<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/fs/ecryptfs, branch v3.2.4</title>
<subtitle>Linux kernel source tree</subtitle>
<id>https://git.amat.us/linux/atom/fs/ecryptfs?h=v3.2.4</id>
<link rel='self' href='https://git.amat.us/linux/atom/fs/ecryptfs?h=v3.2.4'/>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/'/>
<updated>2012-02-03T17:21:24Z</updated>
<entry>
<title>eCryptfs: Fix oops when printing debug info in extent crypto functions</title>
<updated>2012-02-03T17:21:24Z</updated>
<author>
<name>Tyler Hicks</name>
<email>tyhicks@canonical.com</email>
</author>
<published>2012-01-24T16:02:22Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=1924fe5874a85f2b25ebb38089e11a6a637e8441'/>
<id>urn:sha1:1924fe5874a85f2b25ebb38089e11a6a637e8441</id>
<content type='text'>
commit 58ded24f0fcb85bddb665baba75892f6ad0f4b8a upstream.

If pages passed to the eCryptfs extent-based crypto functions are not
mapped and the module parameter ecryptfs_verbosity=1 was specified at
loading time, a NULL pointer dereference will occur.

Note that this wouldn't happen on a production system, as you wouldn't
pass ecryptfs_verbosity=1 on a production system. It leaks private
information to the system logs and is for debugging only.

The debugging info printed in these messages is no longer very useful
and rather than doing a kmap() in these debugging paths, it will be
better to simply remove the debugging paths completely.

https://launchpad.net/bugs/913651

Signed-off-by: Tyler Hicks &lt;tyhicks@canonical.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
</entry>
<entry>
<title>eCryptfs: Check inode changes in setattr</title>
<updated>2012-02-03T17:21:24Z</updated>
<author>
<name>Tyler Hicks</name>
<email>tyhicks@canonical.com</email>
</author>
<published>2012-01-20T02:33:44Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=963f50802b55b7df757ec9c44ccab130524c4d54'/>
<id>urn:sha1:963f50802b55b7df757ec9c44ccab130524c4d54</id>
<content type='text'>
commit a261a03904849c3df50bd0300efb7fb3f865137d upstream.

Most filesystems call inode_change_ok() very early in -&gt;setattr(), but
eCryptfs didn't call it at all. It allowed the lower filesystem to make
the call in its -&gt;setattr() function. Then, eCryptfs would copy the
appropriate inode attributes from the lower inode to the eCryptfs inode.

This patch changes that and actually calls inode_change_ok() on the
eCryptfs inode, fairly early in ecryptfs_setattr(). Ideally, the call
would happen earlier in ecryptfs_setattr(), but there are some possible
inode initialization steps that must happen first.

Since the call was already being made on the lower inode, the change in
functionality should be minimal, except for the case of a file extending
truncate call. In that case, inode_newsize_ok() was never being
called on the eCryptfs inode. Rather than inode_newsize_ok() catching
maximum file size errors early on, eCryptfs would encrypt zeroed pages
and write them to the lower filesystem until the lower filesystem's
write path caught the error in generic_write_checks(). This patch
introduces a new function, called ecryptfs_inode_newsize_ok(), which
checks if the new lower file size is within the appropriate limits when
the truncate operation will be growing the lower file.

In summary this change prevents eCryptfs truncate operations (and the
resulting page encryptions), which would exceed the lower filesystem
limits or FSIZE rlimits, from ever starting.

Signed-off-by: Tyler Hicks &lt;tyhicks@canonical.com&gt;
Reviewed-by: Li Wang &lt;liwang@nudt.edu.cn&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
</entry>
<entry>
<title>eCryptfs: Make truncate path killable</title>
<updated>2012-02-03T17:21:23Z</updated>
<author>
<name>Tyler Hicks</name>
<email>tyhicks@canonical.com</email>
</author>
<published>2012-01-19T00:30:04Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=ccc10d459b66cedf2f3fa1a1c8432596085d3f56'/>
<id>urn:sha1:ccc10d459b66cedf2f3fa1a1c8432596085d3f56</id>
<content type='text'>
commit 5e6f0d769017cc49207ef56996e42363ec26c1f0 upstream.

ecryptfs_write() handles the truncation of eCryptfs inodes. It grabs a
page, zeroes out the appropriate portions, and then encrypts the page
before writing it to the lower filesystem. It was unkillable and due to
the lack of sparse file support could result in tying up a large portion
of system resources, while encrypting pages of zeros, with no way for
the truncate operation to be stopped from userspace.

This patch adds the ability for ecryptfs_write() to detect a pending
fatal signal and return as gracefully as possible. The intent is to
leave the lower file in a useable state, while still allowing a user to
break out of the encryption loop. If a pending fatal signal is detected,
the eCryptfs inode size is updated to reflect the modified inode size
and then -EINTR is returned.

Signed-off-by: Tyler Hicks &lt;tyhicks@canonical.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
</entry>
<entry>
<title>ecryptfs: Improve metadata read failure logging</title>
<updated>2012-02-03T17:21:23Z</updated>
<author>
<name>Tim Gardner</name>
<email>tim.gardner@canonical.com</email>
</author>
<published>2012-01-12T15:31:55Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=75d26d309c717c8598762773668be149296cf470'/>
<id>urn:sha1:75d26d309c717c8598762773668be149296cf470</id>
<content type='text'>
commit 30373dc0c87ffef68d5628e77d56ffb1fa22e1ee upstream.

Print inode on metadata read failure. The only real
way of dealing with metadata read failures is to delete
the underlying file system file. Having the inode
allows one to 'find . -inum INODE`.

[tyhicks@canonical.com: Removed some minor not-for-stable parts]
Signed-off-by: Tim Gardner &lt;tim.gardner@canonical.com&gt;
Reviewed-by: Kees Cook &lt;keescook@chromium.org&gt;
Signed-off-by: Tyler Hicks &lt;tyhicks@canonical.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
</entry>
<entry>
<title>eCryptfs: Sanitize write counts of /dev/ecryptfs</title>
<updated>2012-02-03T17:21:22Z</updated>
<author>
<name>Tyler Hicks</name>
<email>tyhicks@canonical.com</email>
</author>
<published>2012-01-12T10:30:44Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=2f46e90c60464cdc61c73c39efc3ff7792f670e1'/>
<id>urn:sha1:2f46e90c60464cdc61c73c39efc3ff7792f670e1</id>
<content type='text'>
commit db10e556518eb9d21ee92ff944530d84349684f4 upstream.

A malicious count value specified when writing to /dev/ecryptfs may
result in a a very large kernel memory allocation.

This patch peeks at the specified packet payload size, adds that to the
size of the packet headers and compares the result with the write count
value. The resulting maximum memory allocation size is approximately 532
bytes.

Signed-off-by: Tyler Hicks &lt;tyhicks@canonical.com&gt;
Reported-by: Sasha Levin &lt;levinsasha928@gmail.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
</entry>
<entry>
<title>eCryptfs: Extend array bounds for all filename chars</title>
<updated>2011-11-23T21:43:53Z</updated>
<author>
<name>Tyler Hicks</name>
<email>tyhicks@canonical.com</email>
</author>
<published>2011-11-23T17:31:24Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=0f751e641a71157aa584c2a2e22fda52b52b8a56'/>
<id>urn:sha1:0f751e641a71157aa584c2a2e22fda52b52b8a56</id>
<content type='text'>
From mhalcrow's original commit message:

    Characters with ASCII values greater than the size of
    filename_rev_map[] are valid filename characters.
    ecryptfs_decode_from_filename() will access kernel memory beyond
    that array, and ecryptfs_parse_tag_70_packet() will then decrypt
    those characters. The attacker, using the FNEK of the crafted file,
    can then re-encrypt the characters to reveal the kernel memory past
    the end of the filename_rev_map[] array. I expect low security
    impact since this array is statically allocated in the text area,
    and the amount of memory past the array that is accessible is
    limited by the largest possible ASCII filename character.

This patch solves the issue reported by mhalcrow but with an
implementation suggested by Linus to simply extend the length of
filename_rev_map[] to 256. Characters greater than 0x7A are mapped to
0x00, which is how invalid characters less than 0x7A were previously
being handled.

Signed-off-by: Tyler Hicks &lt;tyhicks@canonical.com&gt;
Reported-by: Michael Halcrow &lt;mhalcrow@google.com&gt;
Cc: stable@kernel.org
</content>
</entry>
<entry>
<title>eCryptfs: Flush file in vma close</title>
<updated>2011-11-23T21:40:09Z</updated>
<author>
<name>Tyler Hicks</name>
<email>tyhicks@canonical.com</email>
</author>
<published>2011-11-21T23:31:29Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=32001d6fe9ac6b0423e674a3093aa56740849f3b'/>
<id>urn:sha1:32001d6fe9ac6b0423e674a3093aa56740849f3b</id>
<content type='text'>
Dirty pages weren't being written back when an mmap'ed eCryptfs file was
closed before the mapping was unmapped. Since f_ops-&gt;flush() is not
called by the munmap() path, the lower file was simply being released.
This patch flushes the eCryptfs file in the vm_ops-&gt;close() path.

https://launchpad.net/bugs/870326

Signed-off-by: Tyler Hicks &lt;tyhicks@canonical.com&gt;
Cc: stable@kernel.org [2.6.39+]
</content>
</entry>
<entry>
<title>eCryptfs: Prevent file create race condition</title>
<updated>2011-11-23T21:39:38Z</updated>
<author>
<name>Tyler Hicks</name>
<email>tyhicks@canonical.com</email>
</author>
<published>2011-11-21T23:31:02Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=b59db43ad4434519feb338eacb01d77eb50825c5'/>
<id>urn:sha1:b59db43ad4434519feb338eacb01d77eb50825c5</id>
<content type='text'>
The file creation path prematurely called d_instantiate() and
unlock_new_inode() before the eCryptfs inode info was fully
allocated and initialized and before the eCryptfs metadata was written
to the lower file.

This could result in race conditions in subsequent file and inode
operations leading to unexpected error conditions or a null pointer
dereference while attempting to use the unallocated memory.

https://launchpad.net/bugs/813146

Signed-off-by: Tyler Hicks &lt;tyhicks@canonical.com&gt;
Cc: stable@kernel.org
</content>
</entry>
<entry>
<title>filesystems: add set_nlink()</title>
<updated>2011-11-02T11:53:43Z</updated>
<author>
<name>Miklos Szeredi</name>
<email>mszeredi@suse.cz</email>
</author>
<published>2011-10-28T12:13:29Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=bfe8684869601dacfcb2cd69ef8cfd9045f62170'/>
<id>urn:sha1:bfe8684869601dacfcb2cd69ef8cfd9045f62170</id>
<content type='text'>
Replace remaining direct i_nlink updates with a new set_nlink()
updater function.

Signed-off-by: Miklos Szeredi &lt;mszeredi@suse.cz&gt;
Tested-by: Toshiyuki Okajima &lt;toshi.okajima@jp.fujitsu.com&gt;
Signed-off-by: Christoph Hellwig &lt;hch@lst.de&gt;
</content>
</entry>
<entry>
<title>treewide: use __printf not __attribute__((format(printf,...)))</title>
<updated>2011-11-01T00:30:54Z</updated>
<author>
<name>Joe Perches</name>
<email>joe@perches.com</email>
</author>
<published>2011-11-01T00:11:33Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=b9075fa968a0a4347aef35e235e2995c0e57dddd'/>
<id>urn:sha1:b9075fa968a0a4347aef35e235e2995c0e57dddd</id>
<content type='text'>
Standardize the style for compiler based printf format verification.
Standardized the location of __printf too.

Done via script and a little typing.

$ grep -rPl --include=*.[ch] -w "__attribute__" * | \
  grep -vP "^(tools|scripts|include/linux/compiler-gcc.h)" | \
  xargs perl -n -i -e 'local $/; while (&lt;&gt;) { s/\b__attribute__\s*\(\s*\(\s*format\s*\(\s*printf\s*,\s*(.+)\s*,\s*(.+)\s*\)\s*\)\s*\)/__printf($1, $2)/g ; print; }'

[akpm@linux-foundation.org: revert arch bits]
Signed-off-by: Joe Perches &lt;joe@perches.com&gt;
Cc: "Kirill A. Shutemov" &lt;kirill@shutemov.name&gt;
Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
</content>
</entry>
</feed>
