ecryptfs: Extend array bounds for all filename chars

Bug #944990 reported by Colin Ian King on 2012-03-02
This bug affects 2 people
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
Colin Ian King
Colin Ian King
Colin Ian King

Bug Description

SRU justification:


From mhalcrow's original commit message:

 Characters with ASCII values greater than the size of
 filename_rev_map[] are valid filename characters.
 ecryptfs_decode_from_filename() will access kernel memory beyond
 that array, and ecryptfs_parse_tag_70_packet() will then decrypt
 those characters. The attacker, using the FNEK of the crafted file,
 can then re-encrypt the characters to reveal the kernel memory past
 the end of the filename_rev_map[] array. I expect low security
 impact since this array is statically allocated in the text area,
 and the amount of memory past the array that is accessible is
 limited by the largest possible ASCII filename character.


Upstream commit 0f751e641a71157aa584c2a2e22fda52b52b8a56

Note: This patch has already been picked up in Lucid as part of
the stable updates process, but got overlooked for Natty.

Changed in linux (Ubuntu):
assignee: nobody → Colin King (colin-king)
importance: Undecided → Medium
status: New → In Progress
Tim Gardner (timg-tpi) on 2012-03-02
Changed in linux (Ubuntu Precise):
status: In Progress → Fix Released
Changed in linux (Ubuntu Lucid):
status: New → Fix Released
Changed in linux (Ubuntu Natty):
status: New → Fix Committed
Herton R. Krzesinski (herton) wrote :

This bug is awaiting verification that the kernel for Natty in -proposed solves the problem (2.6.38-13.57). Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-natty' to 'verification-done-natty'.

If verification is not done by one week from today, this fix will be dropped from the source code, and this bug will be closed.

See for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-natty
Changed in linux (Ubuntu Natty):
importance: Undecided → Medium
assignee: nobody → Colin King (colin-king)
Tim Gardner (timg-tpi) wrote :

Since this is an upstream stable patch that has been applied to kernel revisions older and newer then 2.6.38, I think its safe to mark this as verified.

tags: added: verification-done-natty
removed: verification-needed-natty
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 2.6.38-13.57

linux (2.6.38-13.57) natty-proposed; urgency=low

  [Herton R. Krzesinski]

  * Release Tracking Bug
    - LP: #947254

  [ Upstream Kernel Changes ]

  * KVM: Device assignment permission checks
    - LP: #897812
    - CVE-2011-4347
  * HID: hid-apple: add device ID of another wireless aluminium
    - LP: #942184
  * eCryptfs: Extend array bounds for all filename chars
    - LP: #944990
  * eCryptfs: Remove extra d_delete in ecryptfs_rmdir
    - LP: #723518
  * eCryptfs: Clear i_nlink in rmdir
    - LP: #723518
  * ipc/sem.c: fix race with concurrent semtimedop() timeouts and IPC_RMID
    - LP: #943815
  * eCryptfs: Sanitize write counts of /dev/ecryptfs
    - LP: #947075
  * eCryptfs: Infinite loop due to overflow in ecryptfs_write()
    - LP: #947143
 -- Herton Ronaldo Krzesinski <email address hidden> Mon, 05 Mar 2012 13:28:11 -0300

Changed in linux (Ubuntu Natty):
status: Fix Committed → Fix Released
dino99 (9d9) wrote :
Changed in linux (Ubuntu Oneiric):
status: New → Invalid
Changed in linux (Ubuntu Maverick):
status: New → Invalid
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers