rpms/kernel/devel linux-2.6-ecryptfs-overflow-fixes.patch, NONE, 1.1 kernel.spec, 1.1665, 1.1666

[Eric Sandeen]

Author: sandeen

Update of /cvs/pkgs/rpms/kernel/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv25729

Modified Files:
	kernel.spec 
Added Files:
	linux-2.6-ecryptfs-overflow-fixes.patch 
Log Message:
* Tue Jul 28 2009 Eric Sandeen <sandeen at redhat.com> 2.6.31-0.102.rc4.git2
- Fix eCryptfs overflow issues (CVE-2009-2406, CVE-2009-2407)


linux-2.6-ecryptfs-overflow-fixes.patch:
 keystore.c |   13 +++++++++++++
 1 file changed, 13 insertions(+)

--- NEW FILE linux-2.6-ecryptfs-overflow-fixes.patch ---
[PATCH 1/2] eCryptfs: Check Tag 11 literal data buffer size

Tag 11 packets are stored in the metadata section of an eCryptfs file to
store the key signature(s) used to encrypt the file encryption key.
After extracting the packet length field to determine the key signature
length, a check is not performed to see if the length would exceed the
key signature buffer size that was passed into parse_tag_11_packet().

Thanks to Ramon de Carvalho Valle for finding this bug using fsfuzzer.

Signed-off-by: Tyler Hicks <tyhicks at linux.vnet.ibm.com>

[PATCH 2/2] eCryptfs: parse_tag_3_packet check tag 3 packet encrypted key size

The parse_tag_3_packet function does not check if the tag 3 packet contains a
encrypted key size larger than ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES.

Signed-off-by: Ramon de Carvalho Valle <ramon at risesecurity.org>
[tyhicks at linux.vnet.ibm.com: Added printk newline and changed goto to out_free]
Signed-off-by: Tyler Hicks <tyhicks at linux.vnet.ibm.com>
---
 fs/ecryptfs/keystore.c |   13 +++++++++++++
 1 file changed, 13 insertions(+)

Index: linux-2.6.30.noarch/fs/ecryptfs/keystore.c
===================================================================
--- linux-2.6.30.noarch.orig/fs/ecryptfs/keystore.c
+++ linux-2.6.30.noarch/fs/ecryptfs/keystore.c
@@ -1303,6 +1303,13 @@ parse_tag_3_packet(struct ecryptfs_crypt
 	}
 	(*new_auth_tok)->session_key.encrypted_key_size =
 		(body_size - (ECRYPTFS_SALT_SIZE + 5));
+	if ((*new_auth_tok)->session_key.encrypted_key_size
+	    > ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES) {
+		printk(KERN_WARNING "Tag 3 packet contains key larger "
+		       "than ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES\n");
+		rc = -EINVAL;
+		goto out_free;
+	}
 	if (unlikely(data[(*packet_size)++] != 0x04)) {
 		printk(KERN_WARNING "Unknown version number [%d]\n",
 		       data[(*packet_size) - 1]);
@@ -1455,6 +1462,12 @@ parse_tag_11_packet(unsigned char *data,
 		rc = -EINVAL;
 		goto out;
 	}
+	if (unlikely((*tag_11_contents_size) > max_contents_bytes)) {
+		printk(KERN_ERR "Literal data section in tag 11 packet exceeds "
+		       "expected size\n");
+		rc = -EINVAL;
+		goto out;
+	}
 	if (data[(*packet_size)++] != 0x62) {
 		printk(KERN_WARNING "Unrecognizable packet\n");
 		rc = -EINVAL;


Index: kernel.spec
===================================================================
RCS file: /cvs/pkgs/rpms/kernel/devel/kernel.spec,v
retrieving revision 1.1665
retrieving revision 1.1666
diff -u -p -r1.1665 -r1.1666
--- kernel.spec	28 Jul 2009 16:03:52 -0000	1.1665
+++ kernel.spec	28 Jul 2009 19:35:14 -0000	1.1666
@@ -607,6 +607,8 @@ Patch150: linux-2.6.29-sparc-IOC_TYPECHE
 
 Patch160: linux-2.6-execshield.patch
 
+Patch200: linux-2.6-ecryptfs-overflow-fixes.patch
+
 Patch250: linux-2.6-debug-sizeof-structs.patch
 Patch260: linux-2.6-debug-nmi-timeout.patch
 Patch270: linux-2.6-debug-taint-vm.patch
@@ -1151,6 +1153,9 @@ ApplyPatch linux-2.6-execshield.patch
 
 # btrfs
 
+# eCryptfs
+ApplyPatch linux-2.6-ecryptfs-overflow-fixes.patch
+
 # NFSv4
 ApplyPatch linux-2.6-nfsd4-proots.patch
 
@@ -1898,8 +1903,8 @@ fi
 # and build.
 
 %changelog
-* Tue Jul 28 2009 Ben Skeggs <bskeggs at redhat.com>
-- drm-nouveau.patch: tile shared fb area on nv50
+* Tue Jul 28 2009 Eric Sandeen <sandeen at redhat.com> 2.6.31-0.102.rc4.git2
+- Fix eCryptfs overflow issues (CVE-2009-2406, CVE-2009-2407)
 
 * Tue Jul 28 2009 Kyle McMartin <kyle at redhat.com> 2.6.31-0.101.rc4.git2
 - 2.6.31-rc4-git2