Ack: Re: [Natty][SRU][PATCH 0/1] eCryptfs: Extend array bounds for all filename chars

Herton Ronaldo Krzesinski herton.krzesinski at canonical.com
Fri Mar 2 18:05:09 UTC 2012


On Fri, Mar 02, 2012 at 05:44:01PM +0000, Colin King wrote:
> From: Colin Ian King <colin.king at canonical.com>
> 
> BugLink: http://bugs.launchpad.net/bugs/944990
> 
> SRU justification:
> 
> Impact:
> 
> From mhalcrow's original commit message:
>     
>  Characters with ASCII values greater than the size of
>  filename_rev_map[] are valid filename characters.
>  ecryptfs_decode_from_filename() will access kernel memory beyond
>  that array, and ecryptfs_parse_tag_70_packet() will then decrypt
>  those characters. The attacker, using the FNEK of the crafted file,
>  can then re-encrypt the characters to reveal the kernel memory past
>  the end of the filename_rev_map[] array. I expect low security
>  impact since this array is statically allocated in the text area,
>  and the amount of memory past the array that is accessible is
>  limited by the largest possible ASCII filename character.
> 
> Fix:
> 
> Upstream commit 0f751e641a71157aa584c2a2e22fda52b52b8a56
> 
> Note: This patch has already been picked up in Lucid as part of
> the stable updates process, but got overlooked for Natty.
> 
> Tyler Hicks (1):
>   eCryptfs: Extend array bounds for all filename chars
> 
>  fs/ecryptfs/crypto.c |    4 ++--
>  1 files changed, 2 insertions(+), 2 deletions(-)
> 
> -- 
> 1.7.9
> 
> 
> -- 
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
> 

-- 
[]'s
Herton




More information about the kernel-team mailing list