parse_tag_11_packet function stack overflow vulnerability

Published: 2009-07-28
Updated: 2009-07-29

Affected systems:
Linux kernel 2.6.30.3
Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 35851

eCryptfs is an enterprise-class cryptographic filesystem for Linux.

The parse_tag_11_packet function in eCryptfs's key management code does not check whether the size of the literal data carried in a tag 11 packet (tag_11_contents_size) exceeds max_contents_bytes before using that size as the memcpy length to copy the data into a stack buffer of ECRYPTFS_SIG_SIZE bytes. A packet whose declared literal data size exceeds the buffer can therefore overflow the stack.

fs/ecryptfs/keystore.c
--
static int
parse_tag_11_packet(unsigned char *data, unsigned char *contents,
            size_t max_contents_bytes, size_t *tag_11_contents_size,
            size_t *packet_size, size_t max_packet_size)
{
    size_t body_size;
    size_t length_size;
    int rc = 0;

...

    rc = ecryptfs_parse_packet_length(&data[(*packet_size)], &body_size,
                      &length_size);
    if (rc) {
        printk(KERN_WARNING "Invalid tag 11 packet format\n");
        goto out;
    }
    if (body_size < 14) {
        printk(KERN_WARNING "Invalid body size ([%td])\n", body_size);
        rc = -EINVAL;
        goto out;
    }
    (*packet_size) += length_size;
    (*tag_11_contents_size) = (body_size - 14);
    if (unlikely((*packet_size) + body_size + 1 > max_packet_size)) {
        printk(KERN_ERR "Packet size exceeds max\n");
        rc = -EINVAL;
        goto out;
    }
    if (data[(*packet_size)++] != 0x62) {
        printk(KERN_WARNING "Unrecognizable packet\n");
        rc = -EINVAL;
        goto out;
    }

...

    (*packet_size) += 12; /* Ignore filename and modification date */
    memcpy(contents, &data[(*packet_size)], (*tag_11_contents_size));
    (*packet_size) += (*tag_11_contents_size);

...
--
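A userspace model of the parsing logic above, added here as an illustration and not taken from the kernel or from the advisory: it runs the advisory's logic (the claimed contents size goes straight into memcpy) beside a variant that compares tag_11_contents_size against max_contents_bytes before anything is copied, which is the check the description says is missing. The single-byte length encoding, the layout of the 14 header bytes, the value 8 for ECRYPTFS_SIG_SIZE and the two sample packets are assumptions of the model, not values from the page.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/*
 * Model of tag 11 literal-data packet parsing (added example, not eCryptfs
 * code). Assumptions: `data` starts at the packet length byte, the length is
 * a single byte, and the 14 header bytes counted in body_size are the 0x62
 * marker plus 13 bytes of metadata (filename length, filename, modification
 * date) that the parser skips without interpreting.
 */
#define ECRYPTFS_SIG_SIZE 8    /* size of the caller's stack buffer; assumed 8 here */
#define TAG11_HDR_BYTES   14   /* header bytes counted inside body_size */

struct parse_result {
    int rc;               /* 0 on success, negative errno-style value on failure */
    size_t contents_size; /* literal data length claimed by the packet */
    size_t bytes_copied;  /* bytes actually written into `contents` */
    size_t packet_size;   /* bytes of `data` consumed */
};

/*
 * enforce_contents_bound == 0 reproduces the advisory's logic: the claimed
 * contents size is trusted and passed straight to memcpy.
 * enforce_contents_bound != 0 adds the missing comparison against
 * max_contents_bytes before the copy happens.
 */
static struct parse_result
parse_tag_11_model(const unsigned char *data, size_t max_packet_size,
                   unsigned char *contents, size_t max_contents_bytes,
                   int enforce_contents_bound)
{
    struct parse_result r = {0, 0, 0, 0};
    size_t body_size;

    if (max_packet_size < 1) { r.rc = -EINVAL; return r; }
    body_size = data[r.packet_size++];                 /* single-byte length (model) */
    if (body_size < TAG11_HDR_BYTES) { r.rc = -EINVAL; return r; }
    r.contents_size = body_size - TAG11_HDR_BYTES;
    /* Bounds the read side only: the whole body must lie inside the packet. */
    if (r.packet_size + body_size > max_packet_size) { r.rc = -EINVAL; return r; }
    /* The check the advisory says is missing: bound the write side as well. */
    if (enforce_contents_bound && r.contents_size > max_contents_bytes) {
        r.rc = -EINVAL;
        return r;
    }
    if (data[r.packet_size++] != 0x62) { r.rc = -EINVAL; return r; }
    r.packet_size += TAG11_HDR_BYTES - 1;              /* skip filename and modification date */
    memcpy(contents, &data[r.packet_size], r.contents_size);
    r.bytes_copied = r.contents_size;
    r.packet_size += r.contents_size;
    return r;
}

/* Constructed sample: body length 22 = 14 header bytes + 8 literal bytes. */
static const unsigned char good_packet[] = {
    0x16, 0x62,
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,            /* 13 skipped metadata bytes */
    'S', 'I', 'G', 'S', 'I', 'G', '1', '2'
};

/* Constructed sample: body length 38 = 14 header bytes + 24 literal bytes,
 * three times what an ECRYPTFS_SIG_SIZE buffer can hold. */
static const unsigned char oversized_packet[] = {
    0x26, 0x62,
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A',
    'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A'
};

/* Parse one packet into a deliberately large scratch buffer while telling the
 * parser the buffer is only ECRYPTFS_SIG_SIZE bytes, so the vulnerable path can
 * report how many bytes it would have written past an 8-byte stack buffer
 * without corrupting memory in this model. */
static struct parse_result run_case(const unsigned char *pkt, size_t len,
                                    int enforce_contents_bound)
{
    unsigned char scratch[64] = {0};
    return parse_tag_11_model(pkt, len, scratch, ECRYPTFS_SIG_SIZE,
                              enforce_contents_bound);
}

int main(void)
{
    struct parse_result v = run_case(oversized_packet, sizeof oversized_packet, 0);
    struct parse_result h = run_case(oversized_packet, sizeof oversized_packet, 1);
    struct parse_result g = run_case(good_packet, sizeof good_packet, 1);

    printf("vulnerable logic: rc=%d, copied %zu bytes into a %d-byte buffer\n",
           v.rc, v.bytes_copied, ECRYPTFS_SIG_SIZE);
    printf("hardened logic:   rc=%d, copied %zu bytes\n", h.rc, h.bytes_copied);
    printf("hardened, valid:  rc=%d, contents_size=%zu, consumed %zu of %zu bytes\n",
           g.rc, g.contents_size, g.packet_size, sizeof good_packet);
    return 0;
}
```

The point of the model is the ordering: the existing check on max_packet_size only guarantees the bytes being read lie inside the packet, while the size of the destination buffer is never consulted, so the contents-size comparison has to run before the memcpy, not after it.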

<*Source: Ramon de Carvalho Valle (ramon@risesecurity.org)

  Link: ?l=bugtraq&m=124881445917700&w=2
*>

Recommendation:
--------------------------------------------------------------------------------
Vendor patch:

Linux
-----
The vendor has released an upgrade patch to fix this security issue; please download it from the vendor's homepage:





