发布日期:2009-07-28
更新日期:2009-07-29
受影响系统:
Linux kernel 2.6.30.3
描述:
--------------------------------------------------------------------------------
BUGTRAQ ID: 35850
eCryptfs是Linux平台下的企业级加密文件系统。
eCryptfs的密钥管理代码中的parse_tag_3_packet函数没有检查tag 3报文所包含的加密密钥大小是否大于ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES就将其拷贝到了new_auth_tok结构中,这可能触发堆溢出漏洞。
fs/ecryptfs/keystore.c
--
static int
parse_tag_3_packet(struct ecryptfs_crypt_stat *crypt_stat,
unsigned char *data, struct list_head *auth_tok_list,
struct ecryptfs_auth_tok **new_auth_tok,
size_t *packet_size, size_t max_packet_size)
{
size_t body_size;
struct ecryptfs_auth_tok_list_item *auth_tok_list_item;
size_t length_size;
int rc = 0;
...
/* Released: wipe_auth_tok_list called in ecryptfs_parse_packet_set or
* at end of function upon failure */
auth_tok_list_item =
kmem_cache_zalloc(ecryptfs_auth_tok_list_item_cache, GFP_KERNEL);
if (!auth_tok_list_item) {
printk(KERN_ERR "Unable to allocate memory\n");
rc = -ENOMEM;
goto out;
}
(*new_auth_tok) = &auth_tok_list_item->auth_tok;
rc = ecryptfs_parse_packet_length(&data[(*packet_size)], &body_size,
&length_size);
if (rc) {
printk(KERN_WARNING "Error parsing packet length; rc = [%d]\n",
rc);
goto out_free;
}
...
(*new_auth_tok)->session_key.encrypted_key_size =
(body_size - (ECRYPTFS_SALT_SIZE + 5));
if (unlikely(data[(*packet_size)++] != 0x04)) {
printk(KERN_WARNING "Unknown version number [%d]\n",
data[(*packet_size) - 1]);
rc = -EINVAL;
goto out_free;
}
...
/* Friendly reminder:
* (*new_auth_tok)->session_key.encrypted_key_size =
* (body_size - (ECRYPTFS_SALT_SIZE + 5)); */
memcpy((*new_auth_tok)->session_key.encrypted_key,
&data[(*packet_size)],
(*new_auth_tok)->session_key.encrypted_key_size);
(*packet_size) +=
(*new_auth_tok)->session_key.encrypted_key_size;
...
--
<*来源:Ramon de Carvalho Valle (ramon@risesecurity.org)
链接:?l=bugtraq&m=124881564919693&w=2
*>
建议:
--------------------------------------------------------------------------------
厂商补丁:
Linux
-----
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: