ecryptfs: Bugfix for error related to ecryptfs_hash_buckets

The function ecryptfs_uid_hash wrongly assumes that the
second parameter to hash_long() is the number of hash
buckets instead of the number of hash bits.
This patch fixes that and renames the variable
ecryptfs_hash_buckets to ecryptfs_hash_bits to make it
clearer.

Fixes: CVE-2010-2492
Signed-off-by: Andre Osterhues <aosterhues@escrypt.com>
Signed-off-by: Tyler Hicks <tyhicks@linux.vnet.ibm.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

diff --git a/fs/ecryptfs/messaging.c b/fs/ecryptfs/messaging.c
index 2d8dbce9d485e4a453903eb1f93473c5942155cc..46c4dd8dfcc3749acc04a03377c6740e280c519c 100644 (file)
--- a/fs/ecryptfs/messaging.c
+++ b/fs/ecryptfs/messaging.c
@@ -31,9 +31,9 @@ static struct mutex ecryptfs_msg_ctx_lists_mux;
 
 static struct hlist_head *ecryptfs_daemon_hash;
 struct mutex ecryptfs_daemon_hash_mux;
-static int ecryptfs_hash_buckets;
+static int ecryptfs_hash_bits;
 #define ecryptfs_uid_hash(uid) \
-        hash_long((unsigned long)uid, ecryptfs_hash_buckets)
+        hash_long((unsigned long)uid, ecryptfs_hash_bits)
 
 static u32 ecryptfs_msg_counter;
 static struct ecryptfs_msg_ctx *ecryptfs_msg_ctx_arr;
@@ -486,18 +486,19 @@ int ecryptfs_init_messaging(void)
        }
        mutex_init(&ecryptfs_daemon_hash_mux);
        mutex_lock(&ecryptfs_daemon_hash_mux);
-       ecryptfs_hash_buckets = 1;
-       while (ecryptfs_number_of_users >> ecryptfs_hash_buckets)
-               ecryptfs_hash_buckets++;
+       ecryptfs_hash_bits = 1;
+       while (ecryptfs_number_of_users >> ecryptfs_hash_bits)
+               ecryptfs_hash_bits++;
        ecryptfs_daemon_hash = kmalloc((sizeof(struct hlist_head)
-                                       * ecryptfs_hash_buckets), GFP_KERNEL);
+                                       * (1 << ecryptfs_hash_bits)),
+                                      GFP_KERNEL);
        if (!ecryptfs_daemon_hash) {
                rc = -ENOMEM;
                printk(KERN_ERR "%s: Failed to allocate memory\n", __func__);
                mutex_unlock(&ecryptfs_daemon_hash_mux);
                goto out;
        }
-       for (i = 0; i < ecryptfs_hash_buckets; i++)
+       for (i = 0; i < (1 << ecryptfs_hash_bits); i++)
                INIT_HLIST_HEAD(&ecryptfs_daemon_hash[i]);
        mutex_unlock(&ecryptfs_daemon_hash_mux);
        ecryptfs_msg_ctx_arr = kmalloc((sizeof(struct ecryptfs_msg_ctx)
@@ -554,7 +555,7 @@ void ecryptfs_release_messaging(void)
                int i;
 
                mutex_lock(&ecryptfs_daemon_hash_mux);
-               for (i = 0; i < ecryptfs_hash_buckets; i++) {
+               for (i = 0; i < (1 << ecryptfs_hash_bits); i++) {
                        int rc;
 
                        hlist_for_each_entry(daemon, elem,