From: Greg Kroah-Hartman Date: Tue, 28 Jul 2009 22:41:54 +0000 (-0700) Subject: more .30 patches X-Git-Tag: v2.6.30.4~6 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=30d22c66b067fda491ca9b7cf81ab752542dc2c3;p=thirdparty%2Fkernel%2Fstable-queue.git more .30 patches
---
diff --git a/queue-2.6.30/ecryptfs-check-tag-11-literal-data-buffer-size.patch b/queue-2.6.30/ecryptfs-check-tag-11-literal-data-buffer-size.patch
new file mode 100644
index 00000000000..5c8250a98fe
--- /dev/null
+++ b/queue-2.6.30/ecryptfs-check-tag-11-literal-data-buffer-size.patch
@@ -0,0 +1,40 @@
+From 6352a29305373ae6196491e6d4669f301e26492e Mon Sep 17 00:00:00 2001
+From: Tyler Hicks
+Date: Tue, 28 Jul 2009 13:57:01 -0500
+Subject: eCryptfs: Check Tag 11 literal data buffer size (CVE-2009-2406)
+
+From: Tyler Hicks
+
+commit 6352a29305373ae6196491e6d4669f301e26492e upstream.
+
+Tag 11 packets are stored in the metadata section of an eCryptfs file to
+store the key signature(s) used to encrypt the file encryption key.
+After extracting the packet length field to determine the key signature
+length, a check is not performed to see if the length would exceed the
+key signature buffer size that was passed into parse_tag_11_packet().
+
+Thanks to Ramon de Carvalho Valle for finding this bug using fsfuzzer.
+
+Signed-off-by: Tyler Hicks
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/ecryptfs/keystore.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/fs/ecryptfs/keystore.c
++++ b/fs/ecryptfs/keystore.c
+@@ -1449,6 +1449,12 @@ parse_tag_11_packet(unsigned char *data,
+ rc = -EINVAL;
+ goto out;
+ }
++ if (unlikely((*tag_11_contents_size) > max_contents_bytes)) {
++ printk(KERN_ERR "Literal data section in tag 11 packet exceeds "
++ "expected size\n");
++ rc = -EINVAL;
++ goto out;
++ }
+ if (data[(*packet_size)++] != 0x62) {
+ printk(KERN_WARNING "Unrecognizable packet\n");
+ rc = -EINVAL;
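Review bot: In parse_tag_11_packet() the added bound compares `*tag_11_contents_size` after it appears to have been filled from the on-disk packet, so on this `goto out` path the out-parameter may still carry the rejected length unless the `out:` label resets it; that label and the start of the function are outside the hunk. If it is not reset there, add `(*tag_11_contents_size) = 0;` before `goto out;` so a caller that mishandles rc cannot reuse an oversized length against its signature buffer. The message is logged at KERN_ERR while the check right after it uses KERN_WARNING, and since it can be triggered by file metadata it would be worth guarding with `printk_ratelimit()`.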
diff --git a/queue-2.6.30/ecryptfs-parse_tag_3_packet-check-tag-3-packet-encrypted-key-size.patch b/queue-2.6.30/ecryptfs-parse_tag_3_packet-check-tag-3-packet-encrypted-key-size.patch
new file mode 100644
index 00000000000..74a7ee76899
--- /dev/null
+++ b/queue-2.6.30/ecryptfs-parse_tag_3_packet-check-tag-3-packet-encrypted-key-size.patch
@@ -0,0 +1,38 @@
+From f151cd2c54ddc7714e2f740681350476cda03a28 Mon Sep 17 00:00:00 2001
+From: Ramon de Carvalho Valle
+Date: Tue, 28 Jul 2009 13:58:22 -0500
+Subject: eCryptfs: parse_tag_3_packet check tag 3 packet encrypted key size (CVE-2009-2407)
+
+From: Ramon de Carvalho Valle
+
+commit f151cd2c54ddc7714e2f740681350476cda03a28 upstream.
+
+The parse_tag_3_packet function does not check if the tag 3 packet contains a
+encrypted key size larger than ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES.
+
+Signed-off-by: Ramon de Carvalho Valle
+[tyhicks@linux.vnet.ibm.com: Added printk newline and changed goto to out_free]
+Signed-off-by: Tyler Hicks
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/ecryptfs/keystore.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/fs/ecryptfs/keystore.c
++++ b/fs/ecryptfs/keystore.c
+@@ -1303,6 +1303,13 @@ parse_tag_3_packet(struct ecryptfs_crypt
+ }
+ (*new_auth_tok)->session_key.encrypted_key_size =
+ (body_size - (ECRYPTFS_SALT_SIZE + 5));
++ if ((*new_auth_tok)->session_key.encrypted_key_size
++ > ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES) {
++ printk(KERN_WARNING "Tag 3 packet contains key larger "
++ "than ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES\n");
++ rc = -EINVAL;
++ goto out_free;
++ }
+ if (unlikely(data[(*packet_size)++] != 0x04)) {
+ printk(KERN_WARNING "Unknown version number [%d]\n",
+ data[(*packet_size) - 1]);
diff --git a/queue-2.6.30/series b/queue-2.6.30/series
index ca19e8825e1..ccd5d5d1ab3 100644
--- a/queue-2.6.30/series
+++ b/queue-2.6.30/series
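Review bot: In parse_tag_3_packet() the size limit is tested on `encrypted_key_size` only after it has been computed as `body_size - (ECRYPTFS_SALT_SIZE + 5)` and stored in the new auth token, so the check relies on a lower bound on body_size that, if present, sits above this hunk. Comparing the untrusted length itself before the assignment, `if (unlikely(body_size > ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES + ECRYPTFS_SALT_SIZE + 5))`, keeps the bound independent of the subtraction and matches the `unlikely()` used by the version check that follows. Including the rejected size in the warning would also help when triaging a corrupted or crafted file. The function body starts and ends outside the hunk.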
@@ -67,3 +67,5 @@ netdev-restore-mtu-change-operation.patch
 input-wistron_btns-recognize-maxdata-pro-7000-notebooks.patch
 libata-fix-follow-up-srst-failure-path.patch
 nommu-provide-mmap_min_addr-definition.patch
+ecryptfs-check-tag-11-literal-data-buffer-size.patch
+ecryptfs-parse_tag_3_packet-check-tag-3-packet-encrypted-key-size.patch