system/linux
system/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux synced 2024-09-22 03:55:39 +00:00
Code Issues Packages Projects Releases Wiki Activity

eCryptfs: Check Tag 11 literal data buffer size

Browse source 
Tag 11 packets are stored in the metadata section of an eCryptfs file to
store the key signature(s) used to encrypt the file encryption key.
After extracting the packet length field to determine the key signature
length, a check is not performed to see if the length would exceed the
key signature buffer size that was passed into parse_tag_11_packet().

Thanks to Ramon de Carvalho Valle for finding this bug using fsfuzzer.

Signed-off-by: Tyler Hicks <tyhicks@linux.vnet.ibm.com>
Cc: stable@kernel.org (2.6.27 and 30)
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
This commit is contained in:
Tyler Hicks 2009-07-28 13:57:01 -05:00 committed by Linus Torvalds
parent 4733fd328f
commit 6352a29305
1 changed files with 6 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
fs/ecryptfs/keystore.c
View file

@ -1449,6 +1449,12 @@ parse_tag_11_packet(unsigned char *data, unsigned char *contents,
rc = -EINVAL;
goto out;
}
if (unlikely((*tag_11_contents_size) > max_contents_bytes)) {
printk(KERN_ERR "Literal data section in tag 11 packet exceeds "
"expected size\n");
rc = -EINVAL;
goto out;
}
if (data[(*packet_size)++] != 0x62) {
printk(KERN_WARNING "Unrecognizable packet\n");
rc = -EINVAL;