发布日期:2009-07-28
更新日期:2009-07-29
受影响系统:
Linux kernel 2.6.30.3
描述:
--------------------------------------------------------------------------------
BUGTRAQ ID: 35851
eCryptfs是Linux平台下的企业级加密文件系统。
eCryptfs的密钥管理代码中的parse_tag_11_packet函数没有检查tag 11报文所包含的文字数据大小(tag11_contents_size)是否大于max_contents_bytes就作为内存参数将其拷贝到了大小为ECRYPTFS_SIG_SIZE的栈缓冲区中,这可能触发栈溢出漏洞。
fs/ecryptfs/keystore.c
--
static int
parse_tag_11_packet(unsigned char *data, unsigned char *contents,
size_t max_contents_bytes, size_t *tag_11_contents_size,
size_t *packet_size, size_t max_packet_size)
{
size_t body_size;
size_t length_size;
int rc = 0;
...
rc = ecryptfs_parse_packet_length(&data[(*packet_size)], &body_size,
&length_size);
if (rc) {
printk(KERN_WARNING "Invalid tag 11 packet format\n");
goto out;
}
if (body_size < 14) {
printk(KERN_WARNING "Invalid body size ([%td])\n", body_size);
rc = -EINVAL;
goto out;
}
(*packet_size) += length_size;
(*tag_11_contents_size) = (body_size - 14);
if (unlikely((*packet_size) + body_size + 1 > max_packet_size)) {
printk(KERN_ERR "Packet size exceeds max\n");
rc = -EINVAL;
goto out;
}
if (data[(*packet_size)++] != 0x62) {
printk(KERN_WARNING "Unrecognizable packet\n");
rc = -EINVAL;
goto out;
}
...
(*packet_size) += 12; /* Ignore filename and modification date */
memcpy(contents, &data[(*packet_size)], (*tag_11_contents_size));
(*packet_size) += (*tag_11_contents_size);
...
--
<*来源:Ramon de Carvalho Valle (ramon@risesecurity.org)
链接:?l=bugtraq&m=124881445917700&w=2
*>
建议:
--------------------------------------------------------------------------------
厂商补丁:
Linux
-----
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: