releases/2.6.30.4/ecryptfs-parse_tag_3_packet-check-tag-3-packet-encrypted-key-size.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From f151cd2c54ddc7714e2f740681350476cda03a28 Mon Sep 17 00:00:00 2001
 From: Ramon de Carvalho Valle <ramon@risesecurity.org>
 Date: Tue, 28 Jul 2009 13:58:22 -0500
 Subject: eCryptfs: parse_tag_3_packet check tag 3 packet encrypted key size (CVE-2009-2407)

 From: Ramon de Carvalho Valle <ramon@risesecurity.org>

 commit f151cd2c54ddc7714e2f740681350476cda03a28 upstream.

 The parse_tag_3_packet function does not check if the tag 3 packet contains a
 encrypted key size larger than ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES.

 Signed-off-by: Ramon de Carvalho Valle <ramon@risesecurity.org>
 [tyhicks@linux.vnet.ibm.com: Added printk newline and changed goto to out_free]
 Signed-off-by: Tyler Hicks <tyhicks@linux.vnet.ibm.com>
 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
 Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

 ---
  fs/ecryptfs/keystore.c |    7 +++++++
  1 file changed, 7 insertions(+)

 --- a/fs/ecryptfs/keystore.c
 +++ b/fs/ecryptfs/keystore.c
 @@ -1303,6 +1303,13 @@ parse_tag_3_packet(struct ecryptfs_crypt
  	}
  	(*new_auth_tok)->session_key.encrypted_key_size =
  		(body_size - (ECRYPTFS_SALT_SIZE + 5));
 +	if ((*new_auth_tok)->session_key.encrypted_key_size
 +	    > ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES) {
 +		printk(KERN_WARNING "Tag 3 packet contains key larger "
 +		       "than ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES\n");
 +		rc = -EINVAL;
 +		goto out_free;
 +	}
  	if (unlikely(data[(*packet_size)++] != 0x04)) {
  		printk(KERN_WARNING "Unknown version number [%d]\n",
  		       data[(*packet_size) - 1]);
	From f151cd2c54ddc7714e2f740681350476cda03a28 Mon Sep 17 00:00:00 2001
	From: Ramon de Carvalho Valle <ramon@risesecurity.org>
	Date: Tue, 28 Jul 2009 13:58:22 -0500
	Subject: eCryptfs: parse_tag_3_packet check tag 3 packet encrypted key size (CVE-2009-2407)

	From: Ramon de Carvalho Valle <ramon@risesecurity.org>

	commit f151cd2c54ddc7714e2f740681350476cda03a28 upstream.

	The parse_tag_3_packet function does not check if the tag 3 packet contains a
	encrypted key size larger than ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES.

	Signed-off-by: Ramon de Carvalho Valle <ramon@risesecurity.org>
	[tyhicks@linux.vnet.ibm.com: Added printk newline and changed goto to out_free]
	Signed-off-by: Tyler Hicks <tyhicks@linux.vnet.ibm.com>
	Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
	Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

	---
	fs/ecryptfs/keystore.c \| 7 +++++++
	1 file changed, 7 insertions(+)

	--- a/fs/ecryptfs/keystore.c
	+++ b/fs/ecryptfs/keystore.c
	@@ -1303,6 +1303,13 @@ parse_tag_3_packet(struct ecryptfs_crypt
	}
	(*new_auth_tok)->session_key.encrypted_key_size =
	(body_size - (ECRYPTFS_SALT_SIZE + 5));
	+ if ((*new_auth_tok)->session_key.encrypted_key_size
	+ > ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES) {
	+ printk(KERN_WARNING "Tag 3 packet contains key larger "
	+ "than ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES\n");
	+ rc = -EINVAL;
	+ goto out_free;
	+ }
	if (unlikely(data[(*packet_size)++] != 0x04)) {
	printk(KERN_WARNING "Unknown version number [%d]\n",
	data[(*packet_size) - 1]);