FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Ubuntu > Ubuntu Kernel Team

 
 
LinkBack Thread Tools
 
Old 03-05-2012, 11:21 AM
Colin King
 
Default eCryptfs: Sanitize write counts of /dev/ecryptfs

From: Colin Ian King <colin.king@canonical.com>

BugLink: http://bugs.launchpad.net/bugs/947075

SRU justification:

Impact:

A malicious count value specified when writing to /dev/ecryptfs may
result in a very large kernel memory allocation.

Fix:

Upstream commit db10e556518eb9d21ee92ff944530d84349684f4

Test case:

By crafting a ECRYPTFS_MSG_RESPONSE packet and passing a large
write size we can cause a large kernel memory allocation. With
the fix EINVAL is returned. See the example code below:

#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>

int main(void)
{
unsigned char buf[] = { 103, 0, 0, 0, 0, 220 };
ssize_t written;
int miscdev;

miscdev = open("/dev/ecryptfs", O_WRONLY);
if (miscdev < 0)
return 1;

written = write(miscdev, buf, 1073741824);

close(miscdev);

/* The write should fail */
return written < 0 ? 0 : 2;
}


Note: This patch has already been picked up in Lucid as part of
the stable updates process, but got overlooked for Natty.

Tyler Hicks (1):
eCryptfs: Extend array bounds for all filename chars

fs/ecryptfs/crypto.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)

--
1.7.9


--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team
 

Thread Tools




All times are GMT. The time now is 09:13 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org