Bug 463478

Summary: RHEL5.3: ecryptfs memory corruption
Product: Red Hat Enterprise Linux 5 Reporter: Eric Sandeen <esandeen>
Component: kernelAssignee: Red Hat Kernel Manager <kernel-mgr>
Status: CLOSED ERRATA QA Contact: Martin Jenner <mjenner>
Severity: medium Docs Contact:
Priority: medium    
Version: 5.3CC: syeghiay, thenzl
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-01-20 20:15:21 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Eric Sandeen 2008-09-23 16:59:44 UTC 
Tomas Henzl pointed out this bug in the ecryptfs mount path:

> >> +       options_len = (strlen(options) + 1);
> >> +       if ((opts_tmp = opts_orig = kmalloc(options_len, GFP_KERNEL)) == NULL) {
> >> +	       rc = -ENOMEM;
> >> +	       goto out;
> >> +       }
> >> +       memcpy(opts_orig, options, options_len);
> >> +       opts_orig[options_len] = '\0';
> >>   
> Sorry for being so late,  but wouldn't be here better 
> 
> +       opts_orig[options_len - 1] = '\0';

where it writes 1 byte past the allocated memory.  This constitutes memory corruption on the ecryptfs mount path, and should be fixed before RHEL5.3 releases.

Thanks,
-Eric
Comment 1 RHEL Program Management 2008-09-23 18:15:19 UTC 
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 2 Don Zickus 2008-10-06 15:56:26 UTC 
in kernel-2.6.18-118.el5
You can download this test kernel from http://people.redhat.com/dzickus/el5
Comment 6 errata-xmlrpc 2009-01-20 20:15:21 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2009-0225.html