Bug 1193830 (CVE-2014-9683)

Summary: CVE-2014-9683 kernel: buffer overflow in eCryptfs
Product: [Other] Security Response Reporter: Martin Prpič <mprpic>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: 33990235, agordeev, aquini, bhu, dhoward, esammons, fhrbata, gansalmon, iboverma, itamar, jforbes, jkacur, jonathan, jross, jwboyer, kernel-maint, kernel-mgr, lgoncalv, lwang, madhu.chinakonda, matt, mchehab, mcressma, mguzik, nmurray, pholasek, plougher, pmatouse, rt-maint, rvrbovsk, williams, wmealing
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
A buffer overflow flaw was found in the way the Linux kernel's eCryptfs implementation decoded encrypted file names. A local, unprivileged user could use this flaw to crash the system or, potentially, escalate their privileges on the system.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2015-07-22 19:33:27 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1202155, 1202156    
Bug Blocks: 1193831    

Description Martin Prpič 2015-02-18 11:08:52 UTC 
A buffer overflow flaw was found in the way the Linux kernel's eCryptfs implementation decoded encrypted file names.
A local, unprivileged user could use this flaw to crash the system or, potentially, escalate their privileges on the system.

Upstream fix:
-------------
 -> https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=942080643bce061c3dd9d5718d3b745dcb39a8bc

Reference:
-----------
 -> http://seclists.org/oss-sec/2015/q1/582
Comment 2 Wade Mealing 2015-03-13 06:02:01 UTC 
Statement:

This issue did not affect versions of the Linux kernel as shipped with Red Hat Enterprise Linux 5 and 7; and kernel-rt packages as shipped with Red Hat Enterprise MRG 2 and Red Hat Enterprise Linux 7.
Comment 5 errata-xmlrpc 2015-07-22 08:40:21 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2015:1272 https://rhn.redhat.com/errata/RHSA-2015-1272.html
Comment 6 tomsun 2015-08-24 08:24:09 UTC 
(In reply to Wade Mealing from comment #2)
> Statement:
> 
> This issue did not affect versions of the Linux kernel as shipped with Red
> Hat Enterprise Linux 5 and 7; and kernel-rt packages as shipped with Red Hat
> Enterprise MRG 2 and Red Hat Enterprise Linux 7.

why not did affect to rhel 7, it has the seam code with rhel 6?

case 2:
			dst[dst_byte_offset++] |= (src_byte);
			dst[dst_byte_offset] = 0;
			current_bit_offset = 0;

3ks
Comment 7 Wade Mealing 2015-08-26 06:59:53 UTC 
Gday Tomsun,

You're correct it does seem to have the same code as EL6, however the encryptfs code is not enabled on EL7.

You may see some similarly named CONFIG_ECRYPT_FS functions in the kernel are not included to be built.

/home/wmealing/rpmbuild/BUILD/kernel-3.10.0-229.el7/linux-3.10.0-229.el6.x86_64
[wmealing@work-desktop linux-3.10.0-229.el6.x86_64]$ cat .config |grep ECRYPT
# CONFIG_ECRYPT_FS is not set

You may however see similarly named symbols in the kernel:

[root@unused-9-133 ~]# cat /proc/kallsyms  |grep ecryptfs_|head -n 3
ffffffff81266f70 T ecryptfs_get_auth_tok_key
ffffffff81266f90 T ecryptfs_get_versions
ffffffff81266fc0 T ecryptfs_fill_auth_tok

But these are helper functions generated by CONFIG_ENCRYPTED_KEYS kernel config options, not be encryptfs itself.

If you have any further options, please open a ticket with a Red Hat support staff member.

Thanks.

Wade Mealing
Product Security