ecryptfs: Sanitize write counts of /dev/ecryptfs
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| linux (Ubuntu) | Fix Released | Medium | Colin Ian King | |
| Natty | Fix Released | Medium | Colin Ian King | |
Bug Description
SRU justification:
Impact:
A malicious count value specified when writing to /dev/ecryptfs may
result in a very large kernel memory allocation.
Fix:
Upstream commit db10e556518eb9d
Test case:
By crafting a ECRYPTFS_
write size we can cause a large kernel memory allocation. With
the fix EINVAL is returned and the huge allocation does not occur.
See the example code below:
    #include <sys/types.h>
    #include <sys/stat.h>
    #include <fcntl.h>
    #include <unistd.h>

    int main(void)
    {
        unsigned char buf[] = { 103, 0, 0, 0, 0, 220 };
        ssize_t written;
        int miscdev;

        miscdev = open("/
        if (miscdev < 0)
            return 1; /* could not open the device */

        written = write(miscdev, buf, 1073741824);
        /* The write should fail */
        return written < 0 ? 0 : 2;
    }
Note: This patch has already been picked up in Lucid as part of
the stable updates process, but got overlooked for Natty.
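
One way to sanitize a write count so that the behaviour described above holds, as a user-space model (an added example, not code from this bug report or from the kernel): an out-of-range count is rejected with EINVAL before anything is allocated, and the length declared in the message header must agree with count. The framing, the 1024-byte bound and all names (`model_write`, `parse_len`, `MAX_MSG`, `last_alloc`) are assumptions made for illustration.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Assumed framing for this model (hypothetical names and sizes, not kernel
 * definitions): 1 type byte, 4 counter bytes, 1- or 2-byte length, payload. */
#define HDR_FIXED   5u
#define MAX_PAYLOAD 1024u                      /* assumed largest valid payload */
#define MAX_MSG     (HDR_FIXED + 2u + MAX_PAYLOAD)

size_t last_alloc;                             /* bytes allocated by last call */

/* Decode the length field; returns bytes consumed (1 or 2), 0 if malformed. */
static size_t parse_len(const unsigned char *p, size_t avail, size_t *len)
{
    if (avail >= 1 && p[0] < 192) { *len = p[0]; return 1; }
    if (avail >= 2 && p[0] >= 192 && p[0] < 224) {
        *len = ((size_t)(p[0] - 192) << 8) + p[1] + 192;
        return 2;
    }
    return 0;
}

/* buf_len is what the caller's buffer really holds; count is what it claims. */
ssize_t model_write(const unsigned char *buf, size_t buf_len, size_t count)
{
    size_t len_size, payload = 0;
    unsigned char *copy;

    last_alloc = 0;
    if (count < HDR_FIXED + 1 || count > MAX_MSG)
        return -EINVAL;                        /* reject before any allocation */
    if (buf_len < count)
        return -EFAULT;                        /* stand-in for a faulting copy */
    len_size = parse_len(buf + HDR_FIXED, count - HDR_FIXED, &payload);
    if (len_size == 0 || HDR_FIXED + len_size + payload != count)
        return -EINVAL;                        /* header and count disagree */
    copy = malloc(count);                      /* at most MAX_MSG bytes */
    if (!copy)
        return -ENOMEM;
    memcpy(copy, buf, count);
    last_alloc = count;
    free(copy);                                /* a real handler would process it */
    return (ssize_t)count;
}
```

With the six-byte buffer and the 1073741824 count from the test case above, `model_write` returns `-EINVAL` and `last_alloc` stays 0.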
Changed in linux (Ubuntu):
assignee: nobody → Colin King (colin-king)
tags: added: verification-done-natty removed: verification-needed-natty
This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:
apport-collect 947075
and then change the status of the bug to 'Confirmed'.
If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.
This change has been made by an automated script, maintained by the Ubuntu Kernel Team.