www.infradead.org Git - users/jedix/linux-maple.git/commit

author	Tyler Hicks <tyhicks@canonical.com>
	Wed, 23 Nov 2011 17:31:24 +0000 (11:31 -0600)
committer	Maxim Uvarov <maxim.uvarov@oracle.com>
	Fri, 16 Dec 2011 01:14:21 +0000 (17:14 -0800)
commit	a5b28e7e5ca3f813b0098ceafdd6f993a8ab6843
tree	589ed87c56e680115ee78dd16b6d08ebf5bb5dc2	tree
parent	b097aa9c9d76e8b72171575d4af9f6356adaa358	commit \| diff

eCryptfs: Extend array bounds for all filename chars

commit 0f751e641a71157aa584c2a2e22fda52b52b8a56 upstream.

From mhalcrow's original commit message:

    Characters with ASCII values greater than the size of
    filename_rev_map[] are valid filename characters.
    ecryptfs_decode_from_filename() will access kernel memory beyond
    that array, and ecryptfs_parse_tag_70_packet() will then decrypt
    those characters. The attacker, using the FNEK of the crafted file,
    can then re-encrypt the characters to reveal the kernel memory past
    the end of the filename_rev_map[] array. I expect low security
    impact since this array is statically allocated in the text area,
    and the amount of memory past the array that is accessible is
    limited by the largest possible ASCII filename character.

This patch solves the issue reported by mhalcrow but with an
implementation suggested by Linus to simply extend the length of
filename_rev_map[] to 256. Characters greater than 0x7A are mapped to
0x00, which is how invalid characters less than 0x7A were previously
being handled.

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Reported-by: Michael Halcrow <mhalcrow@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>