Public bug reported:

SRU justification:

Impact:

A malicious count value specified when writing to /dev/ecryptfs may
result in a very large kernel memory allocation.

Fix:

Upstream commit db10e556518eb9d21ee92ff944530d84349684f4

Test case:

By crafting an ECRYPTFS_MSG_RESPONSE packet and passing a large
write size we can cause a large kernel memory allocation. With
the fix, EINVAL is returned and the huge allocation does not occur.
See the example code below:

#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>

int main(void)
{
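        /* Crafted ECRYPTFS_MSG_RESPONSE packet; only 6 bytes long */
        unsigned char buf[] = { 103, 0, 0, 0, 0, 220 };
        ssize_t written;
        int miscdev;

        miscdev = open("/dev/ecryptfs", O_WRONLY);
        if (miscdev < 0)
                return 1;

        /* Pass a 1 GiB write count, far larger than the 6-byte buffer */
        written = write(miscdev, buf, 1073741824);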

        close(miscdev);

        /* The write should fail */
        return written < 0 ? 0 : 2;
}

Note: This patch has already been picked up in Lucid as part of
the stable updates process, but got overlooked for Natty.

** Affects: linux (Ubuntu)
     Importance: Undecided
     Assignee: Colin King (colin-king)
         Status: New

** Changed in: linux (Ubuntu)
     Assignee: (unassigned) => Colin King (colin-king)
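
The kind of count sanitizing the report's title refers to, as an added
userspace model (not the upstream commit and not code from this report).
The header layout (type byte, 4-byte sequence number, 1- or 2-byte length
field), the length encoding, MAX_PAYLOAD and all function names are
assumptions made for the illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

#define HDR_FIXED   (1 + 4)  /* assumed: type byte + 4-byte sequence number */
#define MAX_PAYLOAD 4096     /* hypothetical cap chosen for this model */

/* Decode the assumed length field: one byte below 192, two bytes for
 * first-byte values 192..223. Returns bytes consumed or -EINVAL. */
static int parse_len(const uint8_t *p, size_t avail, size_t *len)
{
    if (avail < 1)
        return -EINVAL;
    if (p[0] < 192) {
        *len = p[0];
        return 1;
    }
    if (p[0] < 224) {
        if (avail < 2)          /* second length byte is missing */
            return -EINVAL;
        *len = ((size_t)(p[0] - 192) << 8) + p[1] + 192;
        return 2;
    }
    return -EINVAL;
}

/* hdr/hdr_len: bytes really present; count: size the caller claims.
 * Returns 0 only when count is safe to use as an allocation size. */
int check_write_count(const uint8_t *hdr, size_t hdr_len, size_t count)
{
    size_t payload;
    int n;

    if (count < HDR_FIXED + 1 || hdr_len < HDR_FIXED + 1)
        return -EINVAL;
    n = parse_len(hdr + HDR_FIXED, hdr_len - HDR_FIXED, &payload);
    if (n < 0 || payload > MAX_PAYLOAD)
        return -EINVAL;
    /* The claimed count must match what the header itself declares. */
    if (count != HDR_FIXED + (size_t)n + payload)
        return -EINVAL;
    return 0;
}

int main(void)
{
    const uint8_t buf[] = { 103, 0, 0, 0, 0, 220 };  /* bytes from the test case */
    return check_write_count(buf, sizeof buf, 1073741824) == -EINVAL ? 0 : 2;
}
```

The point of the model is ordering: the header is validated and the count
compared against it before any buffer of size count is allocated.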

https://bugs.launchpad.net/bugs/947075

Title:
  ecryptfs: Sanitize write counts of /dev/ecryptfs
