Bug 611385 (CVE-2010-2492) - CVE-2010-2492 kernel: ecryptfs_uid_hash() buffer overflow
Summary: CVE-2010-2492 kernel: ecryptfs_uid_hash() buffer overflow
Status: CLOSED ERRATA
Alias: CVE-2010-2492
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: public=20100713,source=vendor-sec,rep...
Keywords: Security
Depends On: 611386 611387 611388 626320
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-07-05 04:32 UTC by Eugene Teo (Security Response)
Modified: 2019-06-08 13:02 UTC (History)
14 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2012-03-28 08:44:56 UTC


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2010:0723 normal SHIPPED_LIVE Important: kernel security and bug fix update 2010-09-29 14:53:22 UTC
Red Hat Product Errata RHSA-2011:0007 normal SHIPPED_LIVE Important: kernel security and bug fix update 2011-01-11 19:44:55 UTC

Description Eugene Teo (Security Response) 2010-07-05 04:32:42 UTC
Description of problem:
The function ecryptfs_uid_hash wrongly assumes that the second parameter to hash_long() is the number of hash buckets instead of the number of hash bits.
This patch fixes that and renames the variable ecryptfs_hash_buckets to ecryptfs_hash_bits to make it clearer.

Acknowledgements:

Red Hat would like to thank Andre Osterhues for reporting this issue.

Comment 2 Eugene Teo (Security Response) 2010-07-05 04:37:57 UTC
rhel-5 crw------- 1 root root 10, 61 Jul  5 03:51 /dev/ecryptfs
rhel-6 crw-rw----. 1 root root 10, 57 Jul  5 03:54 /dev/ecryptfs

On rhel-6, ecryptfs netlink transport has been removed (commit 624ae528) and /dev/ecryptfs is not world-writable. On rhel-5, we still have the ecryptfs netlink transport (commit 88b4a07e + f66e883e but without 624ae528) and so the issue may still be triggered by unprivileged users.

Comment 9 Eugene Teo (Security Response) 2010-08-02 06:59:45 UTC
Upstream commit:
http://git.kernel.org/linus/a6f80fb7b5986fda663d94079d3bba0937a6b6ff

Comment 10 Chuck Ebbert 2010-08-02 21:04:07 UTC
Fixed upstream in 2.6.35, 2.6.34.2, 2.6.33.7, 2.6.32.17 and 2.6.27.49

Comment 12 errata-xmlrpc 2010-09-29 14:53:30 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0723 https://rhn.redhat.com/errata/RHSA-2010-0723.html

Comment 13 Orlando Richards 2010-10-01 09:13:36 UTC
Is this issue mitigated by ensuring that the ecryptfs kernel module is not loaded?

Comment 14 Petr Matousek 2010-10-01 09:38:16 UTC
(In reply to comment #13)
> Is this issue mitigated by ensuring that the ecryptfs kernel module is not
> loaded?

Yes, ensuring that the ecryptfs module is not loaded will mitigate this issue.

Comment 15 Vincent Danen 2010-11-15 19:26:19 UTC
Statement:

The Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, and Red Hat
Enterprise MRG did not include support for eCryptfs, and therefore are not
affected by this issue. A future update in Red Hat Enterprise Linux 6 may
address this flaw.  This was addressed in Red Hat Enterprise Linux 5 via https://rhn.redhat.com/errata/RHSA-2010-0723.html.

Comment 16 errata-xmlrpc 2011-01-11 19:45:02 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0007 https://rhn.redhat.com/errata/RHSA-2011-0007.html


Note You need to log in before you can comment on or make changes to this bug.