*:*
- >= 3.18.0, < 3.18.2
A vulnerability has been identified in libfuse versions 3.18.0 prior to 3.18.2: a NULL pointer dereference and a memory leak in the function 'fuse_uring_init_queue', which is part of the io_uring transport. It allows a local user to crash the FUSE daemon or cause resource exhaustion. The root cause is that 'numa_alloc_local' is called to allocate memory for request headers and payloads without checking whether the allocation succeeded; if it fails, execution continues with NULL pointers, and the daemon crashes when the io_uring queue is used. Additionally, when 'fuse_uring_register_queue' fails, the function incorrectly reports success, so the memory from the preceding NUMA allocations is leaked. The vulnerability has been confirmed with a proof of concept that uses AddressSanitizer and LeakSanitizer.
Exploitation of this vulnerability can lead to a denial-of-service condition by causing the FUSE daemon to crash or by exhausting system resources through leaked memory.
Users can upgrade to libfuse version 3.18.2 or later to address this vulnerability.
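The two defects described above (an unchecked allocation and an error path that returns success) follow a common shape. The C below is an added illustration, not libfuse's code: the allocator and registration call are constructed fault-injection stand-ins (`numa_alloc_local_sim`, `register_queue_sim`), and the queue struct and function names are hypothetical. It shows the vulnerable shape beside the hardened one, where every failure path frees what was allocated and returns a negative errno.

```c
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>

/* Constructed stand-ins for the NUMA allocator and the queue registration call,
 * so both error paths can be driven deterministically. Not libfuse's functions. */
static int g_fail_alloc_no = -1;   /* -1: never fail; n: the n-th allocation (0-based) returns NULL */
static int g_alloc_calls;          /* allocations attempted since sim_reset() */
static int g_live_allocs;          /* allocations not yet freed; >0 after a failed init is a leak */
static int g_register_fails;       /* 1: registration reports failure */

void sim_reset(int fail_alloc_no, int register_fails) {
    g_fail_alloc_no = fail_alloc_no; g_alloc_calls = 0;
    g_live_allocs = 0; g_register_fails = register_fails;
}
static void *numa_alloc_local_sim(size_t size) {
    if (g_fail_alloc_no >= 0 && g_alloc_calls++ == g_fail_alloc_no) return NULL;
    g_live_allocs++;
    return calloc(1, size);
}
static void numa_free_sim(void *p) { if (p) { free(p); g_live_allocs--; } }
static int register_queue_sim(void) { return g_register_fails ? -1 : 0; }
int sim_live_allocs(void) { return g_live_allocs; }

struct uring_queue { void *headers; void *payloads; };

/* Vulnerable shape: allocations are not checked and a registration failure is
 * reported as success. A caller trusting the 0 return later dereferences NULL
 * buffers, and on registration failure the two buffers are never freed. */
int queue_init_unchecked(struct uring_queue *q, size_t hdr_sz, size_t pl_sz) {
    q->headers = numa_alloc_local_sim(hdr_sz);
    q->payloads = numa_alloc_local_sim(pl_sz);
    register_queue_sim();      /* result ignored */
    return 0;
}

/* Hardened shape: each allocation is checked, and every failure path releases
 * what was already allocated before returning a negative errno. */
int queue_init_checked(struct uring_queue *q, size_t hdr_sz, size_t pl_sz) {
    q->headers = numa_alloc_local_sim(hdr_sz);
    if (!q->headers) return -ENOMEM;
    q->payloads = numa_alloc_local_sim(pl_sz);
    if (!q->payloads) { numa_free_sim(q->headers); q->headers = NULL; return -ENOMEM; }
    if (register_queue_sim() != 0) {
        numa_free_sim(q->payloads); numa_free_sim(q->headers);
        q->headers = q->payloads = NULL;
        return -EIO;
    }
    return 0;
}
```

Running the unchecked variant under LeakSanitizer with registration forced to fail reports the two lost buffers, which is the check the advisory's proof of concept relies on.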