rpms/kernel/F-10 linux-2.6-ecryptfs-overflow-fixes.patch, NONE, 1.1 kernel.spec, 1.1395, 1.1396
Eric Sandeen
sandeen at fedoraproject.org
Tue Jul 28 20:04:18 UTC 2009
Author: sandeen
Update of /cvs/pkgs/rpms/kernel/F-10
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv6963
Modified Files:
kernel.spec
Added Files:
linux-2.6-ecryptfs-overflow-fixes.patch
Log Message:
* Tue Jul 28 2009 Eric Sandeen <sandeen at redhat.com>
- Fix eCryptfs overflow issues (CVE-2009-2406, CVE-2009-2407)
linux-2.6-ecryptfs-overflow-fixes.patch:
keystore.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
--- NEW FILE linux-2.6-ecryptfs-overflow-fixes.patch ---
[PATCH 1/2] eCryptfs: Check Tag 11 literal data buffer size
Tag 11 packets are stored in the metadata section of an eCryptfs file to
store the key signature(s) used to encrypt the file encryption key.
After extracting the packet length field to determine the key signature
length, a check is not performed to see if the length would exceed the
key signature buffer size that was passed into parse_tag_11_packet().
Thanks to Ramon de Carvalho Valle for finding this bug using fsfuzzer.
Signed-off-by: Tyler Hicks <tyhicks at linux.vnet.ibm.com>
[PATCH 2/2] eCryptfs: parse_tag_3_packet check tag 3 packet encrypted key size
The parse_tag_3_packet function does not check if the tag 3 packet contains a
encrypted key size larger than ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES.
Signed-off-by: Ramon de Carvalho Valle <ramon at risesecurity.org>
[tyhicks at linux.vnet.ibm.com: Added printk newline and changed goto to out_free]
Signed-off-by: Tyler Hicks <tyhicks at linux.vnet.ibm.com>
---
fs/ecryptfs/keystore.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
Index: linux-2.6.29.noarch/fs/ecryptfs/keystore.c
===================================================================
--- linux-2.6.29.noarch.orig/fs/ecryptfs/keystore.c
+++ linux-2.6.29.noarch/fs/ecryptfs/keystore.c
@@ -1304,6 +1304,13 @@ parse_tag_3_packet(struct ecryptfs_crypt
}
(*new_auth_tok)->session_key.encrypted_key_size =
(body_size - (ECRYPTFS_SALT_SIZE + 5));
+ if ((*new_auth_tok)->session_key.encrypted_key_size
+ > ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES) {
+ printk(KERN_WARNING "Tag 3 packet contains key larger "
+ "than ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES\n");
+ rc = -EINVAL;
+ goto out_free;
+ }
if (unlikely(data[(*packet_size)++] != 0x04)) {
printk(KERN_WARNING "Unknown version number [%d]\n",
data[(*packet_size) - 1]);
@@ -1450,6 +1457,12 @@ parse_tag_11_packet(unsigned char *data,
rc = -EINVAL;
goto out;
}
+ if (unlikely((*tag_11_contents_size) > max_contents_bytes)) {
+ printk(KERN_ERR "Literal data section in tag 11 packet exceeds "
+ "expected size\n");
+ rc = -EINVAL;
+ goto out;
+ }
if (data[(*packet_size)++] != 0x62) {
printk(KERN_WARNING "Unrecognizable packet\n");
rc = -EINVAL;
Index: kernel.spec
===================================================================
RCS file: /cvs/pkgs/rpms/kernel/F-10/kernel.spec,v
retrieving revision 1.1395
retrieving revision 1.1396
diff -u -p -r1.1395 -r1.1396
--- kernel.spec 23 Jul 2009 15:13:22 -0000 1.1395
+++ kernel.spec 28 Jul 2009 20:04:17 -0000 1.1396
@@ -720,6 +720,7 @@ Patch2922: fs-relatime-make-default.patc
Patch2950: linux-2.6-kjournald-use-rt-io-priority.patch
Patch3000: linux-2.6-btrfs-unstable-update.patch
+Patch3001: linux-2.6-ecryptfs-overflow-fixes.patch
Patch9000: squashfs3.patch
Patch9001: squashfs-fixups.patch
@@ -1221,6 +1222,9 @@ ApplyPatch linux-2.6-kjournald-use-rt-io
# btrfs
ApplyPatch linux-2.6-btrfs-unstable-update.patch
+# eCryptfs
+ApplyPatch linux-2.6-ecryptfs-overflow-fixes.patch
+
# USB
# ACPI
@@ -1983,6 +1987,9 @@ fi
%kernel_variant_files -k vmlinux %{with_kdump} kdump
%changelog
+* Tue Jul 28 2009 Eric Sandeen <sandeen at redhat.com>
+- Fix eCryptfs overflow issues (CVE-2009-2406, CVE-2009-2407)
+
* Thu Jul 23 2009 Jarod Wilson <jarod at redhat.com>
- virtio_blk: don't bounce highmem requests, works around a frequent
oops in kvm guests using virtio block devices (#510304)
More information about the fedora-extras-commits
mailing list