]> git.ipfire.org Git - thirdparty/kernel/stable.git/commitdiff
eCryptfs: Check Tag 11 literal data buffer size (CVE-2009-2406)
authorTyler Hicks <tyhicks@linux.vnet.ibm.com>
Tue, 28 Jul 2009 18:57:01 +0000 (13:57 -0500)
committerGreg Kroah-Hartman <gregkh@suse.de>
Thu, 30 Jul 2009 21:40:35 +0000 (14:40 -0700)
commit 6352a29305373ae6196491e6d4669f301e26492e upstream.

Tag 11 packets are stored in the metadata section of an eCryptfs file to
store the key signature(s) used to encrypt the file encryption key.
After extracting the packet length field to determine the key signature
length, a check is not performed to see if the length would exceed the
key signature buffer size that was passed into parse_tag_11_packet().

Thanks to Ramon de Carvalho Valle for finding this bug using fsfuzzer.

Signed-off-by: Tyler Hicks <tyhicks@linux.vnet.ibm.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
fs/ecryptfs/keystore.c

index af737bb56cb71942ebed99c9bad8eb6a34bdaeb8..5414253d4c970d28f792c2790768341d65597216 100644 (file)
@@ -1449,6 +1449,12 @@ parse_tag_11_packet(unsigned char *data, unsigned char *contents,
                rc = -EINVAL;
                goto out;
        }
+       if (unlikely((*tag_11_contents_size) > max_contents_bytes)) {
+               printk(KERN_ERR "Literal data section in tag 11 packet exceeds "
+                      "expected size\n");
+               rc = -EINVAL;
+               goto out;
+       }
        if (data[(*packet_size)++] != 0x62) {
                printk(KERN_WARNING "Unrecognizable packet\n");
                rc = -EINVAL;