| From 6352a29305373ae6196491e6d4669f301e26492e Mon Sep 17 00:00:00 2001 |
| From: Tyler Hicks <tyhicks@linux.vnet.ibm.com> |
| Date: Tue, 28 Jul 2009 13:57:01 -0500 |
| Subject: eCryptfs: Check Tag 11 literal data buffer size (CVE-2009-2406) |
| |
| From: Tyler Hicks <tyhicks@linux.vnet.ibm.com> |
| |
| commit 6352a29305373ae6196491e6d4669f301e26492e upstream. |
| |
| Tag 11 packets are stored in the metadata section of an eCryptfs file to |
| store the key signature(s) used to encrypt the file encryption key. |
| After extracting the packet length field to determine the key signature |
| length, a check is not performed to see if the length would exceed the |
| key signature buffer size that was passed into parse_tag_11_packet(). |
| |
| Thanks to Ramon de Carvalho Valle for finding this bug using fsfuzzer. |
| |
| Signed-off-by: Tyler Hicks <tyhicks@linux.vnet.ibm.com> |
| Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> |
| |
| --- |
| fs/ecryptfs/keystore.c | 6 ++++++ |
| 1 file changed, 6 insertions(+) |
| |
| --- a/fs/ecryptfs/keystore.c |
| +++ b/fs/ecryptfs/keystore.c |
| @@ -1449,6 +1449,12 @@ parse_tag_11_packet(unsigned char *data, |
| rc = -EINVAL; |
| goto out; |
| } |
| + if (unlikely((*tag_11_contents_size) > max_contents_bytes)) { |
| + printk(KERN_ERR "Literal data section in tag 11 packet exceeds " |
| + "expected size\n"); |
| + rc = -EINVAL; |
| + goto out; |
| + } |
| if (data[(*packet_size)++] != 0x62) { |
| printk(KERN_WARNING "Unrecognizable packet\n"); |
| rc = -EINVAL; |
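Review bot: The new guard `if (unlikely((*tag_11_contents_size) > max_contents_bytes))` has no comment saying that the length is parsed from on-disk packet data and that `max_contents_bytes` is the caller's buffer size, which is the reason the check exists. I would add `/* length is read from the on-disk packet; reject it before it can overrun the caller's contents buffer */` above it. The printk also omits both values, so a log line caused by a corrupted or crafted lower file is hard to triage. Appending them would help, e.g. `"... exceeds expected size (%zu > %zu)\n", *tag_11_contents_size, max_contents_bytes`, assuming both are `size_t` (the declarations are outside the hunk). The copy this guard protects and the computation of `*tag_11_contents_size` are also outside the hunk, so it is worth confirming that the guard precedes the copy and that the earlier length arithmetic cannot wrap.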