aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorTyler Hicks <tyhicks@linux.vnet.ibm.com>2009-07-28 14:57:01 -0400
committerLinus Torvalds <torvalds@linux-foundation.org>2009-07-28 17:26:06 -0400
commit6352a29305373ae6196491e6d4669f301e26492e (patch)
treeef68d8601812e1b190f67b69373ff5210191ea45
parent4733fd328f14280900435d9dbae1487d110a4d56 (diff)
eCryptfs: Check Tag 11 literal data buffer size
Tag 11 packets are stored in the metadata section of an eCryptfs file to store the key signature(s) used to encrypt the file encryption key. After extracting the packet length field to determine the key signature length, a check is not performed to see if the length would exceed the key signature buffer size that was passed into parse_tag_11_packet(). Thanks to Ramon de Carvalho Valle for finding this bug using fsfuzzer. Signed-off-by: Tyler Hicks <tyhicks@linux.vnet.ibm.com> Cc: stable@kernel.org (2.6.27 and 30) Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-rw-r--r--fs/ecryptfs/keystore.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/fs/ecryptfs/keystore.c b/fs/ecryptfs/keystore.c
index af737bb56cb7..5414253d4c97 100644
--- a/fs/ecryptfs/keystore.c
+++ b/fs/ecryptfs/keystore.c
@@ -1449,6 +1449,12 @@ parse_tag_11_packet(unsigned char *data, unsigned char *contents,
1449 rc = -EINVAL; 1449 rc = -EINVAL;
1450 goto out; 1450 goto out;
1451 } 1451 }
1452 if (unlikely((*tag_11_contents_size) > max_contents_bytes)) {
1453 printk(KERN_ERR "Literal data section in tag 11 packet exceeds "
1454 "expected size\n");
1455 rc = -EINVAL;
1456 goto out;
1457 }
1452 if (data[(*packet_size)++] != 0x62) { 1458 if (data[(*packet_size)++] != 0x62) {
1453 printk(KERN_WARNING "Unrecognizable packet\n"); 1459 printk(KERN_WARNING "Unrecognizable packet\n");
1454 rc = -EINVAL; 1460 rc = -EINVAL;