From: Lukas Wunner <lukas@wunner.de>
To: Thorsten Blum <thorsten.blum@linux.dev>
Cc: David Howells <dhowells@redhat.com>,
Ignat Korchagin <ignat@cloudflare.com>,
Herbert Xu <herbert@gondor.apana.org.au>,
"David S. Miller" <davem@davemloft.net>,
keyrings@vger.kernel.org, linux-crypto@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH 1/2] crypto: asymmetric_keys - prevent overflow in asymmetric_key_generate_id
Date: Sun, 12 Oct 2025 09:38:44 +0200 [thread overview]
Message-ID: <aOtbBJtU2NixkYuE@wunner.de> (raw)
In-Reply-To: <20251007185220.234611-2-thorsten.blum@linux.dev>
On Tue, Oct 07, 2025 at 08:52:20PM +0200, Thorsten Blum wrote:
> +++ b/crypto/asymmetric_keys/asymmetric_type.c
> @@ -141,12 +142,13 @@ struct asymmetric_key_id *asymmetric_key_generate_id(const void *val_1,
> size_t len_2)
> {
> struct asymmetric_key_id *kid;
> + size_t len;
>
> - kid = kmalloc(sizeof(struct asymmetric_key_id) + len_1 + len_2,
> - GFP_KERNEL);
> + len = size_add(len_1, len_2);
> + kid = kmalloc(struct_size(kid, data, len), GFP_KERNEL);
> if (!kid)
> return ERR_PTR(-ENOMEM);
This should error out on overflow, rather than continuing with a
SIZE_MAX length. So how about using check_add_overflow() instead
of size_add() and returning -EOVERFLOW if that returns true?
asymmetric_key_generate_id() is invoked, among other things, with
the raw serial number from the X.509 certificate, which is an
ASN.1 INTEGER, which can be arbitrarily large. (You may want to
mention that in the commit message.) So checking for overflows
does seem to make sense to guard against maliciously crafted
certificates.
Thanks,
Lukas
prev parent reply other threads:[~2025-10-12 7:38 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-10-07 18:52 [PATCH 1/2] crypto: asymmetric_keys - prevent overflow in asymmetric_key_generate_id Thorsten Blum
2025-10-07 18:52 ` [PATCH 2/2] crypto: asymmetric_keys - simplify asymmetric_key_hex_to_key_id Thorsten Blum
2025-10-12 12:10 ` Lukas Wunner
2025-10-12 13:23 ` Thorsten Blum
2025-10-13 7:00 ` Lukas Wunner
2025-10-12 7:38 ` Lukas Wunner [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aOtbBJtU2NixkYuE@wunner.de \
--to=lukas@wunner.de \
--cc=davem@davemloft.net \
--cc=dhowells@redhat.com \
--cc=herbert@gondor.apana.org.au \
--cc=ignat@cloudflare.com \
--cc=keyrings@vger.kernel.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=thorsten.blum@linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox