eCryptfs: CVE-2014-9683

This fixes a 1-byte NULL write past the end of allocated memory References http://seclists.org/oss-sec/2015/q1/582 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9683 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2015-03-13 12:54:03 +0100
committer: Zhenhua Luo <zhenhua.luo@freescale.com> 2015-03-31 11:21:41 +0800
commit: 1afa62312a1c0e7336e5771b6f45c0a4810d9bd7 (patch)
tree: 62957797436ef57034cd105446f63054dcdca89d
parent: 95b506386d128a715c389cf2aa67b3468a1cf2cc (diff)
download: meta-freescale-1afa62312a1c0e7336e5771b6f45c0a4810d9bd7.tar.gz
2 files changed, 42 insertions, 0 deletions
diff --git a/meta-fsl-ppc/recipes-kernel/linux/files/eCryptfs-CVE-2014-9683.patch b/meta-fsl-ppc/recipes-kernel/linux/files/eCryptfs-CVE-2014-9683.patch
new file mode 100644
index 00000000..0cd9c958
--- /dev/null
+++ b/meta-fsl-ppc/recipes-kernel/linux/files/eCryptfs-CVE-2014-9683.patch
@@ -0,0 +1,41 @@
+From 8ffea99d6f2be99790611282f326da95a84a8cab Mon Sep 17 00:00:00 2001
+From: Michael Halcrow <mhalcrow@google.com>
+Date: Wed, 26 Nov 2014 09:09:16 -0800
+Subject: [PATCH] eCryptfs: Remove buggy and unnecessary write in file name
+ decode routine
+commit 942080643bce061c3dd9d5718d3b745dcb39a8bc upstream.
+Dmitry Chernenkov used KASAN to discover that eCryptfs writes past the
+end of the allocated buffer during encrypted filename decoding. This
+fix corrects the issue by getting rid of the unnecessary 0 write when
+the current bit offset is 2.
+Fixes CVE-2014-9683
+Upstream-Status: Backport
+Signed-off-by: Michael Halcrow <mhalcrow@google.com>
+Reported-by: Dmitry Chernenkov <dmitryc@google.com>
+Suggested-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ fs/ecryptfs/crypto.c | 1 -
+ 1 file changed, 1 deletion(-)
+diff --git a/fs/ecryptfs/crypto.c b/fs/ecryptfs/crypto.c
+index 000eae2..bf926f7 100644
+--- a/fs/ecryptfs/crypto.c
+++ b/fs/ecryptfs/crypto.c
+@@ -1917,7 +1917,6 @@ ecryptfs_decode_from_filename(unsigned char *dst, size_t *dst_size,
+                        break;
+                case 2:
+                        dst[dst_byte_offset++] |= (src_byte);
+-                       dst[dst_byte_offset] = 0;
+                        current_bit_offset = 0;
+                        break;
+                }
+-- 
+1.9.1
diff --git a/meta-fsl-ppc/recipes-kernel/linux/linux-qoriq_3.12.bb b/meta-fsl-ppc/recipes-kernel/linux/linux-qoriq_3.12.bb
index f082b046..1e9e4761 100644
--- a/meta-fsl-ppc/recipes-kernel/linux/linux-qoriq_3.12.bb
+++ b/meta-fsl-ppc/recipes-kernel/linux/linux-qoriq_3.12.bb
@@ -37,6 +37,7 @@ SRC_URI = "git://git.freescale.com/ppc/sdk/linux.git;nobranch=1 \
    file://fs-CVE-2014-4014.patch \
    file://tracing-CVE-2014-7825_CVE-2014-7826.patch \
    file://security-keys-CVE-2014-9529.patch \
+    file://eCryptfs-CVE-2014-9683.patch \
 "
 SRCREV = "6619b8b55796cdf0cec04b66a71288edd3057229"
author	Sona Sarmadi <sona.sarmadi@enea.com>	2015-03-13 12:54:03 +0100
committer	Zhenhua Luo <zhenhua.luo@freescale.com>	2015-03-31 11:21:41 +0800
commit	1afa62312a1c0e7336e5771b6f45c0a4810d9bd7 (patch)
tree	62957797436ef57034cd105446f63054dcdca89d
parent	95b506386d128a715c389cf2aa67b3468a1cf2cc (diff)
download	meta-freescale-1afa62312a1c0e7336e5771b6f45c0a4810d9bd7.tar.gz

diff --git a/meta-fsl-ppc/recipes-kernel/linux/files/eCryptfs-CVE-2014-9683.patch b/meta-fsl-ppc/recipes-kernel/linux/files/eCryptfs-CVE-2014-9683.patch new file mode 100644 index 00000000..0cd9c958 --- /dev/null +++ b/meta-fsl-ppc/recipes-kernel/linux/files/eCryptfs-CVE-2014-9683.patch
@@ -0,0 +1,41 @@
		1	From 8ffea99d6f2be99790611282f326da95a84a8cab Mon Sep 17 00:00:00 2001
		2	From: Michael Halcrow <mhalcrow@google.com>
		3	Date: Wed, 26 Nov 2014 09:09:16 -0800
		4	Subject: [PATCH] eCryptfs: Remove buggy and unnecessary write in file name
		5	decode routine
		6
		7	commit 942080643bce061c3dd9d5718d3b745dcb39a8bc upstream.
		8
		9	Dmitry Chernenkov used KASAN to discover that eCryptfs writes past the
		10	end of the allocated buffer during encrypted filename decoding. This
		11	fix corrects the issue by getting rid of the unnecessary 0 write when
		12	the current bit offset is 2.
		13
		14	Fixes CVE-2014-9683
		15	Upstream-Status: Backport
		16
		17	Signed-off-by: Michael Halcrow <mhalcrow@google.com>
		18	Reported-by: Dmitry Chernenkov <dmitryc@google.com>
		19	Suggested-by: Kees Cook <keescook@chromium.org>
		20	Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
		21	Signed-off-by: Jiri Slaby <jslaby@suse.cz>
		22	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
		23	---
		24	fs/ecryptfs/crypto.c \| 1 -
		25	1 file changed, 1 deletion(-)
		26
		27	diff --git a/fs/ecryptfs/crypto.c b/fs/ecryptfs/crypto.c
		28	index 000eae2..bf926f7 100644
		29	--- a/fs/ecryptfs/crypto.c
		30	+++ b/fs/ecryptfs/crypto.c
		31	@@ -1917,7 +1917,6 @@ ecryptfs_decode_from_filename(unsigned char dst, size_t dst_size,
		32	break;
		33	case 2:
		34	dst[dst_byte_offset++] \|= (src_byte);
		35	- dst[dst_byte_offset] = 0;
		36	current_bit_offset = 0;
		37	break;
		38	}
		39	--
		40	1.9.1
		41


diff --git a/meta-fsl-ppc/recipes-kernel/linux/linux-qoriq_3.12.bb b/meta-fsl-ppc/recipes-kernel/linux/linux-qoriq_3.12.bb index f082b046..1e9e4761 100644 --- a/meta-fsl-ppc/recipes-kernel/linux/linux-qoriq_3.12.bb +++ b/meta-fsl-ppc/recipes-kernel/linux/linux-qoriq_3.12.bb
@@ -37,6 +37,7 @@ SRC_URI = "git://git.freescale.com/ppc/sdk/linux.git;nobranch=1 \
37	file://fs-CVE-2014-4014.patch \	37	file://fs-CVE-2014-4014.patch \
38	file://tracing-CVE-2014-7825_CVE-2014-7826.patch \	38	file://tracing-CVE-2014-7825_CVE-2014-7826.patch \
39	file://security-keys-CVE-2014-9529.patch \	39	file://security-keys-CVE-2014-9529.patch \
		40	file://eCryptfs-CVE-2014-9683.patch \
40	"	41	"
41	SRCREV = "6619b8b55796cdf0cec04b66a71288edd3057229"	42	SRCREV = "6619b8b55796cdf0cec04b66a71288edd3057229"
42		43