ecryptfs: Sanitize write counts of /dev/ecryptfs

Bug #947075 reported by Colin Ian King
Affects | Status | Importance | Assigned to | Milestone
linux (Ubuntu) | Fix Released | Medium | Colin Ian King |
Natty | Fix Released | Medium | Colin Ian King |

Bug Description

SRU justification:

Impact:

A malicious count value specified when writing to /dev/ecryptfs may
result in a very large kernel memory allocation.

Fix:

Upstream commit db10e556518eb9d21ee92ff944530d84349684f4

Test case:

By crafting an ECRYPTFS_MSG_RESPONSE packet and passing a large
write size we can cause a large kernel memory allocation. With
the fix EINVAL is returned and the huge allocation does not occur.
See the example code below:

#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>

int main(void)
{
        unsigned char buf[] = { 103, 0, 0, 0, 0, 220 };
        ssize_t written;
        int miscdev;

        miscdev = open("/dev/ecryptfs", O_WRONLY);
        if (miscdev < 0)
                return 1;

        written = write(miscdev, buf, 1073741824);

        close(miscdev);

        /* The write should fail */
        return written < 0 ? 0 : 2;
}

Note: This patch has already been picked up in Lucid as part of
the stable updates process, but got overlooked for Natty.
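
A user-space model of the write-count validation that the test case above exercises. It is an example added here, not the upstream commit and not part of the original report. The header layout is inferred from the test buffer, and the length encoding, the MAX_PKT_BYTES cap and all function names are assumptions of this example.

```c
#include <errno.h>
#include <stddef.h>

/* Assumed layout, inferred from the test buffer in the report:
 * 1 type byte, 4 sequence bytes, then a 1- or 2-byte packet length. */
#define PKT_TYPE_SIZE   1
#define PKT_CTR_SIZE    4
#define PKT_LEN_OFFSET  (PKT_TYPE_SIZE + PKT_CTR_SIZE)
#define MAX_PKT_BYTES   4096   /* hypothetical cap chosen for this example */

/* Decode the length field: one byte below 192, two bytes for 192..223. */
static int parse_packet_length(const unsigned char *p, size_t avail,
                               size_t *size, size_t *len_bytes)
{
        if (avail >= 1 && p[0] < 192) {
                *size = p[0];
                *len_bytes = 1;
                return 0;
        }
        if (avail >= 2 && p[0] < 224) {
                *size = ((size_t)(p[0] - 192) << 8) + p[1] + 192;
                *len_bytes = 2;
                return 0;
        }
        return -EINVAL;   /* truncated or unsupported length encoding */
}

/* Return 0 if count is consistent with the header, -EINVAL otherwise.
 * hdr/hdr_len describe the bytes actually available to inspect. */
int check_write_count(const unsigned char *hdr, size_t hdr_len, size_t count)
{
        size_t size, len_bytes;

        /* Bound the request before anything is sized from it. */
        if (count < PKT_LEN_OFFSET + 1 || count > MAX_PKT_BYTES)
                return -EINVAL;
        if (hdr_len < PKT_LEN_OFFSET + 1)
                return -EINVAL;
        if (parse_packet_length(hdr + PKT_LEN_OFFSET, hdr_len - PKT_LEN_OFFSET,
                                &size, &len_bytes))
                return -EINVAL;
        /* The caller's count must equal what the packet itself declares. */
        if (PKT_LEN_OFFSET + len_bytes + size != count)
                return -EINVAL;
        return 0;
}
```

The point of the ordering is that the count is rejected on cheap bounds and header consistency before any buffer is allocated from it.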

Changed in linux (Ubuntu):
assignee: nobody → Colin King (colin-king)
Brad Figg (brad-figg) wrote : Missing required logs.

This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:

apport-collect 947075

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
Herton R. Krzesinski (herton) wrote :

This bug is awaiting verification that the kernel for Natty in -proposed solves the problem (2.6.38-13.57). Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-natty' to 'verification-done-natty'.

If verification is not done by one week from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you!

Changed in linux (Ubuntu):
status: Incomplete → Fix Released
importance: Undecided → Medium
Changed in linux (Ubuntu Natty):
status: New → Fix Committed
importance: Undecided → Medium
assignee: nobody → Colin King (colin-king)
tags: added: verification-needed-natty
tags: added: verification-done-natty
removed: verification-needed-natty
Colin Ian King (colin-king) wrote :

Tested and verified OK on -proposed Natty i386.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 2.6.38-13.57

---------------
linux (2.6.38-13.57) natty-proposed; urgency=low

  [Herton R. Krzesinski]

  * Release Tracking Bug
    - LP: #947254

  [ Upstream Kernel Changes ]

  * KVM: Device assignment permission checks
    - LP: #897812
    - CVE-2011-4347
  * HID: hid-apple: add device ID of another wireless aluminium
    - LP: #942184
  * eCryptfs: Extend array bounds for all filename chars
    - LP: #944990
  * eCryptfs: Remove extra d_delete in ecryptfs_rmdir
    - LP: #723518
  * eCryptfs: Clear i_nlink in rmdir
    - LP: #723518
  * ipc/sem.c: fix race with concurrent semtimedop() timeouts and IPC_RMID
    - LP: #943815
  * eCryptfs: Sanitize write counts of /dev/ecryptfs
    - LP: #947075
  * eCryptfs: Infinite loop due to overflow in ecryptfs_write()
    - LP: #947143
 -- Herton Ronaldo Krzesinski <email address hidden> Mon, 05 Mar 2012 13:28:11 -0300

Changed in linux (Ubuntu Natty):
status: Fix Committed → Fix Released