Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit a6f80fb7 authored by Andre Osterhues's avatar Andre Osterhues Committed by Linus Torvalds
Browse files

ecryptfs: Bugfix for error related to ecryptfs_hash_buckets 



The function ecryptfs_uid_hash wrongly assumes that the
second parameter to hash_long() is the number of hash
buckets instead of the number of hash bits.
This patch fixes that and renames the variable
ecryptfs_hash_buckets to ecryptfs_hash_bits to make it
clearer.

Fixes: CVE-2010-2492

Signed-off-by: default avatarAndre Osterhues <aosterhues@escrypt.com>
Signed-off-by: default avatarTyler Hicks <tyhicks@linux.vnet.ibm.com>
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
parent 6c50e1a4

fs/ecryptfs/messaging.c

+9 −8
Original line number Diff line number Diff line
@@ -31,9 +31,9 @@ static struct mutex ecryptfs_msg_ctx_lists_mux; 


static struct hlist_head *ecryptfs_daemon_hash;

struct mutex ecryptfs_daemon_hash_mux;

static int ecryptfs_hash_buckets;

static int ecryptfs_hash_bits;

#define ecryptfs_uid_hash(uid) \

        hash_long((unsigned long)uid, ecryptfs_hash_buckets)

        hash_long((unsigned long)uid, ecryptfs_hash_bits)



static u32 ecryptfs_msg_counter;

static struct ecryptfs_msg_ctx *ecryptfs_msg_ctx_arr;
@@ -486,18 +486,19 @@ int ecryptfs_init_messaging(void) 
	}

	mutex_init(&ecryptfs_daemon_hash_mux);

	mutex_lock(&ecryptfs_daemon_hash_mux);

	ecryptfs_hash_buckets = 1;

	while (ecryptfs_number_of_users >> ecryptfs_hash_buckets)

		ecryptfs_hash_buckets++;

	ecryptfs_hash_bits = 1;

	while (ecryptfs_number_of_users >> ecryptfs_hash_bits)

		ecryptfs_hash_bits++;

	ecryptfs_daemon_hash = kmalloc((sizeof(struct hlist_head)

					* ecryptfs_hash_buckets), GFP_KERNEL);

					* (1 << ecryptfs_hash_bits)),

				       GFP_KERNEL);

	if (!ecryptfs_daemon_hash) {

		rc = -ENOMEM;

		printk(KERN_ERR "%s: Failed to allocate memory\n", __func__);

		mutex_unlock(&ecryptfs_daemon_hash_mux);

		goto out;

	}

	for (i = 0; i < ecryptfs_hash_buckets; i++)

	for (i = 0; i < (1 << ecryptfs_hash_bits); i++)

		INIT_HLIST_HEAD(&ecryptfs_daemon_hash[i]);

	mutex_unlock(&ecryptfs_daemon_hash_mux);

	ecryptfs_msg_ctx_arr = kmalloc((sizeof(struct ecryptfs_msg_ctx)
@@ -554,7 +555,7 @@ void ecryptfs_release_messaging(void) 
		int i;



		mutex_lock(&ecryptfs_daemon_hash_mux);

		for (i = 0; i < ecryptfs_hash_buckets; i++) {

		for (i = 0; i < (1 << ecryptfs_hash_bits); i++) {

			int rc;



			hlist_for_each_entry(daemon, elem,