Linux eCryptfs工具parse_tag_3_packet()函数堆溢出漏洞

发布日期：2009-07-28
更新日期：2009-07-29

受影响系统：
Linux kernel 2.6.30.3
描述：
--------------------------------------------------------------------------------
BUGTRAQ  ID: 35850

eCryptfs是Linux平台下的企业级加密文件系统。

eCryptfs的密钥管理代码中的parse_tag_3_packet函数没有检查tag 3报文所包含的加密密钥大小是否大于ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES就将其拷贝到了new_auth_tok结构中，这可能触发堆溢出漏洞。

fs/ecryptfs/keystore.c
--
static int
parse_tag_3_packet(struct ecryptfs_crypt_stat *crypt_stat,
           unsigned char *data, struct list_head *auth_tok_list,
           struct ecryptfs_auth_tok **new_auth_tok,
           size_t *packet_size, size_t max_packet_size)
{
    size_t body_size;
    struct ecryptfs_auth_tok_list_item *auth_tok_list_item;
    size_t length_size;
    int rc = 0;

    ...

    /* Released: wipe_auth_tok_list called in ecryptfs_parse_packet_set or
     * at end of function upon failure */
    auth_tok_list_item =
        kmem_cache_zalloc(ecryptfs_auth_tok_list_item_cache, GFP_KERNEL);
    if (!auth_tok_list_item) {
        printk(KERN_ERR "Unable to allocate memory\n");
        rc = -ENOMEM;
        goto out;
    }
    (*new_auth_tok) = &auth_tok_list_item->auth_tok;
    rc = ecryptfs_parse_packet_length(&data[(*packet_size)], &body_size,
                      &length_size);
    if (rc) {
        printk(KERN_WARNING "Error parsing packet length; rc = [%d]\n",
               rc);
        goto out_free;
    }

    ...

    (*new_auth_tok)->session_key.encrypted_key_size =
        (body_size - (ECRYPTFS_SALT_SIZE + 5));
    if (unlikely(data[(*packet_size)++] != 0x04)) {
        printk(KERN_WARNING "Unknown version number [%d]\n",
               data[(*packet_size) - 1]);
        rc = -EINVAL;
        goto out_free;
    }

    ...

        /* Friendly reminder:
         * (*new_auth_tok)->session_key.encrypted_key_size =
         *         (body_size - (ECRYPTFS_SALT_SIZE + 5)); */
        memcpy((*new_auth_tok)->session_key.encrypted_key,
               &data[(*packet_size)],
               (*new_auth_tok)->session_key.encrypted_key_size);
        (*packet_size) +=
            (*new_auth_tok)->session_key.encrypted_key_size;

    ...
--

<*来源：Ramon de Carvalho Valle （[email protected]）
 
  链接：http://marc.info/?l=bugtraq&m=124881564919693&w=2
*>

建议：
--------------------------------------------------------------------------------
厂商补丁：

Linux
-----
目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载：

http://security.ubuntu.com/ubuntu/pool/main/l/linux/linux-doc-2.6.27_2.6.27-14.37_all.deb
http://security.ubuntu.com/ubuntu/pool/main/l/linux/linux-headers-2.6.27-14_2.6.27-14.37_all.deb
http://security.ubuntu.com/ubuntu/pool/main/l/linux/linux-source-2.6.27_2.6.27-14.37_all.deb