[kernel-sec-discuss] r4455 - active

Ben Hutchings benh at moszumanska.debian.org
Thu Jun 16 19:17:34 UTC 2016


Author: benh
Date: 2016-06-16 19:17:34 +0000 (Thu, 16 Jun 2016)
New Revision: 4455

Modified:
   active/CVE-2016-1583
Log:
Add more details about CVE-2016-1583 and required commits


Modified: active/CVE-2016-1583
===================================================================
--- active/CVE-2016-1583	2016-06-16 15:08:34 UTC (rev 4454)
+++ active/CVE-2016-1583	2016-06-16 19:17:34 UTC (rev 4455)
@@ -1,13 +1,27 @@
-Description: eCryptfs incorrectly handles mmap() when the lower filesystem does not have an mmap handler
+Description: eCryptfs layered over procfs can trigger stack overflow
 References:
  http://www.openwall.com/lists/oss-security/2016/06/10/8
 Notes:
  carnil> backport to kernels pre 4.6 need to cherry-pick 6a480a7842545ec520a91730209ec0bae41694c1 (4.6)
  carnil> as well.
+ bwh> The issue here is:
+ bwh> 1. ecryptfs never uses mmap() on the lower file, so did not check
+ bwh>    that it was implemented.
+ bwh> 2. procfs includes files that map to (part of) a process's VM.
+ bwh> 3. mount.ecryptfs_private is setuid-root and allows layering over any
+ bwh>    directory owned by the caller.
+ bwh> So it was possible to mmap part of an ecryptfs file layered on a procfs
+ bwh> file that maps to another mmapped region, and then to chain mappings
+ bwh> to an arbitrary depth.  This could result in calling page fault
+ bwh> handlers recursively, again to an arbitrary depth.  Either the procfs
+ bwh> change *or* the ecryptfs change should be sufficient to fix this.
+ bwh> The procfs fix depends on commit 69c433ed2ecd (3.18) which is an ABI
+ bwh> breaker.
+ bwh> The ecryptfs fix depends on the commit carnil mentioned.
 Bugs:
 upstream: released (4.7-rc3) [e54ad7f1ee263ffa5a2de9c609d58dfa27b21cd9, 2f36db71009304b3f0b95afacd8eba1f9f046b87, 29d6455178a09e1dc340380c582b13356227e8df]
 3.16-upstream-stable: needed
 3.2-upstream-stable: needed
 sid: released (4.6.2-1) [bugfix/all/proc-prevent-stacking-filesystems-on-top.patch, bugfix/all/ecryptfs-forbid-opening-files-without-mmap-handler.patch, bugfix/all/sched-panic-on-corrupted-stack-end.patch]
 3.16-jessie-security: needed
-3.2-wheezy-security: pending (3.2.81-1) [bugfix/all/ecryptfs-forbid-opening-files-without-mmap-handler.patch]
+3.2-wheezy-security: pending (3.2.81-1) [bugfix/all/ecryptfs-fix-handling-of-directory-opening.patch, bugfix/all/ecryptfs-forbid-opening-files-without-mmap-handler.patch]
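Review bot: the updated 3.2-wheezy-security entry adds bugfix/all/ecryptfs-fix-handling-of-directory-opening.patch, but the Notes never say whether that patch is the pre-4.6 cherry-pick carnil calls out (6a480a7842545ec520a91730209ec0bae41694c1) or something else, so a reader cannot tell from this file why the list grew. Suggest a one-line note next to carnil's, e.g. "bwh> on 3.2 that cherry-pick is ecryptfs-fix-handling-of-directory-opening.patch", so the 3.16-upstream-stable and 3.16-jessie-security entries, still marked "needed", carry the same prerequisite when they take the ecryptfs fix (the procfs alternative is ruled out for those branches by the note that it depends on the ABI-breaking 69c433ed2ecd).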
