more .30 patches
authorGreg Kroah-Hartman <gregkh@suse.de>
Tue, 28 Jul 2009 22:41:54 +0000 (15:41 -0700)
committerGreg Kroah-Hartman <gregkh@suse.de>
Tue, 28 Jul 2009 22:41:54 +0000 (15:41 -0700)
queue-2.6.30/ecryptfs-check-tag-11-literal-data-buffer-size.patch [new file with mode: 0644]
queue-2.6.30/ecryptfs-parse_tag_3_packet-check-tag-3-packet-encrypted-key-size.patch [new file with mode: 0644]
queue-2.6.30/series

diff --git a/queue-2.6.30/ecryptfs-check-tag-11-literal-data-buffer-size.patch b/queue-2.6.30/ecryptfs-check-tag-11-literal-data-buffer-size.patch
new file mode 100644 (file)
index 0000000..5c8250a
--- /dev/null
@@ -0,0 +1,40 @@
+From 6352a29305373ae6196491e6d4669f301e26492e Mon Sep 17 00:00:00 2001
+From: Tyler Hicks <tyhicks@linux.vnet.ibm.com>
+Date: Tue, 28 Jul 2009 13:57:01 -0500
+Subject: eCryptfs: Check Tag 11 literal data buffer size (CVE-2009-2406)
+
+From: Tyler Hicks <tyhicks@linux.vnet.ibm.com>
+
+commit 6352a29305373ae6196491e6d4669f301e26492e upstream.
+
+Tag 11 packets are stored in the metadata section of an eCryptfs file to
+store the key signature(s) used to encrypt the file encryption key.
+After extracting the packet length field to determine the key signature
+length, a check is not performed to see if the length would exceed the
+key signature buffer size that was passed into parse_tag_11_packet().
+
+Thanks to Ramon de Carvalho Valle for finding this bug using fsfuzzer.
+
+Signed-off-by: Tyler Hicks <tyhicks@linux.vnet.ibm.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/ecryptfs/keystore.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/fs/ecryptfs/keystore.c
++++ b/fs/ecryptfs/keystore.c
+@@ -1449,6 +1449,12 @@ parse_tag_11_packet(unsigned char *data,
+               rc = -EINVAL;
+               goto out;
+       }
++      if (unlikely((*tag_11_contents_size) > max_contents_bytes)) {
++              printk(KERN_ERR "Literal data section in tag 11 packet exceeds "
++                     "expected size\n");
++              rc = -EINVAL;
++              goto out;
++      }
+       if (data[(*packet_size)++] != 0x62) {
+               printk(KERN_WARNING "Unrecognizable packet\n");
+               rc = -EINVAL;
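Review bot: The new rejection at `if (unlikely((*tag_11_contents_size) > max_contents_bytes))` logs a fixed string, so whoever triages it cannot see how far the on-disk length exceeded the caller's buffer; printing both values would help, e.g. `"Literal data section in tag 11 packet exceeds expected size ([%zu] > [%zu])\n"`, assuming both operands are size_t (their declarations are outside the hunk). A short comment above the check would record why it exists, along the lines of `/* contents size is taken from the on-disk packet length; max_contents_bytes is the caller's buffer size */`, which is what the commit message describes. The check logs at KERN_ERR while the neighbouring "Unrecognizable packet" rejection and the tag 3 check in the second patch use KERN_WARNING; one level for malformed-packet rejections would make log filtering simpler. parse_tag_11_packet starts and ends outside the hunk, so whether the `out:` path resets `*tag_11_contents_size` on failure cannot be confirmed from here.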
diff --git a/queue-2.6.30/ecryptfs-parse_tag_3_packet-check-tag-3-packet-encrypted-key-size.patch b/queue-2.6.30/ecryptfs-parse_tag_3_packet-check-tag-3-packet-encrypted-key-size.patch
new file mode 100644 (file)
index 0000000..74a7ee7
--- /dev/null
@@ -0,0 +1,38 @@
+From f151cd2c54ddc7714e2f740681350476cda03a28 Mon Sep 17 00:00:00 2001
+From: Ramon de Carvalho Valle <ramon@risesecurity.org>
+Date: Tue, 28 Jul 2009 13:58:22 -0500
+Subject: eCryptfs: parse_tag_3_packet check tag 3 packet encrypted key size (CVE-2009-2407)
+
+From: Ramon de Carvalho Valle <ramon@risesecurity.org>
+
+commit f151cd2c54ddc7714e2f740681350476cda03a28 upstream.
+
+The parse_tag_3_packet function does not check if the tag 3 packet contains a
+encrypted key size larger than ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES.
+
+Signed-off-by: Ramon de Carvalho Valle <ramon@risesecurity.org>
+[tyhicks@linux.vnet.ibm.com: Added printk newline and changed goto to out_free]
+Signed-off-by: Tyler Hicks <tyhicks@linux.vnet.ibm.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/ecryptfs/keystore.c |    7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/fs/ecryptfs/keystore.c
++++ b/fs/ecryptfs/keystore.c
+@@ -1303,6 +1303,13 @@ parse_tag_3_packet(struct ecryptfs_crypt
+       }
+       (*new_auth_tok)->session_key.encrypted_key_size =
+               (body_size - (ECRYPTFS_SALT_SIZE + 5));
++      if ((*new_auth_tok)->session_key.encrypted_key_size
++          > ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES) {
++              printk(KERN_WARNING "Tag 3 packet contains key larger "
++                     "than ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES\n");
++              rc = -EINVAL;
++              goto out_free;
++      }
+       if (unlikely(data[(*packet_size)++] != 0x04)) {
+               printk(KERN_WARNING "Unknown version number [%d]\n",
+                      data[(*packet_size) - 1]);
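Review bot: The size check in parse_tag_3_packet runs only after the unvalidated value has been stored in `(*new_auth_tok)->session_key.encrypted_key_size`, so it is safe only if `goto out_free` discards the token, and that label is outside the hunk. Either test the computed size before the store, or add a comment such as `/* out_free drops *new_auth_tok, so the oversized size is never used */`. The subtraction `body_size - (ECRYPTFS_SALT_SIZE + 5)` also needs a lower bound on body_size; presumably the block closed by the `}` just above the assignment provides it, but that should be confirmed against the full function. As with the tag 11 check, the message does not print the offending size.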
index ca19e8825e1a6a767bafc6cf36ec6f0d170f120d..ccd5d5d1ab300ac1cf3b707bcad42cda2cf63516 100644 (file)
@@ -67,3 +67,5 @@ netdev-restore-mtu-change-operation.patch
 input-wistron_btns-recognize-maxdata-pro-7000-notebooks.patch
 libata-fix-follow-up-srst-failure-path.patch
 nommu-provide-mmap_min_addr-definition.patch
+ecryptfs-check-tag-11-literal-data-buffer-size.patch
+ecryptfs-parse_tag_3_packet-check-tag-3-packet-encrypted-key-size.patch