rpms/kernel/F-10 linux-2.6-ecryptfs-overflow-fixes.patch, NONE, 1.1 kernel.spec, 1.1395, 1.1396

[Eric Sandeen]

Author: sandeen

Update of /cvs/pkgs/rpms/kernel/F-10
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv6963

Modified Files:
	kernel.spec 
Added Files:
	linux-2.6-ecryptfs-overflow-fixes.patch 
Log Message:
* Tue Jul 28 2009 Eric Sandeen <sandeen at redhat.com>
- Fix eCryptfs overflow issues (CVE-2009-2406, CVE-2009-2407)


linux-2.6-ecryptfs-overflow-fixes.patch:
 keystore.c |   13 +++++++++++++
 1 file changed, 13 insertions(+)

--- NEW FILE linux-2.6-ecryptfs-overflow-fixes.patch ---
[PATCH 1/2] eCryptfs: Check Tag 11 literal data buffer size

Tag 11 packets are stored in the metadata section of an eCryptfs file to
store the key signature(s) used to encrypt the file encryption key.
After extracting the packet length field to determine the key signature
length, a check is not performed to see if the length would exceed the
key signature buffer size that was passed into parse_tag_11_packet().

Thanks to Ramon de Carvalho Valle for finding this bug using fsfuzzer.

Signed-off-by: Tyler Hicks <tyhicks at linux.vnet.ibm.com>

[PATCH 2/2] eCryptfs: parse_tag_3_packet check tag 3 packet encrypted key size

The parse_tag_3_packet function does not check if the tag 3 packet contains a
encrypted key size larger than ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES.

Signed-off-by: Ramon de Carvalho Valle <ramon at risesecurity.org>
[tyhicks at linux.vnet.ibm.com: Added printk newline and changed goto to out_free]
Signed-off-by: Tyler Hicks <tyhicks at linux.vnet.ibm.com>
---
 fs/ecryptfs/keystore.c |   13 +++++++++++++
 1 file changed, 13 insertions(+)

Index: linux-2.6.29.noarch/fs/ecryptfs/keystore.c
===================================================================
--- linux-2.6.29.noarch.orig/fs/ecryptfs/keystore.c
+++ linux-2.6.29.noarch/fs/ecryptfs/keystore.c
@@ -1304,6 +1304,13 @@ parse_tag_3_packet(struct ecryptfs_crypt
 	}
 	(*new_auth_tok)->session_key.encrypted_key_size =
 		(body_size - (ECRYPTFS_SALT_SIZE + 5));
+	if ((*new_auth_tok)->session_key.encrypted_key_size
+	    > ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES) {
+		printk(KERN_WARNING "Tag 3 packet contains key larger "
+		       "than ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES\n");
+		rc = -EINVAL;
+		goto out_free;
+	}
 	if (unlikely(data[(*packet_size)++] != 0x04)) {
 		printk(KERN_WARNING "Unknown version number [%d]\n",
 		       data[(*packet_size) - 1]);
@@ -1450,6 +1457,12 @@ parse_tag_11_packet(unsigned char *data,
 		rc = -EINVAL;
 		goto out;
 	}
+	if (unlikely((*tag_11_contents_size) > max_contents_bytes)) {
+		printk(KERN_ERR "Literal data section in tag 11 packet exceeds "
+		       "expected size\n");
+		rc = -EINVAL;
+		goto out;
+	}
 	if (data[(*packet_size)++] != 0x62) {
 		printk(KERN_WARNING "Unrecognizable packet\n");
 		rc = -EINVAL;


Index: kernel.spec
===================================================================
RCS file: /cvs/pkgs/rpms/kernel/F-10/kernel.spec,v
retrieving revision 1.1395
retrieving revision 1.1396
diff -u -p -r1.1395 -r1.1396
--- kernel.spec	23 Jul 2009 15:13:22 -0000	1.1395
+++ kernel.spec	28 Jul 2009 20:04:17 -0000	1.1396
@@ -720,6 +720,7 @@ Patch2922: fs-relatime-make-default.patc
 Patch2950: linux-2.6-kjournald-use-rt-io-priority.patch
 
 Patch3000: linux-2.6-btrfs-unstable-update.patch
+Patch3001: linux-2.6-ecryptfs-overflow-fixes.patch
 
 Patch9000: squashfs3.patch
 Patch9001: squashfs-fixups.patch
@@ -1221,6 +1222,9 @@ ApplyPatch linux-2.6-kjournald-use-rt-io
 # btrfs
 ApplyPatch linux-2.6-btrfs-unstable-update.patch
 
+# eCryptfs
+ApplyPatch linux-2.6-ecryptfs-overflow-fixes.patch
+
 # USB
 
 # ACPI
@@ -1983,6 +1987,9 @@ fi
 %kernel_variant_files -k vmlinux %{with_kdump} kdump
 
 %changelog
+* Tue Jul 28 2009 Eric Sandeen <sandeen at redhat.com>
+- Fix eCryptfs overflow issues (CVE-2009-2406, CVE-2009-2407)
+
 * Thu Jul 23 2009 Jarod Wilson <jarod at redhat.com>
 - virtio_blk: don't bounce highmem requests, works around a frequent
   oops in kvm guests using virtio block devices (#510304)