Bug 611385 - (CVE-2010-2492) CVE-2010-2492 kernel: ecryptfs_uid_hash() buffer overflow
CVE-2010-2492 kernel: ecryptfs_uid_hash() buffer overflow
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
public=20100713,source=vendor-sec,rep...
: Security
Depends On: 611386 611387 611388 626320
Blocks:
  Show dependency treegraph
 
Reported: 2010-07-05 00:32 EDT by Eugene Teo (Security Response)
Modified: 2015-07-31 03:53 EDT (History)
14 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-03-28 04:44:56 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Eugene Teo (Security Response) 2010-07-05 00:32:42 EDT
Description of problem:
The function ecryptfs_uid_hash wrongly assumes that the second parameter to hash_long() is the number of hash buckets instead of the number of hash bits.
This patch fixes that and renames the variable ecryptfs_hash_buckets to ecryptfs_hash_bits to make it clearer.

Acknowledgements:

Red Hat would like to thank Andre Osterhues for reporting this issue.
Comment 2 Eugene Teo (Security Response) 2010-07-05 00:37:57 EDT
rhel-5 crw------- 1 root root 10, 61 Jul  5 03:51 /dev/ecryptfs
rhel-6 crw-rw----. 1 root root 10, 57 Jul  5 03:54 /dev/ecryptfs

On rhel-6, ecryptfs netlink transport has been removed (commit 624ae528) and /dev/ecryptfs is not world-writable. On rhel-5, we still have the ecryptfs netlink transport (commit 88b4a07e + f66e883e but without 624ae528) and so the issue may still be triggered by unprivileged users.
Comment 9 Eugene Teo (Security Response) 2010-08-02 02:59:45 EDT
Upstream commit:
http://git.kernel.org/linus/a6f80fb7b5986fda663d94079d3bba0937a6b6ff
Comment 10 Chuck Ebbert 2010-08-02 17:04:07 EDT
Fixed upstream in 2.6.35, 2.6.34.2, 2.6.33.7, 2.6.32.17 and 2.6.27.49
Comment 12 errata-xmlrpc 2010-09-29 10:53:30 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0723 https://rhn.redhat.com/errata/RHSA-2010-0723.html
Comment 13 Orlando Richards 2010-10-01 05:13:36 EDT
Is this issue mitigated by ensuring that the ecryptfs kernel module is not loaded?
Comment 14 Petr Matousek 2010-10-01 05:38:16 EDT
(In reply to comment #13)
> Is this issue mitigated by ensuring that the ecryptfs kernel module is not
> loaded?

Yes, ensuring that the ecryptfs module is not loaded will mitigate this issue.
Comment 15 Vincent Danen 2010-11-15 14:26:19 EST
Statement:

The Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, and Red Hat
Enterprise MRG did not include support for eCryptfs, and therefore are not
affected by this issue. A future update in Red Hat Enterprise Linux 6 may
address this flaw.  This was addressed in Red Hat Enterprise Linux 5 via https://rhn.redhat.com/errata/RHSA-2010-0723.html.
Comment 16 errata-xmlrpc 2011-01-11 14:45:02 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0007 https://rhn.redhat.com/errata/RHSA-2011-0007.html

Note You need to log in before you can comment on or make changes to this bug.