commit 6352a29305373ae6196491e6d4669f301e26492e · tjh.dev/kernel

tjh.dev / kernel

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

eCryptfs: Check Tag 11 literal data buffer size

Tag 11 packets are stored in the metadata section of an eCryptfs file to
store the key signature(s) used to encrypt the file encryption key.
After extracting the packet length field to determine the key signature
length, a check is not performed to see if the length would exceed the
key signature buffer size that was passed into parse_tag_11_packet().

Thanks to Ramon de Carvalho Valle for finding this bug using fsfuzzer.

Signed-off-by: Tyler Hicks <tyhicks@linux.vnet.ibm.com>
Cc: stable@kernel.org (2.6.27 and 30)
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

authored by Tyler Hicks and committed by Linus Torvalds 16 years ago 6352a293 4733fd32

1 changed file

expand all

unified split

ecryptfs

keystore.c

fs/ecryptfs/keystore.c

··· 1449 rc = -EINVAL; 1450 goto out; 1451 } 1452 if (data[(*packet_size)++] != 0x62) { 1453 printk(KERN_WARNING "Unrecognizable packet\n"); 1454 rc = -EINVAL;

··· 1449 rc = -EINVAL; 1450 goto out; 1451 } 1452 + if (unlikely((*tag_11_contents_size) > max_contents_bytes)) { 1453 + printk(KERN_ERR "Literal data section in tag 11 packet exceeds " 1454 + "expected size\n"); 1455 + rc = -EINVAL; 1456 + goto out; 1457 + } 1458 if (data[(*packet_size)++] != 0x62) { 1459 printk(KERN_WARNING "Unrecognizable packet\n"); 1460 rc = -EINVAL;