Linux eCryptfs工具parse_tag_11_packet函数栈溢出漏洞

发布日期：2009-07-28
更新日期：2009-07-29

受影响系统：
Linux kernel 2.6.30.3
描述：
--------------------------------------------------------------------------------
BUGTRAQ  ID: 35851

eCryptfs是Linux平台下的企业级加密文件系统。

eCryptfs的密钥管理代码中的parse_tag_11_packet函数没有检查tag 11报文所包含的文字数据大小（tag11_contents_size）是否大于max_contents_bytes就作为内存参数将其拷贝到了大小为ECRYPTFS_SIG_SIZE的栈缓冲区中，这可能触发栈溢出漏洞。

fs/ecryptfs/keystore.c
--
static int
parse_tag_11_packet(unsigned char *data, unsigned char *contents,
            size_t max_contents_bytes, size_t *tag_11_contents_size,
            size_t *packet_size, size_t max_packet_size)
{
    size_t body_size;
    size_t length_size;
    int rc = 0;

    ...

    rc = ecryptfs_parse_packet_length(&data[(*packet_size)], &body_size,
                      &length_size);
    if (rc) {
        printk(KERN_WARNING "Invalid tag 11 packet format\n");
        goto out;
    }
    if (body_size < 14) {
        printk(KERN_WARNING "Invalid body size ([%td])\n", body_size);
        rc = -EINVAL;
        goto out;
    }
    (*packet_size) += length_size;
    (*tag_11_contents_size) = (body_size - 14);
    if (unlikely((*packet_size) + body_size + 1 > max_packet_size)) {
        printk(KERN_ERR "Packet size exceeds max\n");
        rc = -EINVAL;
        goto out;
    }
    if (data[(*packet_size)++] != 0x62) {
        printk(KERN_WARNING "Unrecognizable packet\n");
        rc = -EINVAL;
        goto out;
    }

    ...

    (*packet_size) += 12; /* Ignore filename and modification date */
    memcpy(contents, &data[(*packet_size)], (*tag_11_contents_size));
    (*packet_size) += (*tag_11_contents_size);

    ...
--

<*来源：Ramon de Carvalho Valle （[email protected]）
 
  链接：http://marc.info/?l=bugtraq&m=124881445917700&w=2
*>

建议：
--------------------------------------------------------------------------------
厂商补丁：

Linux
-----
目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载：

http://security.ubuntu.com/ubuntu/pool/main/l/linux/linux-doc-2.6.27_2.6.27-14.35_all.deb
http://security.ubuntu.com/ubuntu/pool/main/l/linux/linux-doc-2.6.27_2.6.27-14.37_all.deb
http://security.ubuntu.com/ubuntu/pool/main/l/linux/linux-headers-2.6.27-14_2.6.27-14.35_all.deb
http://security.ubuntu.com/ubuntu/pool/main/l/linux/linux-headers-2.6.27-14_2.6.27-14.37_all.deb
http://security.ubuntu.com/ubuntu/pool/main/l/linux/linux-source-2.6.27_2.6.27-14.35_all.deb
http://security.ubuntu.com/ubuntu/pool/main/l/linux/linux-source-2.6.27_2.6.27-14.37_all.deb