path: root/retired/CVE-2016-1583
blob: 0dd2e903f6b10b235b66e2947b66387a2738eb33
Description: eCryptfs layered over procfs can trigger stack overflow
References:
 http://www.openwall.com/lists/oss-security/2016/06/10/8
Notes:
 carnil> backports to kernels pre-4.6 need to cherry-pick 6a480a7842545ec520a91730209ec0bae41694c1 (4.6)
 carnil> as well.
 bwh> The issue here is:
 bwh> 1. ecryptfs never uses mmap() on the lower file, so did not check
 bwh>    that it was implemented.
 bwh> 2. procfs includes files that map to (part of) a process's VM.
 bwh> 3. mount.ecryptfs_private is setuid-root and allows layering over any
 bwh>    directory owned by the caller.
 bwh> So it was possible to mmap part of an ecryptfs file layered on a procfs
 bwh> file that maps to another mmapped region, and then to chain mappings
 bwh> to an arbitrary depth.  This could result in calling page fault
 bwh> handlers recursively, again to an arbitrary depth.  Either the procfs
 bwh> change *or* the ecryptfs change should be sufficient to fix this.
 bwh> The procfs fix depends on commit 69c433ed2ecd (3.18) which is an ABI
 bwh> breaker.
 bwh> The ecryptfs fix depends on the commit carnil mentioned.
 bwh> The first ecryptfs fix prevents reading directories on many underlying
 bwh> filesystems.  It was reverted upstream and replaced with commit
 bwh> f0fe970df383.  But with this version it's important to have the procfs
 bwh> fix as well.
Bugs:
upstream: released (4.7-rc3) [e54ad7f1ee263ffa5a2de9c609d58dfa27b21cd9, 2f36db71009304b3f0b95afacd8eba1f9f046b87, 29d6455178a09e1dc340380c582b13356227e8df]
3.16-upstream-stable: released (3.16.37) [fs-limit-filesystem-stacking-depth.patch, proc-prevent-stacking-filesystems-on-top.patch, ecryptfs-don-t-allow-mmap-when-the-lower-fs-doesn-t-support-it.patch]
3.2-upstream-stable: released (3.2.82) [fs-limit-filesystem-stacking-depth.patch, proc-prevent-stacking-filesystems-on-top.patch, ecryptfs-don-t-allow-mmap-when-the-lower-fs-doesn-t-support-it.patch]
sid: released (4.6.2-1) [bugfix/all/proc-prevent-stacking-filesystems-on-top.patch, bugfix/all/ecryptfs-forbid-opening-files-without-mmap-handler.patch, bugfix/all/sched-panic-on-corrupted-stack-end.patch]
3.16-jessie-security: released (3.16.7-ckt25-2+deb8u1) [bugfix/all/ecryptfs-fix-handling-of-directory-opening.patch, bugfix/all/ecryptfs-forbid-opening-files-without-mmap-handler.patch]
3.2-wheezy-security: released (3.2.81-1) [bugfix/all/ecryptfs-fix-handling-of-directory-opening.patch, bugfix/all/ecryptfs-forbid-opening-files-without-mmap-handler.patch]
