Bug 611385 (CVE-2010-2492)

Summary: CVE-2010-2492 kernel: ecryptfs_uid_hash() buffer overflow
Product: [Other] Security Response Reporter: Eugene Teo (Security Response) <eteo>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: arozansk, davej, dhoward, esandeen, jmarchan, jpirko, kmcmartin, lwang, plyons, pmatouse, rcvalle, security-response-team, tcallawa, vdanen
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-03-28 08:44:56 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 611386, 611387, 611388, 626320    
Bug Blocks:    

Description Eugene Teo (Security Response) 2010-07-05 04:32:42 UTC
Description of problem:
The function ecryptfs_uid_hash wrongly assumes that the second parameter to hash_long() is the number of hash buckets instead of the number of hash bits.
This patch fixes that and renames the variable ecryptfs_hash_buckets to ecryptfs_hash_bits to make it clearer.

Acknowledgements:

Red Hat would like to thank Andre Osterhues for reporting this issue.

Comment 2 Eugene Teo (Security Response) 2010-07-05 04:37:57 UTC
rhel-5 crw------- 1 root root 10, 61 Jul  5 03:51 /dev/ecryptfs
rhel-6 crw-rw----. 1 root root 10, 57 Jul  5 03:54 /dev/ecryptfs

On rhel-6, ecryptfs netlink transport has been removed (commit 624ae528) and /dev/ecryptfs is not world-writable. On rhel-5, we still have the ecryptfs netlink transport (commit 88b4a07e + f66e883e but without 624ae528) and so the issue may still be triggered by unprivileged users.

Comment 9 Eugene Teo (Security Response) 2010-08-02 06:59:45 UTC
Upstream commit:
http://git.kernel.org/linus/a6f80fb7b5986fda663d94079d3bba0937a6b6ff

Comment 10 Chuck Ebbert 2010-08-02 21:04:07 UTC
Fixed upstream in 2.6.35, 2.6.34.2, 2.6.33.7, 2.6.32.17 and 2.6.27.49

Comment 12 errata-xmlrpc 2010-09-29 14:53:30 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0723 https://rhn.redhat.com/errata/RHSA-2010-0723.html

Comment 13 Orlando Richards 2010-10-01 09:13:36 UTC
Is this issue mitigated by ensuring that the ecryptfs kernel module is not loaded?

Comment 14 Petr Matousek 2010-10-01 09:38:16 UTC
(In reply to comment #13)
> Is this issue mitigated by ensuring that the ecryptfs kernel module is not
> loaded?

Yes, ensuring that the ecryptfs module is not loaded will mitigate this issue.

Comment 15 Vincent Danen 2010-11-15 19:26:19 UTC
Statement:

The Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, and Red Hat
Enterprise MRG did not include support for eCryptfs, and therefore are not
affected by this issue. A future update in Red Hat Enterprise Linux 6 may
address this flaw.  This was addressed in Red Hat Enterprise Linux 5 via https://rhn.redhat.com/errata/RHSA-2010-0723.html.

Comment 16 errata-xmlrpc 2011-01-11 19:45:02 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0007 https://rhn.redhat.com/errata/RHSA-2011-0007.html