| From f151cd2c54ddc7714e2f740681350476cda03a28 Mon Sep 17 00:00:00 2001 |
| From: Ramon de Carvalho Valle <ramon@risesecurity.org> |
| Date: Tue, 28 Jul 2009 13:58:22 -0500 |
| Subject: eCryptfs: parse_tag_3_packet check tag 3 packet encrypted key size (CVE-2009-2407) |
| |
| From: Ramon de Carvalho Valle <ramon@risesecurity.org> |
| |
| commit f151cd2c54ddc7714e2f740681350476cda03a28 upstream. |
| |
| The parse_tag_3_packet function does not check if the tag 3 packet contains a |
| encrypted key size larger than ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES. |
| |
| Signed-off-by: Ramon de Carvalho Valle <ramon@risesecurity.org> |
| [tyhicks@linux.vnet.ibm.com: Added printk newline and changed goto to out_free] |
| Signed-off-by: Tyler Hicks <tyhicks@linux.vnet.ibm.com> |
| Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> |
| |
| --- |
| fs/ecryptfs/keystore.c | 7 +++++++ |
| 1 file changed, 7 insertions(+) |
| |
| --- a/fs/ecryptfs/keystore.c |
| +++ b/fs/ecryptfs/keystore.c |
| @@ -1303,6 +1303,13 @@ parse_tag_3_packet(struct ecryptfs_crypt |
| } |
| (*new_auth_tok)->session_key.encrypted_key_size = |
| (body_size - (ECRYPTFS_SALT_SIZE + 5)); |
| + if ((*new_auth_tok)->session_key.encrypted_key_size |
| + > ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES) { |
| + printk(KERN_WARNING "Tag 3 packet contains key larger " |
| + "than ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES\n"); |
| + rc = -EINVAL; |
| + goto out_free; |
| + } |
| if (unlikely(data[(*packet_size)++] != 0x04)) { |
| printk(KERN_WARNING "Unknown version number [%d]\n", |
| data[(*packet_size) - 1]); |