'patch ecryptfs-check-tag-11-literal-data-buffer-size.patch added to 2.6.30-stable tree'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       linux-stable-commits
Subject:    patch ecryptfs-check-tag-11-literal-data-buffer-size.patch added to 2.6.30-stable tree
From:       <gregkh () suse ! de>
Date:       2009-07-28 22:42:16
Message-ID: 20090728224900.1E8F249108 () coco ! kroah ! org
[Download RAW message or body]


This is a note to let you know that we have just queued up the patch titled

    Subject: eCryptfs: Check Tag 11 literal data buffer size (CVE-2009-2406)

to the 2.6.30-stable tree.  Its filename is

    ecryptfs-check-tag-11-literal-data-buffer-size.patch

A git repo of this tree can be found at 
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary


From 6352a29305373ae6196491e6d4669f301e26492e Mon Sep 17 00:00:00 2001
From: Tyler Hicks <tyhicks@linux.vnet.ibm.com>
Date: Tue, 28 Jul 2009 13:57:01 -0500
Subject: eCryptfs: Check Tag 11 literal data buffer size (CVE-2009-2406)

From: Tyler Hicks <tyhicks@linux.vnet.ibm.com>

commit 6352a29305373ae6196491e6d4669f301e26492e upstream.

Tag 11 packets are stored in the metadata section of an eCryptfs file to
store the key signature(s) used to encrypt the file encryption key.
After extracting the packet length field to determine the key signature
length, a check is not performed to see if the length would exceed the
key signature buffer size that was passed into parse_tag_11_packet().

Thanks to Ramon de Carvalho Valle for finding this bug using fsfuzzer.

Signed-off-by: Tyler Hicks <tyhicks@linux.vnet.ibm.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 fs/ecryptfs/keystore.c |    6 ++++++
 1 file changed, 6 insertions(+)

--- a/fs/ecryptfs/keystore.c
+++ b/fs/ecryptfs/keystore.c
@@ -1449,6 +1449,12 @@ parse_tag_11_packet(unsigned char *data,
 		rc = -EINVAL;
 		goto out;
 	}
+	if (unlikely((*tag_11_contents_size) > max_contents_bytes)) {
+		printk(KERN_ERR "Literal data section in tag 11 packet exceeds "
+		       "expected size\n");
+		rc = -EINVAL;
+		goto out;
+	}
 	if (data[(*packet_size)++] != 0x62) {
 		printk(KERN_WARNING "Unrecognizable packet\n");
 		rc = -EINVAL;


Patches currently in stable-queue which might be from tyhicks@linux.vnet.ibm.com are

queue-2.6.30/ecryptfs-check-tag-11-literal-data-buffer-size.patch
queue-2.6.30/ecryptfs-parse_tag_3_packet-check-tag-3-packet-encrypted-key-size.patch
--
To unsubscribe from this list: send the line "unsubscribe stable-commits" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic