[RISE-2009002] Linux eCryptfs parse_tag_11_packet Literal Data Buffer Overflow Vulnerability

RISE-2009002
Linux eCryptfs parse_tag_11_packet Literal Data Buffer Overflow Vulnerability

http://risesecurity.org/advisories/RISE-2009002.txt
Published: July 28, 2009
Updated: July 28, 2009

INTRODUCTION

There exists a vulnerability within a function of Linux eCryptfs (Enterprise
Cryptographic Filesystem), which when properly exploited can lead to
compromise of the vulnerable system. This vulnerability was confirmed by us in
the Linux kernel version 2.6.30.3. Linux kernel versions 2.6.19 and later have
eCryptfs support and may also be affected.

DETAILS

eCryptfs is a POSIX-compliant enterprise-class stacked cryptographic
filesystem for Linux.

It is derived from Erez Zadok's Cryptfs, implemented through the FiST
framework for generating stacked filesystems. eCryptfs extends Cryptfs to
provide advanced key management and policy features. eCryptfs stores
cryptographic metadata in the header of each file written, so that encrypted
files can be copied between hosts; the file will be decryptable with the
proper key, and there is no need to keep track of any additional information
aside from what is already in the encrypted file itself. Think of eCryptfs as
a sort of "gnupgfs".

The parse_tag_11_packet function of the eCryptfs in-kernel key management code
does not check whether the tag 11 packet declares a literal data size
(tag_11_contents_size) larger than the maximum literal data size the caller
can accept (max_contents_bytes) before copying the literal data contents into
a stack-based buffer (of ECRYPTFS_SIG_SIZE bytes) that the
ecryptfs_parse_packet_set function passes as the contents parameter. Because
the copy length is taken directly from the untrusted packet, this results in a
kernel stack-based buffer overflow vulnerability.

fs/ecryptfs/keystore.c
--
static int
parse_tag_11_packet(unsigned char *data, unsigned char *contents,
            size_t max_contents_bytes, size_t *tag_11_contents_size,
            size_t *packet_size, size_t max_packet_size)
{
    size_t body_size;
    size_t length_size;
    int rc = 0;

    ...

    rc = ecryptfs_parse_packet_length(&data[(*packet_size)], &body_size,
                      &length_size);
    if (rc) {
        printk(KERN_WARNING "Invalid tag 11 packet format\n");
        goto out;
    }
    if (body_size < 14) {
        printk(KERN_WARNING "Invalid body size ([%td])\n", body_size);
        rc = -EINVAL;
        goto out;
    }
    (*packet_size) += length_size;
    /* The literal data size is derived from the packet's own length field */
    (*tag_11_contents_size) = (body_size - 14);
    if (unlikely((*packet_size) + body_size + 1 > max_packet_size)) {
        printk(KERN_ERR "Packet size exceeds max\n");
        rc = -EINVAL;
        goto out;
    }
    if (data[(*packet_size)++] != 0x62) {
        printk(KERN_WARNING "Unrecognizable packet\n");
        rc = -EINVAL;
        goto out;
    }

    ...

    (*packet_size) += 12; /* Ignore filename and modification date */
    /* No check that (*tag_11_contents_size) <= max_contents_bytes before
     * this copy into the caller's ECRYPTFS_SIG_SIZE stack buffer */
    memcpy(contents, &data[(*packet_size)], (*tag_11_contents_size));
    (*packet_size) += (*tag_11_contents_size);

    ...
--
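To show where the missing check belongs, the following is an added userspace model of the parse steps in the excerpt above with the bounds check inserted; it is example code written for this advisory, not the kernel's code. Assumptions: the tag-type check (elided in the excerpt) is skipped, only the one-byte OpenPGP length form is parsed, SIG_SIZE stands in for ECRYPTFS_SIG_SIZE, and the sample packets are constructed.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

#define SIG_SIZE 8 /* stands in for ECRYPTFS_SIG_SIZE; value assumed for this demo */

/* Hardened model of parse_tag_11_packet: the steps of the advisory's excerpt plus the
 * bounds check it lacks. data points at the tag byte (type check skipped here); only
 * the one-byte OpenPGP length form (body_size < 192) is modelled. Returns 0 or -errno. */
int parse_tag_11_hardened(const unsigned char *data, unsigned char *contents,
                          size_t max_contents_bytes, size_t *contents_size,
                          size_t *packet_size, size_t max_packet_size)
{
    size_t body_size;
    (*packet_size)++;                            /* tag byte */
    body_size = data[*packet_size];
    if (body_size >= 192) return -EINVAL;        /* multi-byte length forms not modelled */
    if (body_size < 14) return -EINVAL;          /* 0x62 + name-len + 8-byte name + 4-byte mtime */
    (*packet_size) += 1;                         /* length_size of the one-byte form */
    *contents_size = body_size - 14;
    if (*packet_size + body_size + 1 > max_packet_size) return -EINVAL;
    if (data[(*packet_size)++] != 0x62) return -EINVAL;  /* 'b': binary literal data */
    if (data[(*packet_size)++] != 8) return -EINVAL;     /* filename length byte */
    *packet_size += 12;                          /* skip filename and modification date */
    if (*contents_size > max_contents_bytes)     /* the missing check: fit the caller's buffer */
        return -EINVAL;
    memcpy(contents, &data[*packet_size], *contents_size);
    *packet_size += *contents_size;
    return 0;
}

/* Builds a constructed tag 11 packet carrying n literal bytes ('A', 'B', ...) and parses
 * it into an 8-byte buffer, mirroring how ecryptfs_parse_packet_set passes its
 * ECRYPTFS_SIG_SIZE stack buffer as contents. */
int parse_constructed(size_t n, unsigned char *out, size_t *out_len)
{
    unsigned char pkt[64] = {0};
    size_t pos = 0, ps = 0, i;
    if (n > 48) return -E2BIG;                   /* keep the constructed packet inside pkt */
    pkt[pos++] = 0x00;                           /* tag byte (not checked in this model) */
    pkt[pos++] = (unsigned char)(14 + n);        /* one-byte body length */
    pkt[pos++] = 0x62;                           /* binary literal marker */
    pkt[pos++] = 8;                              /* filename length */
    memcpy(&pkt[pos], "filename", 8); pos += 8;  /* constructed filename */
    pos += 4;                                    /* modification date left as zeros */
    for (i = 0; i < n; i++)
        pkt[pos++] = (unsigned char)('A' + i % 26);
    return parse_tag_11_hardened(pkt, out, SIG_SIZE, out_len, &ps, sizeof pkt);
}
```

With the vulnerable code, a packet declaring 32 literal bytes would be copied into the 8-byte buffer; the hardened parser rejects it with -EINVAL and accepts only packets whose literal data fits.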

VENDOR

A patch for this vulnerability was sent to the Linux kernel mailing list by
Tyler Hicks <tyhicks@linux.vnet.ibm.com>.

CREDITS

This vulnerability was discovered by Ramon de Carvalho Valle
<ramon@risesecurity.org>.

DISCLAIMER

The authors reserve the right not to be responsible for the topicality,
correctness, completeness or quality of the information provided in this
document. Liability claims regarding damage caused by the use of any
information provided, including any kind of information which is incomplete or
incorrect, will therefore be rejected.

