eCryptfs: CVE-2014-9683

This fixes a 1-byte NULL write past the end of allocated memory References http://seclists.org/oss-sec/2015/q1/582 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9683 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2015-03-13 12:54:03 +0100
committer: Zhenhua Luo <zhenhua.luo@freescale.com> 2015-03-31 11:21:41 +0800
commit: 61df8be41c952bcb81ab2799e5772a34b8788d43 (patch)
tree: c7272a14b953b8c278137d9b54cd86e2f9c10941 /recipes-kernel/linux
parent: 7e2b2203ce7569e5721f4621edca1d17375a78b4 (diff)
download: meta-fsl-ppc-61df8be41c952bcb81ab2799e5772a34b8788d43.tar.gz
2 files changed, 42 insertions, 0 deletions
diff --git a/recipes-kernel/linux/files/eCryptfs-CVE-2014-9683.patch b/recipes-kernel/linux/files/eCryptfs-CVE-2014-9683.patch
new file mode 100644
index 0000000..0cd9c95
--- /dev/null
+++ b/recipes-kernel/linux/files/eCryptfs-CVE-2014-9683.patch
@@ -0,0 +1,41 @@
+From 8ffea99d6f2be99790611282f326da95a84a8cab Mon Sep 17 00:00:00 2001
+From: Michael Halcrow <mhalcrow@google.com>
+Date: Wed, 26 Nov 2014 09:09:16 -0800
+Subject: [PATCH] eCryptfs: Remove buggy and unnecessary write in file name
+ decode routine
+commit 942080643bce061c3dd9d5718d3b745dcb39a8bc upstream.
+Dmitry Chernenkov used KASAN to discover that eCryptfs writes past the
+end of the allocated buffer during encrypted filename decoding. This
+fix corrects the issue by getting rid of the unnecessary 0 write when
+the current bit offset is 2.
+Fixes CVE-2014-9683
+Upstream-Status: Backport
+Signed-off-by: Michael Halcrow <mhalcrow@google.com>
+Reported-by: Dmitry Chernenkov <dmitryc@google.com>
+Suggested-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ fs/ecryptfs/crypto.c | 1 -
+ 1 file changed, 1 deletion(-)
+diff --git a/fs/ecryptfs/crypto.c b/fs/ecryptfs/crypto.c
+index 000eae2..bf926f7 100644
+--- a/fs/ecryptfs/crypto.c
+++ b/fs/ecryptfs/crypto.c
+@@ -1917,7 +1917,6 @@ ecryptfs_decode_from_filename(unsigned char *dst, size_t *dst_size,
+                        break;
+                case 2:
+                        dst[dst_byte_offset++] |= (src_byte);
+-                       dst[dst_byte_offset] = 0;
+                        current_bit_offset = 0;
+                        break;
+                }
+-- 
+1.9.1
diff --git a/recipes-kernel/linux/linux-qoriq_3.12.bb b/recipes-kernel/linux/linux-qoriq_3.12.bb
index f082b04..1e9e476 100644
--- a/recipes-kernel/linux/linux-qoriq_3.12.bb
+++ b/recipes-kernel/linux/linux-qoriq_3.12.bb
@@ -37,6 +37,7 @@ SRC_URI = "git://git.freescale.com/ppc/sdk/linux.git;nobranch=1 \
    file://fs-CVE-2014-4014.patch \
    file://tracing-CVE-2014-7825_CVE-2014-7826.patch \
    file://security-keys-CVE-2014-9529.patch \
+    file://eCryptfs-CVE-2014-9683.patch \
 "
 SRCREV = "6619b8b55796cdf0cec04b66a71288edd3057229"
author	Sona Sarmadi <sona.sarmadi@enea.com>	2015-03-13 12:54:03 +0100
committer	Zhenhua Luo <zhenhua.luo@freescale.com>	2015-03-31 11:21:41 +0800
commit	61df8be41c952bcb81ab2799e5772a34b8788d43 (patch)
tree	c7272a14b953b8c278137d9b54cd86e2f9c10941 /recipes-kernel/linux
parent	7e2b2203ce7569e5721f4621edca1d17375a78b4 (diff)
download	meta-fsl-ppc-61df8be41c952bcb81ab2799e5772a34b8788d43.tar.gz

diff --git a/recipes-kernel/linux/files/eCryptfs-CVE-2014-9683.patch b/recipes-kernel/linux/files/eCryptfs-CVE-2014-9683.patch new file mode 100644 index 0000000..0cd9c95 --- /dev/null +++ b/recipes-kernel/linux/files/eCryptfs-CVE-2014-9683.patch
@@ -0,0 +1,41 @@
		1	From 8ffea99d6f2be99790611282f326da95a84a8cab Mon Sep 17 00:00:00 2001
		2	From: Michael Halcrow <mhalcrow@google.com>
		3	Date: Wed, 26 Nov 2014 09:09:16 -0800
		4	Subject: [PATCH] eCryptfs: Remove buggy and unnecessary write in file name
		5	decode routine
		6
		7	commit 942080643bce061c3dd9d5718d3b745dcb39a8bc upstream.
		8
		9	Dmitry Chernenkov used KASAN to discover that eCryptfs writes past the
		10	end of the allocated buffer during encrypted filename decoding. This
		11	fix corrects the issue by getting rid of the unnecessary 0 write when
		12	the current bit offset is 2.
		13
		14	Fixes CVE-2014-9683
		15	Upstream-Status: Backport
		16
		17	Signed-off-by: Michael Halcrow <mhalcrow@google.com>
		18	Reported-by: Dmitry Chernenkov <dmitryc@google.com>
		19	Suggested-by: Kees Cook <keescook@chromium.org>
		20	Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
		21	Signed-off-by: Jiri Slaby <jslaby@suse.cz>
		22	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
		23	---
		24	fs/ecryptfs/crypto.c \| 1 -
		25	1 file changed, 1 deletion(-)
		26
		27	diff --git a/fs/ecryptfs/crypto.c b/fs/ecryptfs/crypto.c
		28	index 000eae2..bf926f7 100644
		29	--- a/fs/ecryptfs/crypto.c
		30	+++ b/fs/ecryptfs/crypto.c
		31	@@ -1917,7 +1917,6 @@ ecryptfs_decode_from_filename(unsigned char dst, size_t dst_size,
		32	break;
		33	case 2:
		34	dst[dst_byte_offset++] \|= (src_byte);
		35	- dst[dst_byte_offset] = 0;
		36	current_bit_offset = 0;
		37	break;
		38	}
		39	--
		40	1.9.1
		41


diff --git a/recipes-kernel/linux/linux-qoriq_3.12.bb b/recipes-kernel/linux/linux-qoriq_3.12.bb index f082b04..1e9e476 100644 --- a/recipes-kernel/linux/linux-qoriq_3.12.bb +++ b/recipes-kernel/linux/linux-qoriq_3.12.bb
@@ -37,6 +37,7 @@ SRC_URI = "git://git.freescale.com/ppc/sdk/linux.git;nobranch=1 \
37	file://fs-CVE-2014-4014.patch \	37	file://fs-CVE-2014-4014.patch \
38	file://tracing-CVE-2014-7825_CVE-2014-7826.patch \	38	file://tracing-CVE-2014-7825_CVE-2014-7826.patch \
39	file://security-keys-CVE-2014-9529.patch \	39	file://security-keys-CVE-2014-9529.patch \
		40	file://eCryptfs-CVE-2014-9683.patch \
40	"	41	"
41	SRCREV = "6619b8b55796cdf0cec04b66a71288edd3057229"	42	SRCREV = "6619b8b55796cdf0cec04b66a71288edd3057229"
42		43