[PATCH 3.18 19/28] KEYS: fix NULL pointer dereference during ASN.1 parsing [ver #2]

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, syzbot <syzkaller@googlegroups.com>,
	Eric Biggers <ebiggers@google.com>,
	David Howells <dhowells@redhat.com>,
	James Morris <james.l.morris@oracle.com>
Subject: [PATCH 3.18 19/28] KEYS: fix NULL pointer dereference during ASN.1 parsing [ver #2]
Date: Mon, 13 Nov 2017 13:55:13 +0100	[thread overview]
Message-ID: <20171113125402.551774341@linuxfoundation.org> (raw)
In-Reply-To: <20171113125400.803506921@linuxfoundation.org>

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Biggers <ebiggers@google.com>

commit 624f5ab8720b3371367327a822c267699c1823b8 upstream.

syzkaller reported a NULL pointer dereference in asn1_ber_decoder().  It
can be reproduced by the following command, assuming
CONFIG_PKCS7_TEST_KEY=y:

        keyctl add pkcs7_test desc '' @s

The bug is that if the data buffer is empty, an integer underflow occurs
in the following check:

        if (unlikely(dp >= datalen - 1))
                goto data_overrun_error;

This results in the NULL data pointer being dereferenced.

Fix it by checking for 'datalen - dp < 2' instead.

Also fix the similar check for 'dp >= datalen - n' later in the same
function.  That one possibly could result in a buffer overread.

The NULL pointer dereference was reproducible using the "pkcs7_test" key
type but not the "asymmetric" key type because the "asymmetric" key type
checks for a 0-length payload before calling into the ASN.1 decoder but
the "pkcs7_test" key type does not.

The bug report was:

    BUG: unable to handle kernel NULL pointer dereference at           (null)
    IP: asn1_ber_decoder+0x17f/0xe60 lib/asn1_decoder.c:233
    PGD 7b708067 P4D 7b708067 PUD 7b6ee067 PMD 0
    Oops: 0000 [#1] SMP
    Modules linked in:
    CPU: 0 PID: 522 Comm: syz-executor1 Not tainted 4.14.0-rc8 #7
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.3-20171021_125229-anatol 04/01/2014
    task: ffff9b6b3798c040 task.stack: ffff9b6b37970000
    RIP: 0010:asn1_ber_decoder+0x17f/0xe60 lib/asn1_decoder.c:233
    RSP: 0018:ffff9b6b37973c78 EFLAGS: 00010216
    RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000000000021c
    RDX: ffffffff814a04ed RSI: ffffb1524066e000 RDI: ffffffff910759e0
    RBP: ffff9b6b37973d60 R08: 0000000000000001 R09: ffff9b6b3caa4180
    R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000002
    R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
    FS:  00007f10ed1f2700(0000) GS:ffff9b6b3ea00000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 0000000000000000 CR3: 000000007b6f3000 CR4: 00000000000006f0
    Call Trace:
     pkcs7_parse_message+0xee/0x240 crypto/asymmetric_keys/pkcs7_parser.c:139
     verify_pkcs7_signature+0x33/0x180 certs/system_keyring.c:216
     pkcs7_preparse+0x41/0x70 crypto/asymmetric_keys/pkcs7_key_type.c:63
     key_create_or_update+0x180/0x530 security/keys/key.c:855
     SYSC_add_key security/keys/keyctl.c:122 [inline]
     SyS_add_key+0xbf/0x250 security/keys/keyctl.c:62
     entry_SYSCALL_64_fastpath+0x1f/0xbe
    RIP: 0033:0x4585c9
    RSP: 002b:00007f10ed1f1bd8 EFLAGS: 00000216 ORIG_RAX: 00000000000000f8
    RAX: ffffffffffffffda RBX: 00007f10ed1f2700 RCX: 00000000004585c9
    RDX: 0000000020000000 RSI: 0000000020008ffb RDI: 0000000020008000
    RBP: 0000000000000000 R08: ffffffffffffffff R09: 0000000000000000
    R10: 0000000000000000 R11: 0000000000000216 R12: 00007fff1b2260ae
    R13: 00007fff1b2260af R14: 00007f10ed1f2700 R15: 0000000000000000
    Code: dd ca ff 48 8b 45 88 48 83 e8 01 4c 39 f0 0f 86 a8 07 00 00 e8 53 dd ca ff 49 8d 46 01 48 89 85 58 ff ff ff 48 8b 85 60 ff ff ff <42> 0f b6 0c 30 89 c8 88 8d 75 ff ff ff 83 e0 1f 89 8d 28 ff ff
    RIP: asn1_ber_decoder+0x17f/0xe60 lib/asn1_decoder.c:233 RSP: ffff9b6b37973c78
    CR2: 0000000000000000

Fixes: 42d5ec27f873 ("X.509: Add an ASN.1 decoder")
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 lib/asn1_decoder.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/lib/asn1_decoder.c
+++ b/lib/asn1_decoder.c
@@ -220,7 +220,7 @@ next_op:
 		hdr = 2;
 
 		/* Extract a tag from the data */
-		if (unlikely(dp >= datalen - 1))
+		if (unlikely(datalen - dp < 2))
 			goto data_overrun_error;
 		tag = data[dp++];
 		if (unlikely((tag & 0x1f) == ASN1_LONG_TAG))
@@ -266,7 +266,7 @@ next_op:
 				int n = len - 0x80;
 				if (unlikely(n > 2))
 					goto length_too_long;
-				if (unlikely(dp >= datalen - n))
+				if (unlikely(n > datalen - dp))
 					goto data_overrun_error;
 				hdr += n;
 				for (len = 0; n > 0; n--) {

next prev parent reply	other threads:[~2017-11-13 12:56 UTC|newest]

Thread overview: 30+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-11-13 12:54 [PATCH 3.18 00/28] 3.18.81-stable review Greg Kroah-Hartman
2017-11-13 12:54 ` [PATCH 3.18 01/28] video: fbdev: pmag-ba-fb: Remove bad `__init annotation Greg Kroah-Hartman
2017-11-13 12:54 ` [PATCH 3.18 02/28] xen/netback: set default upper limit of tx/rx queues to 8 Greg Kroah-Hartman
2017-11-13 12:54 ` [PATCH 3.18 03/28] ARM: dts: imx53-qsb-common: fix FEC pinmux config Greg Kroah-Hartman
2017-11-16  4:08   ` Patrick Brünn
2017-11-13 12:54 ` [PATCH 3.18 05/28] ARM: omap2plus_defconfig: Fix probe errors on UARTs 5 and 6 Greg Kroah-Hartman
2017-11-13 12:55 ` [PATCH 3.18 06/28] iio: trigger: free trigger resource correctly Greg Kroah-Hartman
2017-11-13 12:55 ` [PATCH 3.18 07/28] dt-bindings: Add LEGO MINDSTORMS EV3 compatible specification Greg Kroah-Hartman
2017-11-13 12:55 ` [PATCH 3.18 08/28] dt-bindings: Add vendor prefix for LEGO Greg Kroah-Hartman
2017-11-13 12:55 ` [PATCH 3.18 10/28] serial: sh-sci: Fix register offsets for the IRDA serial port Greg Kroah-Hartman
2017-11-13 12:55 ` [PATCH 3.18 11/28] usb: hcd: initialize hcd->flags to 0 when rm hcd Greg Kroah-Hartman
2017-11-13 12:55 ` [PATCH 3.18 12/28] IPsec: do not ignore crypto err in ah4 input Greg Kroah-Hartman
2017-11-13 12:55 ` [PATCH 3.18 13/28] Input: mpr121 - handle multiple bits change of status register Greg Kroah-Hartman
2017-11-13 12:55 ` [PATCH 3.18 14/28] Input: mpr121 - set missing event capability Greg Kroah-Hartman
2017-11-13 12:55 ` [PATCH 3.18 15/28] IB/ipoib: Change list_del to list_del_init in the tx object Greg Kroah-Hartman
2017-11-13 12:55 ` [PATCH 3.18 16/28] KEYS: trusted: sanitize all key material Greg Kroah-Hartman
2017-11-13 12:55 ` [PATCH 3.18 17/28] KEYS: trusted: fix writing past end of buffer in trusted_read() Greg Kroah-Hartman
2017-11-13 12:55 ` [PATCH 3.18 18/28] crypto: x86/sha1-mb - fix panic due to unaligned access Greg Kroah-Hartman
2017-11-13 12:55 ` Greg Kroah-Hartman [this message]
2017-11-13 12:55 ` [PATCH 3.18 20/28] ARM: 8720/1: ensure dump_instr() checks addr_limit Greg Kroah-Hartman
2017-11-13 12:55 ` [PATCH 3.18 21/28] ALSA: seq: Fix OSS sysex delivery in OSS emulation Greg Kroah-Hartman
2017-11-13 12:55 ` [PATCH 3.18 22/28] ALSA: seq: Avoid invalid lockdep class warning Greg Kroah-Hartman
2017-11-13 12:55 ` [PATCH 3.18 23/28] MIPS: microMIPS: Fix incorrect mask in insn_table_MM Greg Kroah-Hartman
2017-11-13 12:55 ` [PATCH 3.18 24/28] MIPS: Fix CM region target definitions Greg Kroah-Hartman
2017-11-13 12:55 ` [PATCH 3.18 25/28] MIPS: AR7: Ensure that serial ports are properly set up Greg Kroah-Hartman
2017-11-13 12:55 ` [PATCH 3.18 26/28] rbd: use GFP_NOIO for parent stat and data requests Greg Kroah-Hartman
2017-11-13 12:55 ` [PATCH 3.18 28/28] x86/oprofile/ppro: Do not use __this_cpu*() in preemptible context Greg Kroah-Hartman
2017-11-13 21:50 ` [PATCH 3.18 00/28] 3.18.81-stable review Shuah Khan
2017-11-14  7:43   ` Greg Kroah-Hartman
2017-11-13 22:27 ` Guenter Roeck

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20171113125402.551774341@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=dhowells@redhat.com \
    --cc=ebiggers@google.com \
    --cc=james.l.morris@oracle.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=stable@vger.kernel.org \
    --cc=syzkaller@googlegroups.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.