[kernel] r22407 - in dists/wheezy-security/linux/debian: . patches patches/bugfix/all

Ben Hutchings benh at moszumanska.debian.org
Fri Feb 20 02:37:24 UTC 2015


Author: benh
Date: Fri Feb 20 02:37:23 2015
New Revision: 22407

Log:
eCryptfs: Remove buggy and unnecessary write in file name decode routine (CVE-2014-9683)

Added:
   dists/wheezy-security/linux/debian/patches/bugfix/all/ecryptfs-remove-buggy-and-unnecessary-write-in-file-name-decode.patch
Modified:
   dists/wheezy-security/linux/debian/changelog
   dists/wheezy-security/linux/debian/patches/series

Modified: dists/wheezy-security/linux/debian/changelog
==============================================================================
--- dists/wheezy-security/linux/debian/changelog	Wed Feb 18 12:51:30 2015	(r22406)
+++ dists/wheezy-security/linux/debian/changelog	Fri Feb 20 02:37:23 2015	(r22407)
@@ -24,6 +24,8 @@
   * Fix regressions caused by CVE-2014-8133 fix:
     - [amd64] tls, ldt: Stop checking lm in LDT_empty
     - [x86] tls: Interpret an all-zero struct user_desc as "no segment"
+  * eCryptfs: Remove buggy and unnecessary write in file name decode
+    routine (CVE-2014-9683)
 
  -- Ben Hutchings <ben at decadent.org.uk>  Thu, 29 Jan 2015 04:02:31 +0000
 

Added: dists/wheezy-security/linux/debian/patches/bugfix/all/ecryptfs-remove-buggy-and-unnecessary-write-in-file-name-decode.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/wheezy-security/linux/debian/patches/bugfix/all/ecryptfs-remove-buggy-and-unnecessary-write-in-file-name-decode.patch	Fri Feb 20 02:37:23 2015	(r22407)
@@ -0,0 +1,31 @@
+From: Michael Halcrow <mhalcrow at google.com>
+Date: Wed, 26 Nov 2014 09:09:16 -0800
+Subject: eCryptfs: Remove buggy and unnecessary write in file name decode
+ routine
+
+commit 942080643bce061c3dd9d5718d3b745dcb39a8bc upstream.
+
+Dmitry Chernenkov used KASAN to discover that eCryptfs writes past the
+end of the allocated buffer during encrypted filename decoding. This
+fix corrects the issue by getting rid of the unnecessary 0 write when
+the current bit offset is 2.
+
+Signed-off-by: Michael Halcrow <mhalcrow at google.com>
+Reported-by: Dmitry Chernenkov <dmitryc at google.com>
+Suggested-by: Kees Cook <keescook at chromium.org>
+Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ fs/ecryptfs/crypto.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/fs/ecryptfs/crypto.c
++++ b/fs/ecryptfs/crypto.c
+@@ -2038,7 +2038,6 @@ ecryptfs_decode_from_filename(unsigned c
+ 			break;
+ 		case 2:
+ 			dst[dst_byte_offset++] |= (src_byte);
+-			dst[dst_byte_offset] = 0;
+ 			current_bit_offset = 0;
+ 			break;
+ 		}
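
Review bot: In the `case 2:` branch of `ecryptfs_decode_from_filename`, removing `dst[dst_byte_offset] = 0;` stops the write past the end of the buffer, but the patch description calls that write "unnecessary" without saying why. After this change nothing in the visible branch zeroes or terminates the byte following the last decoded one. Please add a sentence to the description, or a short comment at `case 2:`, stating what callers rely on instead (for example, the decoded length rather than a trailing zero byte), so that anyone carrying this backport can check that the same assumption holds for the callers in this tree.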

Modified: dists/wheezy-security/linux/debian/patches/series
==============================================================================
--- dists/wheezy-security/linux/debian/patches/series	Wed Feb 18 12:51:30 2015	(r22406)
+++ dists/wheezy-security/linux/debian/patches/series	Fri Feb 20 02:37:23 2015	(r22407)
@@ -1172,3 +1172,4 @@
 bugfix/all/net-sctp-fix-slab-corruption-from-use-after-free-on-init-collisions.patch
 bugfix/x86/x86-tls-ldt-stop-checking-lm-in-ldt_empty.patch
 bugfix/x86/x86-tls-interpret-an-all-zero-struct-user_desc-as-no-segment.patch
+bugfix/all/ecryptfs-remove-buggy-and-unnecessary-write-in-file-name-decode.patch


