Public bug reported:

SRU justification:

Impact: A malicious count value specified when writing to /dev/ecryptfs may result in a very large kernel memory allocation.

Fix: Upstream commit db10e556518eb9d21ee92ff944530d84349684f4

Test case: By crafting an ECRYPTFS_MSG_RESPONSE packet and passing a large write size we can cause a large kernel memory allocation. With the fix EINVAL is returned and the huge allocation does not occur. See the example code below:

    #include <sys/types.h>
    #include <sys/stat.h>
    #include <fcntl.h>
    #include <unistd.h>

    int main(void)
    {
        unsigned char buf[] = { 103, 0, 0, 0, 0, 220 };
        ssize_t written;
        int miscdev;

        miscdev = open("/dev/ecryptfs", O_WRONLY);
        if (miscdev < 0)
            return 1;

        /* Claim a 1 GiB write although buf holds only 6 bytes */
        written = write(miscdev, buf, 1073741824);
        close(miscdev);

        /* The write should fail */
        return written < 0 ? 0 : 2;
    }

Note: This patch has already been picked up in Lucid as part of the stable updates process, but got overlooked for Natty.

** Affects: linux (Ubuntu)
     Importance: Undecided
     Assignee: Colin King (colin-king)
     Status: New

** Changed in: linux (Ubuntu)
     Assignee: (unassigned) => Colin King (colin-king)

https://bugs.launchpad.net/bugs/947075

Title:
  ecryptfs: Sanitize write counts of /dev/ecryptfs
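A user-space model of the kind of count sanitization the bug title describes, added here as an example (it is not code from the report or from the upstream commit): the untrusted count is bounded and compared with the length the message declares before any allocation happens. The 5-byte header layout, the 1- or 2-byte length encoding, MAX_MSG_BYTES and the names parse_len and accept_write are assumptions of this example.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

#define HDR_BYTES     5u    /* assumed: 1-byte type + 4-byte sequence number */
#define MAX_MSG_BYTES 4096u /* hypothetical upper bound for one message */

/* Decode an assumed 1- or 2-byte length field; bytes used, or -EINVAL. */
static int parse_len(const unsigned char *p, size_t avail, size_t *len)
{
    if (avail >= 1 && p[0] < 192) {
        *len = p[0];
        return 1;
    }
    if (avail >= 2 && p[0] < 224) {
        *len = (size_t)(p[0] - 192) * 256 + p[1] + 192;
        return 2;
    }
    return -EINVAL;         /* truncated or unsupported length field */
}

/* src has `have` readable bytes; `count` is the untrusted claimed size. */
unsigned char *accept_write(const unsigned char *src, size_t have,
                            size_t count, int *err)
{
    size_t body = 0;
    unsigned char *copy;
    int n;
    *err = -EINVAL;
    if (count <= HDR_BYTES || count > MAX_MSG_BYTES || count > have)
        return NULL;        /* rejected before anything is allocated */
    n = parse_len(src + HDR_BYTES, count - HDR_BYTES, &body);
    if (n < 0 || HDR_BYTES + (size_t)n + body != count)
        return NULL;        /* count must equal the declared message size */
    *err = -ENOMEM;
    copy = malloc(count);
    if (copy) {
        memcpy(copy, src, count);
        *err = 0;
    }
    return copy;
}

int main(void)
{
    unsigned char buf[] = { 103, 0, 0, 0, 0, 220 }; /* bytes from the report */
    int err;
    return accept_write(buf, sizeof buf, 1073741824, &err) || err != -EINVAL;
}
```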