From: Eric Sandeen <sandeen@redhat.com>
Date: Wed, 22 Jul 2009 15:44:10 -0500
Subject: [fs] ecryptfs: check tag 3 packet encrypted key size
Message-id: 4A677A1A.7030305@redhat.com
O-Subject: [kernel team] [PATCH RHEL5.4] ecryptfs: check tag 3 packet encrypted key size
Bugzilla: 512887
RH-Acked-by: David Miller <davem@redhat.com>
RH-Acked-by: David Howells <dhowells@redhat.com>
RH-Acked-by: Thomas Graf <tgraf@redhat.com>

This is for Bug 512887
- CVE-2009-2407 EMBARGOED kernel: ecryptfs heap overflow in parse_tag_3_packet() [rhel-5.4]

Note that this is EMBARGOED for now, Eugene should have the dates for it.

This is another case of using a value from disk as a size argument
to a memcpy.  This one is probably less severe as it is overwriting
a kmem_zalloc'd area rather than something on the stack.

Tested again w/ an image & prepared file sent by Tyler Hicks, the
upstream maintainer  Patch from the reporter, via Tyler:

The parse_tag_3_packet function does not check if the tag 3 packet contains a
encrypted key size larger than ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES.

Signed-off-by: Ramon de Carvalho Valle <ramon@risesecurity.org>
Signed-off-by: Tyler Hicks <tyhicks@linux.vnet.ibm.com>
---
 fs/ecryptfs/keystore.c |    7 +++++++
 1 files changed, 7 insertions(+), 0 deletions(-)

diff --git a/fs/ecryptfs/keystore.c b/fs/ecryptfs/keystore.c
index 235362e..66eb2f3 100644
--- a/fs/ecryptfs/keystore.c
+++ b/fs/ecryptfs/keystore.c
@@ -730,6 +730,13 @@ parse_tag_3_packet(struct ecryptfs_crypt_stat *crypt_stat,
 	}
 	(*new_auth_tok)->session_key.encrypted_key_size =
 		(body_size - (ECRYPTFS_SALT_SIZE + 5));
+	if ((*new_auth_tok)->session_key.encrypted_key_size
+	    > ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES) {
+		printk(KERN_WARNING "Tag 3 packet contains key larger "
+		       "than ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES\n");
+		rc = -EINVAL;
+		goto out_free;
+	}
 	if (unlikely(data[(*packet_size)++] != 0x04)) {
 		printk(KERN_WARNING "Unknown version number [%d]\n",
 		       data[(*packet_size) - 1]);