    eCryptfs: Extend array bounds for all filename chars · 0f751e64
    Tyler Hicks authored
    From mhalcrow's original commit message:
    
        Characters with ASCII values greater than the size of
        filename_rev_map[] are valid filename characters.
        ecryptfs_decode_from_filename() will access kernel memory beyond
        that array, and ecryptfs_parse_tag_70_packet() will then decrypt
        those characters. The attacker, using the FNEK of the crafted file,
        can then re-encrypt the characters to reveal the kernel memory past
        the end of the filename_rev_map[] array. I expect low security
        impact since this array is statically allocated in the text area,
        and the amount of memory past the array that is accessible is
        limited by the largest possible ASCII filename character.
    
    This patch solves the issue reported by mhalcrow but with an
    implementation suggested by Linus to simply extend the length of
    filename_rev_map[] to 256. Characters greater than 0x7A are mapped to
    0x00, which is how invalid characters less than 0x7A were previously
    being handled.
    Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
    Reported-by: Michael Halcrow <mhalcrow@google.com>
    Cc: stable@kernel.org
crypto.c 67.5 KB
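
The table-sizing point in the commit message, as an added example that is not the kernel's code: a reverse-lookup table sized to the highest valid character (0x7A) needs a range check on every byte, while a 256-entry table with unused slots set to 0x00 gives the same results with no check. The alphabet, table names and function names below are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed 64-character alphabet; its highest byte is 'z' (0x7A). */
static const char alphabet[] =
    "-.0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

#define SHORT_LEN 0x7B                      /* indices 0x00..0x7A only */
static unsigned char short_map[SHORT_LEN];  /* undersized layout */
static unsigned char full_map[256];         /* one slot per byte value */

/* Fill both tables: alphabet[i] -> i, every other byte -> 0x00. */
void build_maps(void)
{
    memset(short_map, 0, sizeof(short_map));
    memset(full_map, 0, sizeof(full_map));
    for (size_t i = 0; i < sizeof(alphabet) - 1; i++) {
        unsigned char c = (unsigned char)alphabet[i];
        short_map[c] = full_map[c] = (unsigned char)i;
    }
}

/* Short table is only safe with an explicit range check per byte. */
unsigned char lookup_short_checked(unsigned char c)
{
    return c < SHORT_LEN ? short_map[c] : 0x00;
}

/* An unsigned char index can never leave a 256-entry table. */
unsigned char lookup_full(unsigned char c)
{
    return full_map[c];
}

/* Count bytes that would read past short_map in an unchecked lookup. */
size_t count_out_of_range(const unsigned char *src, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        n += (src[i] >= SHORT_LEN);
    return n;
}

int main(void)
{
    const unsigned char name[] = { 'a', 0x7B, 'z', 0xC3, 0xA9 }; /* constructed */
    build_maps();
    printf("out-of-range bytes: %zu\n", count_out_of_range(name, sizeof(name)));
    return 0;
}
```

The index type matters as much as the table length: the lookup is only bounded because the byte is an unsigned char, so a plain char that is signed on the target would need a cast before indexing.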