Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 279897 (CVE-2009-2406) - eCryptfs: <2.6.30.4 Check Tag 11 literal data buffer size (CVE-2009-2406)
Summary: eCryptfs: <2.6.30.4 Check Tag 11 literal data buffer size (CVE-2009-2406)
Status: RESOLVED FIXED
Alias: CVE-2009-2406
Product: Gentoo Security
Classification: Unclassified
Component: Kernel (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL: http://git.kernel.org/?p=linux%2Fkern...
Whiteboard: [linux <2.6.30.4]
Keywords:
Depends on:
Blocks:
 
Reported: 2009-08-01 11:53 UTC by Kerin Millar
Modified: 2013-09-15 18:43 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Kerin Millar 2009-08-01 11:53:40 UTC
Spotted in the 2.6.30.4 ChangeLog:

commit 4df9205138cd0c610b52eefe1ecdafdaf65cfb12
Author: Tyler Hicks <tyhicks@linux.vnet.ibm.com>
Date:   Tue Jul 28 13:57:01 2009 -0500

eCryptfs: Check Tag 11 literal data buffer size (CVE-2009-2406)

commit 6352a29305373ae6196491e6d4669f301e26492e upstream.

Tag 11 packets are stored in the metadata section of an eCryptfs file to
store the key signature(s) used to encrypt the file encryption key.
After extracting the packet length field to determine the key signature
length, a check is not performed to see if the length would exceed the
key signature buffer size that was passed into parse_tag_11_packet().

Thanks to Ramon de Carvalho Valle for finding this bug using fsfuzzer.

Signed-off-by: Tyler Hicks <tyhicks@linux.vnet.ibm.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Comment 1 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-08-01 15:07:01 UTC
CVE-2009-2406 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2406):
  Stack-based buffer overflow in the parse_tag_11_packet function in
  fs/ecryptfs/keystore.c in the eCryptfs subsystem in the Linux kernel
  before 2.6.30.4 allows local users to cause a denial of service
  (system crash) or possibly gain privileges via vectors involving a
  crafted eCryptfs file, related to not ensuring that the key signature
  length in a Tag 11 packet is compatible with the key signature buffer
  size.