[PATCH 2.6.32 06/62] eCryptfs: Remove buggy and unnecessary write in file name decode routine

From: Willy Tarreau
Date: Sat Sep 12 2015 - 19:25:00 EST


2.6.32-longterm review patch. If anyone has any objections, please let me know.

------------------

From: Michael Halcrow <mhalcrow@xxxxxxxxxx>

commit 942080643bce061c3dd9d5718d3b745dcb39a8bc upstream.

Dmitry Chernenkov used KASAN to discover that eCryptfs writes past the
end of the allocated buffer during encrypted filename decoding. This
fix corrects the issue by getting rid of the unnecessary 0 write when
the current bit offset is 2.

Signed-off-by: Michael Halcrow <mhalcrow@xxxxxxxxxx>
Reported-by: Dmitry Chernenkov <dmitryc@xxxxxxxxxx>
Suggested-by: Kees Cook <keescook@xxxxxxxxxxxx>
Signed-off-by: Tyler Hicks <tyhicks@xxxxxxxxxxxxx>
Signed-off-by: Ben Hutchings <ben@xxxxxxxxxxxxxxx>

CVE-2014-9683

Signed-off-by: Willy Tarreau <w@xxxxxx>
---
fs/ecryptfs/crypto.c | 1 -
1 file changed, 1 deletion(-)

diff --git a/fs/ecryptfs/crypto.c b/fs/ecryptfs/crypto.c
index 7e164bb..cc57904 100644
--- a/fs/ecryptfs/crypto.c
+++ b/fs/ecryptfs/crypto.c
@@ -2088,7 +2088,6 @@ ecryptfs_decode_from_filename(unsigned char *dst, size_t *dst_size,
break;
case 2:
dst[dst_byte_offset++] |= (src_byte);
- dst[dst_byte_offset] = 0;
current_bit_offset = 0;
break;
}
--
1.7.12.2.21.g234cd45.dirty



--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/