From: sashiko-bot@kernel.org
To: alistair23@gmail.com
Cc: linux-pci@vger.kernel.org, ojeda@kernel.org
Subject: Re: [PATCH 04/18] X.509: Move certificate length retrieval into new helper
Date: Fri, 08 May 2026 03:39:17 +0000 [thread overview]
Message-ID: <20260508033917.B5873C2BCB0@smtp.kernel.org> (raw)
In-Reply-To: <20260508031710.514574-5-alistair.francis@wdc.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] The exported helper `x509_get_certificate_length()` uses a flawed logical condition (`&&` instead of `||`) that fails to properly validate ASN.1 headers, leading to parser differentials, incorrect length calculations, and functional failures.
--
commit 0f604cd0b6dd899bd029f10862a9b7010589e559
Author: Lukas Wunner <lukas@wunner.de>
X.509: Move certificate length retrieval into new helper
This commit extracts the certificate length parsing logic from
x509_load_certificate_list() into a newly exported helper,
x509_get_certificate_length(), to be reused by the upcoming in-kernel
SPDM library.
> diff --git a/crypto/asymmetric_keys/x509_loader.c b/crypto/asymmetric_keys/x509_loader.c
> index a417413269989..25ff027fad1d3 100644
> --- a/crypto/asymmetric_keys/x509_loader.c
> +++ b/crypto/asymmetric_keys/x509_loader.c
> @@ -4,28 +4,42 @@
> #include <linux/key.h>
> #include <keys/asymmetric-type.h>
>
> +ssize_t x509_get_certificate_length(const u8 *p, unsigned long buflen)
> +{
> + ssize_t plen;
> +
> + /* Each cert begins with an ASN.1 SEQUENCE tag and must be more
> + * than 256 bytes in size.
> + */
> + if (buflen < 4)
> + return -EINVAL;
> +
> + if (p[0] != 0x30 &&
> + p[1] != 0x82)
> + return -EINVAL;
Does this logical condition properly enforce the expected ASN.1 header?
If an untrusted device supplies a valid certificate smaller than 256 bytes
using a 1-byte length encoding (for example p[0] = 0x30, p[1] = 0x81), this
check evaluates to false because p[0] is equal to 0x30. This allows the
short certificate to bypass the check.
> +
> + plen = (p[2] << 8) | p[3];
> + plen += 4;
If a short certificate bypasses the check above, does this calculate an
incorrect length?
For a 1-byte length encoding, p[2] would be the actual length and p[3]
would be the first byte of the payload, resulting in a potentially very
large calculated length.
If this bogus length exceeds the buffer size, it would return an error and
cause functional failures. If the length is within the buffer size, could
it advance the offset incorrectly and cause parser desynchronization by
skipping over subsequent certificates or payload data?
> + if (plen > buflen)
> + return -EINVAL;
> +
> + return plen;
> +}
> +EXPORT_SYMBOL_GPL(x509_get_certificate_length);
[ ... ]
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260508031710.514574-1-alistair.francis@wdc.com?part=4
next prev parent reply other threads:[~2026-05-08 3:39 UTC|newest]
Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-08 3:16 [PATCH 00/18] lib: Rust implementation of SPDM alistair23
2026-05-08 3:16 ` [PATCH 01/18] rust: add untrusted data abstraction alistair23
2026-05-08 3:52 ` sashiko-bot
2026-05-08 5:17 ` Dirk Behme
2026-05-08 3:16 ` [PATCH 02/18] X.509: Make certificate parser public alistair23
2026-05-08 3:45 ` sashiko-bot
2026-05-08 3:16 ` [PATCH 03/18] X.509: Parse Subject Alternative Name in certificates alistair23
2026-05-08 3:16 ` [PATCH 04/18] X.509: Move certificate length retrieval into new helper alistair23
2026-05-08 3:39 ` sashiko-bot [this message]
2026-05-08 3:16 ` [PATCH 05/18] rust: add bindings for hash.h alistair23
2026-05-08 3:43 ` sashiko-bot
2026-05-08 3:16 ` [PATCH 06/18] rust: error: impl From<FromBytesWithNulError> for Kernel Error alistair23
2026-05-08 3:51 ` sashiko-bot
2026-05-08 3:16 ` [PATCH 07/18] lib: rspdm: Initial commit of Rust SPDM alistair23
2026-05-08 3:41 ` sashiko-bot
2026-05-08 3:17 ` [PATCH 08/18] PCI/TSM: Support connecting to PCIe CMA devices alistair23
2026-05-08 3:17 ` [PATCH 09/18] PCI/CMA: Add a PCI TSM CMA driver using SPDM alistair23
2026-05-08 5:02 ` sashiko-bot
2026-05-08 3:17 ` [PATCH 10/18] PCI/CMA: Validate Subject Alternative Name in certificates alistair23
2026-05-08 3:58 ` sashiko-bot
2026-05-08 3:17 ` [PATCH 11/18] lib: rspdm: Support SPDM get_version alistair23
2026-05-08 3:50 ` sashiko-bot
2026-05-08 3:17 ` [PATCH 12/18] lib: rspdm: Support SPDM get_capabilities alistair23
2026-05-08 4:05 ` sashiko-bot
2026-05-08 3:17 ` [PATCH 13/18] lib: rspdm: Support SPDM negotiate_algorithms alistair23
2026-05-08 4:05 ` sashiko-bot
2026-05-08 3:17 ` [PATCH 14/18] lib: rspdm: Support SPDM get_digests alistair23
2026-05-08 4:06 ` sashiko-bot
2026-05-08 3:17 ` [PATCH 15/18] lib: rspdm: Support SPDM get_certificate alistair23
2026-05-08 4:23 ` sashiko-bot
2026-05-08 3:17 ` [PATCH 16/18] lib: rspdm: Support SPDM certificate validation alistair23
2026-05-08 4:25 ` sashiko-bot
2026-05-08 3:17 ` [PATCH 17/18] rust: allow extracting the buffer from a CString alistair23
2026-05-08 3:17 ` [PATCH 18/18] lib: rspdm: Support SPDM challenge alistair23
2026-05-08 4:19 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260508033917.B5873C2BCB0@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=alistair23@gmail.com \
--cc=linux-pci@vger.kernel.org \
--cc=ojeda@kernel.org \
--cc=sashiko@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox