611385 – (CVE-2010-2492) CVE-2010-2492 kernel: ecryptfs_uid_hash() buffer overflow

Bug 611385 (CVE-2010-2492) - CVE-2010-2492 kernel: ecryptfs_uid_hash() buffer overflow

Summary: CVE-2010-2492 kernel: ecryptfs_uid_hash() buffer overflow

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2010-2492
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	611386 611387 611388 626320
Blocks:
TreeView+	depends on / blocked

Reported:	2010-07-05 04:32 UTC by Eugene Teo (Security Response)
Modified:	2023-05-11 14:58 UTC (History)
CC List:	14 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2012-03-28 08:44:56 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2010:0723	0	normal	SHIPPED_LIVE	Important: kernel security and bug fix update	2010-09-29 14:53:22 UTC
Red Hat Product Errata	RHSA-2011:0007	0	normal	SHIPPED_LIVE	Important: kernel security and bug fix update	2011-01-11 19:44:55 UTC

Description Eugene Teo (Security Response) 2010-07-05 04:32:42 UTC

Description of problem:
The function ecryptfs_uid_hash wrongly assumes that the second parameter to hash_long() is the number of hash buckets instead of the number of hash bits.
This patch fixes that and renames the variable ecryptfs_hash_buckets to ecryptfs_hash_bits to make it clearer.

Acknowledgements:

Red Hat would like to thank Andre Osterhues for reporting this issue.

Comment 2 Eugene Teo (Security Response) 2010-07-05 04:37:57 UTC

rhel-5 crw------- 1 root root 10, 61 Jul  5 03:51 /dev/ecryptfs
rhel-6 crw-rw----. 1 root root 10, 57 Jul  5 03:54 /dev/ecryptfs

On rhel-6, ecryptfs netlink transport has been removed (commit 624ae528) and /dev/ecryptfs is not world-writable. On rhel-5, we still have the ecryptfs netlink transport (commit 88b4a07e + f66e883e but without 624ae528) and so the issue may still be triggered by unprivileged users.

Comment 9 Eugene Teo (Security Response) 2010-08-02 06:59:45 UTC

Upstream commit:
http://git.kernel.org/linus/a6f80fb7b5986fda663d94079d3bba0937a6b6ff

Comment 10 Chuck Ebbert 2010-08-02 21:04:07 UTC

Fixed upstream in 2.6.35, 2.6.34.2, 2.6.33.7, 2.6.32.17 and 2.6.27.49

Comment 12 errata-xmlrpc 2010-09-29 14:53:30 UTC

This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0723 https://rhn.redhat.com/errata/RHSA-2010-0723.html

Comment 13 Orlando Richards 2010-10-01 09:13:36 UTC

Is this issue mitigated by ensuring that the ecryptfs kernel module is not loaded?

Comment 14 Petr Matousek 2010-10-01 09:38:16 UTC

(In reply to comment #13)
> Is this issue mitigated by ensuring that the ecryptfs kernel module is not
> loaded?

Yes, ensuring that the ecryptfs module is not loaded will mitigate this issue.

Comment 15 Vincent Danen 2010-11-15 19:26:19 UTC

Statement:

The Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, and Red Hat
Enterprise MRG did not include support for eCryptfs, and therefore are not
affected by this issue. A future update in Red Hat Enterprise Linux 6 may
address this flaw.  This was addressed in Red Hat Enterprise Linux 5 via https://rhn.redhat.com/errata/RHSA-2010-0723.html.

Comment 16 errata-xmlrpc 2011-01-11 19:45:02 UTC

This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0007 https://rhn.redhat.com/errata/RHSA-2011-0007.html

Note You need to log in before you can comment on or make changes to this bug.