From: Eric Sandeen <sandeen@redhat.com> Date: Wed, 22 Jul 2009 15:44:10 -0500 Subject: [fs] ecryptfs: check tag 3 packet encrypted key size Message-id: 4A677A1A.7030305@redhat.com O-Subject: [kernel team] [PATCH RHEL5.4] ecryptfs: check tag 3 packet encrypted key size Bugzilla: 512887 RH-Acked-by: David Miller <davem@redhat.com> RH-Acked-by: David Howells <dhowells@redhat.com> RH-Acked-by: Thomas Graf <tgraf@redhat.com> CVE: CVE-2009-2407 RH-Acked-by: Alexander Viro <aviro@redhat.com> This is another case of using a value from disk as a size argument to a memcpy. This one is probably less severe as it is overwriting a kmem_zalloc'd area rather than something on the stack. Tested again w/ an image & prepared file sent by Tyler Hicks, the upstream maintainer Patch from the reporter, via Tyler: The parse_tag_3_packet function does not check if the tag 3 packet contains a encrypted key size larger than ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES. Signed-off-by: Ramon de Carvalho Valle <ramon@risesecurity.org> Signed-off-by: Tyler Hicks <tyhicks@linux.vnet.ibm.com> diff --git a/fs/ecryptfs/keystore.c b/fs/ecryptfs/keystore.c index 47986d6..0e5bbc0 100644 --- a/fs/ecryptfs/keystore.c +++ b/fs/ecryptfs/keystore.c @@ -730,6 +730,13 @@ parse_tag_3_packet(struct ecryptfs_crypt_stat *crypt_stat, } (*new_auth_tok)->session_key.encrypted_key_size = (body_size - (ECRYPTFS_SALT_SIZE + 5)); + if ((*new_auth_tok)->session_key.encrypted_key_size + > ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES) { + printk(KERN_WARNING "Tag 3 packet contains key larger " + "than ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES\n"); + rc = -EINVAL; + goto out_free; + } if (unlikely(data[(*packet_size)++] != 0x04)) { printk(KERN_WARNING "Unknown version number [%d]\n", data[(*packet_size) - 1]);