NULL crypt_stat dereference during lookup

Bug #345766 reported by Tyler Hicks
Affects                   Status        Importance  Assigned to       Milestone
eCryptfs                  Fix Released  High        Tyler Hicks
ecryptfs-utils (Ubuntu)   Invalid       Undecided   Dustin Kirkland
  Jaunty                  Invalid       Undecided   Dustin Kirkland
linux (Ubuntu)            Fix Released  Medium      Tim Gardner
  Jaunty                  Fix Released  Medium      Tim Gardner       ubuntu-9.04

Bug Description

If ecryptfs_encrypted_view or ecryptfs_xattr_metadata are being specified as mount options, a NULL pointer dereference is possible during lookup.

Reproduce:
---
# mount -t ecryptfs lower upper
# touch upper/oops
# umount upper
# mount -t ecryptfs lower upper -o ecryptfs_encrypted_view
# ls upper/
---

You should have seen an oops after running `ls`.

Revision history for this message
Tyler Hicks (tyhicks) wrote :

---
Subject: [PATCH] eCryptfs: NULL crypt_stat dereference during lookup

If ecryptfs_encrypted_view or ecryptfs_xattr_metadata were being
specified as mount options, a NULL pointer dereference was possible
during lookup.

This patch moves the crypt_stat assignment into
ecryptfs_lookup_and_interpose_lower(), ensuring that crypt_stat
will not be NULL before we attempt to dereference it.

Thanks to Dan Carpenter and his static analysis tool, smatch, for
finding this bug.

Signed-off-by: Tyler Hicks <email address hidden>
---

Sent upstream: http://thread.gmane.org/gmane.linux.kernel/809706

Changed in ecryptfs:
assignee: nobody → tyhicks
importance: Undecided → High
status: New → In Progress
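The bug description and the commit message above describe a conditional-initialisation bug: crypt_stat is only assigned on the path that reads the metadata from the in-file header, a path that is skipped when ecryptfs_encrypted_view or ecryptfs_xattr_metadata is set, so a later unconditional dereference faults. The following user-space model, added here as an example and not taken from the eCryptfs source, shows the buggy shape beside the fixed shape the commit message describes (assignment hoisted to the top of the lookup-and-interpose routine). The struct layout, the MOUNT_* flag values, the metadata_size values and every function other than the name ecryptfs_lookup_and_interpose_lower are invented for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Hypothetical model of the eCryptfs lookup path, NOT kernel code.
 * Only crypt_stat and ecryptfs_lookup_and_interpose_lower are names
 * from the bug report; everything else here is an assumption.
 */
#define MOUNT_ENCRYPTED_VIEW  0x1u  /* models -o ecryptfs_encrypted_view */
#define MOUNT_XATTR_METADATA  0x2u  /* models -o ecryptfs_xattr_metadata */

struct ecryptfs_crypt_stat {
	unsigned int flags;
	size_t metadata_size;  /* bytes of header stored ahead of the file data */
};

struct model_inode {
	struct ecryptfs_crypt_stat crypt_stat;
};

struct model_dentry {
	const char *name;
	struct model_inode *inode;
	unsigned int mount_flags;
};

/*
 * Buggy shape: crypt_stat is assigned only on the branch that reads the
 * in-file header, which is skipped under either mount option. Whatever
 * runs next and dereferences crypt_stat oopses in those configurations.
 */
static struct ecryptfs_crypt_stat *lookup_buggy(struct model_dentry *dentry)
{
	struct ecryptfs_crypt_stat *crypt_stat = NULL;

	if (!(dentry->mount_flags & (MOUNT_ENCRYPTED_VIEW | MOUNT_XATTR_METADATA))) {
		crypt_stat = &dentry->inode->crypt_stat;
		crypt_stat->metadata_size = 8192;  /* pretend we parsed the header */
	}
	return crypt_stat;  /* NULL when either mount option is set */
}

/*
 * Fixed shape, after the commit message: the assignment is the first thing
 * ecryptfs_lookup_and_interpose_lower() does, so every later dereference
 * sees a valid pointer regardless of which mount options are in effect.
 */
static struct ecryptfs_crypt_stat *
ecryptfs_lookup_and_interpose_lower_model(struct model_dentry *dentry)
{
	struct ecryptfs_crypt_stat *crypt_stat = &dentry->inode->crypt_stat;

	if (dentry->mount_flags & (MOUNT_ENCRYPTED_VIEW | MOUNT_XATTR_METADATA))
		crypt_stat->metadata_size = 0;     /* no in-file header to skip */
	else
		crypt_stat->metadata_size = 8192;  /* pretend we parsed the header */
	return crypt_stat;
}

/* The consumer: the kind of dereference that faulted before the fix. */
static size_t upper_size(const struct ecryptfs_crypt_stat *cs, size_t lower_size)
{
	return lower_size - cs->metadata_size;
}

static bool lookup_would_oops(const struct ecryptfs_crypt_stat *cs)
{
	return cs == NULL;
}

/* Scenario builders so the two shapes can be compared side by side. */
static struct ecryptfs_crypt_stat *run_buggy(unsigned int mount_flags)
{
	static struct model_inode ino;
	struct model_dentry d = { "oops", &ino, mount_flags };
	return lookup_buggy(&d);
}

static struct ecryptfs_crypt_stat *run_fixed(unsigned int mount_flags)
{
	static struct model_inode ino;
	struct model_dentry d = { "oops", &ino, mount_flags };
	return ecryptfs_lookup_and_interpose_lower_model(&d);
}

int main(void)
{
	printf("buggy lookup, encrypted_view: crypt_stat %s\n",
	       lookup_would_oops(run_buggy(MOUNT_ENCRYPTED_VIEW)) ? "NULL (oops)" : "ok");
	printf("fixed lookup, encrypted_view: upper size %zu\n",
	       upper_size(run_fixed(MOUNT_ENCRYPTED_VIEW), 4096));
	return 0;
}
```

The point of the model is the ordering, not the sizes: once the pointer is taken before any branch on mount options, no later branch can leave it unset, which is exactly the property a static checker such as smatch flags when it sees a possibly-NULL pointer reaching a dereference.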
Revision history for this message
Tyler Hicks (tyhicks) wrote :

May not be a high priority for Ubuntu since encrypted home is not affected. (Those mount options aren't used.)

Changed in ecryptfs-utils:
assignee: nobody → kirkland
Changed in linux (Ubuntu):
assignee: nobody → timg-tpi
importance: Undecided → Medium
status: New → Triaged
Changed in linux (Ubuntu Jaunty):
milestone: none → ubuntu-9.04
Revision history for this message
Tim Gardner (timg-tpi) wrote :
Changed in linux (Ubuntu Jaunty):
status: Triaged → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 2.6.28-11.37

---------------
linux (2.6.28-11.37) jaunty; urgency=low

  [ Alex Deucher ]

  * SAUCE: radeon: add some new pci ids
    - LP: #334101

  [ Amit Kucheria ]

  * Updating configs - rip out orion5x and mv78xx0 flavours

  [ Andy Whitcroft ]

  * SAUCE: tone down the synaptics warning to avoid triggering kerneloops
    - LP: #330606

  [ Upstream Kernel Changes ]

  * ext4: fix header check in ext4_ext_search_right() for deep extent
    trees.
    - LP: #346194
  * eCryptfs: NULL crypt_stat dereference during lookup
    - LP: #345766
  * eCryptfs: Allocate a variable number of pages for file headers
    (CVE-2009-0787)
    - LP: #345544

 -- Tim Gardner <email address hidden> Mon, 23 Mar 2009 09:24:32 -0600

Changed in linux:
status: Fix Committed → Fix Released
Revision history for this message
Steve Langasek (vorlon) wrote :

Fixed in the linux package, marking this as 'invalid' because AIUI there's nothing to change here.

Changed in ecryptfs-utils:
status: New → Invalid
Revision history for this message
Tyler Hicks (tyhicks) wrote :
Changed in ecryptfs:
status: In Progress → Fix Committed
Revision history for this message
Tyler Hicks (tyhicks) wrote :

Fix released in 2.6.29

Changed in ecryptfs:
status: Fix Committed → Fix Released