Red Hat Bugzilla – Bug 527534
CVE-2009-2908 kernel ecryptfs NULL pointer dereference
Last modified: 2012-07-16 13:36:24 EDT
A flaw was found in ecryptfs which can result in a NULL pointer dereference. Quoting the commit message:
When calling vfs_unlink() on the lower dentry, d_delete() turns the
dentry into a negative dentry when the d_count is 1. This eventually
caused a NULL pointer deref when a read() or write() was done and the
negative dentry's d_inode was dereferenced in
ecryptfs_read_update_atime() or ecryptfs_getxattr().
The upstream commit is here:
There is a launchpad bug with more details here:
I suspect this flaw could result in arbitrary code execution, but I'm not 100% honestly. The pointer in question does contain function pointers. It's possible it's not, but my limited knowledge tells me to treat is as such.
MITRE's CVE-2009-2908 entry:
The d_delete function in fs/ecryptfs/inode.c in eCryptfs in the Linux
kernel 2.6.31 allows local users to cause a denial of service (kernel
OOPS) and possibly execute arbitrary code via unspecified vectors that
cause a "negative dentry" and trigger a NULL pointer dereference, as
demonstrated via a Mutt temporary directory in an eCryptfs mount.
kernel-220.127.116.11-170.2.104.fc10 has been submitted as an update for Fedora 10.
kernel-18.104.22.168-170.2.104.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
kernel-22.214.171.124-90.fc11 has been submitted as an update for Fedora 11.
kernel-126.96.36.199-90.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in following products:
Red Hat Enterprise Linux 5
Via RHSA-2009:1548 https://rhn.redhat.com/errata/RHSA-2009-1548.html