Vigil@nce - Linux kernel: buffer overflow of ecryptfs_hash_buckets
August 2010 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
A local attacker can generate a buffer overflow in ecryptfs, in
order to elevate his privileges.
Severity: 2/4
Creation date: 03/08/2010
DESCRIPTION OF THE VULNERABILITY
The Linux kernel uses ecryptfs to encrypt/decrypt files on the fly.
The fs/ecryptfs/messaging.c file uses the ecryptfs_hash_buckets
variable to store the number of bits of the storage area for
hlist_head structures. However, ecryptfs_hash_buckets is used as
if it were the number of hlist_head structures. For example, if
ecryptfs_hash_buckets is set to 3, there are 8 structures (1<<3)
instead of 3. As this variable is used to compute the size of a
memory area to allocate with kmalloc(), the memory area is too
short.
A local attacker can therefore generate a buffer overflow in
ecryptfs, in order to elevate his privileges.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-buffer-overflow-of-ecryptfs-hash-buckets-9808