ACK: [Natty][SRU][PATCH 0/1] eCryptfs: Sanitize write counts of /dev/ecryptfs

Tim Gardner rtg.canonical at gmail.com
Mon Mar 5 13:23:40 UTC 2012


On 03/05/2012 05:21 AM, Colin King wrote:
> From: Colin Ian King<colin.king at canonical.com>
>
> BugLink: http://bugs.launchpad.net/bugs/947075
>
> SRU justification:
>
> Impact:
>
> A malicious count value specified when writing to /dev/ecryptfs may
> result in a very large kernel memory allocation.
>
> Fix:
>
> Upstream commit db10e556518eb9d21ee92ff944530d84349684f4
>
> Test case:
>
> By crafting a ECRYPTFS_MSG_RESPONSE packet and passing a large
> write size we can cause a large kernel memory allocation. With
> the fix EINVAL is returned. See the example code below:
>
> #include<sys/types.h>
> #include<sys/stat.h>
> #include<fcntl.h>
> #include<unistd.h>
>
> int main(void)
> {
>          unsigned char buf[] = { 103, 0, 0, 0, 0, 220 };
>          ssize_t written;
>          int miscdev;
>
>          miscdev = open("/dev/ecryptfs", O_WRONLY);
>          if (miscdev<  0)
>                  return 1;
>
>          written = write(miscdev, buf, 1073741824);
>
>          close(miscdev);
>
>          /* The write should fail */
>          return written<  0 ? 0 : 2;
> }
>
>
> Note: This patch has already been picked up in Lucid as part of
> the stable updates process, but got overlooked for Natty.
>
> Tyler Hicks (1):
>    eCryptfs: Extend array bounds for all filename chars
>
>   fs/ecryptfs/crypto.c |    4 ++--
>   1 files changed, 2 insertions(+), 2 deletions(-)
>


-- 
Tim Gardner tim.gardner at canonical.com




More information about the kernel-team mailing list