BUGTRAQ ID: 35850 eCryptfs是Linux平台下的企业级加密文件系统。 eCryptfs的密钥管理代码中的parse_tag_3_packet函数没有检查tag 3报文所包含的加密密钥大小是否大于ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES就将其拷贝到了new_auth_tok结构中,这可能触发堆溢出漏洞。 fs/ecryptfs/keystore.c -- static int parse_tag_3_packet(struct ecryptfs_crypt_stat *crypt_stat, unsigned char *data, struct list_head *auth_tok_list, struct ecryptfs_auth_tok **new_auth_tok, size_t *packet_size, size_t max_packet_size) { size_t body_size; struct ecryptfs_auth_tok_list_item *auth_tok_list_item; size_t length_size; int rc = 0; ... /* Released: wipe_auth_tok_list called in ecryptfs_parse_packet_set or * at end of function upon failure */ auth_tok_list_item = kmem_cache_zalloc(ecryptfs_auth_tok_list_item_cache, GFP_KERNEL); if (!auth_tok_list_item) { printk(KERN_ERR "Unable to allocate memory\n"); rc = -ENOMEM; goto out; } (*new_auth_tok) = &auth_tok_list_item->auth_tok; rc = ecryptfs_parse_packet_length(&data[(*packet_size)], &body_size, &length_size); if (rc) {...
BUGTRAQ ID: 35850 eCryptfs是Linux平台下的企业级加密文件系统。 eCryptfs的密钥管理代码中的parse_tag_3_packet函数没有检查tag 3报文所包含的加密密钥大小是否大于ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES就将其拷贝到了new_auth_tok结构中,这可能触发堆溢出漏洞。 fs/ecryptfs/keystore.c -- static int parse_tag_3_packet(struct ecryptfs_crypt_stat *crypt_stat, unsigned char *data, struct list_head *auth_tok_list, struct ecryptfs_auth_tok **new_auth_tok, size_t *packet_size, size_t max_packet_size) { size_t body_size; struct ecryptfs_auth_tok_list_item *auth_tok_list_item; size_t length_size; int rc = 0; ... /* Released: wipe_auth_tok_list called in ecryptfs_parse_packet_set or * at end of function upon failure */ auth_tok_list_item = kmem_cache_zalloc(ecryptfs_auth_tok_list_item_cache, GFP_KERNEL); if (!auth_tok_list_item) { printk(KERN_ERR "Unable to allocate memory\n"); rc = -ENOMEM; goto out; } (*new_auth_tok) = &auth_tok_list_item->auth_tok; rc = ecryptfs_parse_packet_length(&data[(*packet_size)], &body_size, &length_size); if (rc) { printk(KERN_WARNING "Error parsing packet length; rc = [%d]\n", rc); goto out_free; } ... (*new_auth_tok)->session_key.encrypted_key_size = (body_size - (ECRYPTFS_SALT_SIZE + 5)); if (unlikely(data[(*packet_size)++] != 0x04)) { printk(KERN_WARNING "Unknown version number [%d]\n", data[(*packet_size) - 1]); rc = -EINVAL; goto out_free; } ... /* Friendly reminder: * (*new_auth_tok)->session_key.encrypted_key_size = * (body_size - (ECRYPTFS_SALT_SIZE + 5)); */ memcpy((*new_auth_tok)->session_key.encrypted_key, &data[(*packet_size)], (*new_auth_tok)->session_key.encrypted_key_size); (*packet_size) += (*new_auth_tok)->session_key.encrypted_key_size; ... -- Linux kernel 2.6.30.3 厂商补丁: Linux ----- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: http://security.ubuntu.com/ubuntu/pool/main/l/linux/linux-doc-2.6.27_2.6.27-14.37_all.deb http://security.ubuntu.com/ubuntu/pool/main/l/linux/linux-headers-2.6.27-14_2.6.27-14.37_all.deb http://security.ubuntu.com/ubuntu/pool/main/l/linux/linux-source-2.6.27_2.6.27-14.37_all.deb
