* Patch "ASN.1: check for error from ASN1_OP_END__ACT actions" has been added to the 4.4-stable tree
@ 2017-12-11 22:17 gregkh
0 siblings, 0 replies; only message in thread
From: gregkh @ 2017-12-11 22:17 UTC (permalink / raw)
To: ebiggers, dhowells, gregkh, james.l.morris; +Cc: stable, stable-commits
This is a note to let you know that I've just added the patch titled
ASN.1: check for error from ASN1_OP_END__ACT actions
to the 4.4-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
asn.1-check-for-error-from-asn1_op_end__act-actions.patch
and it can be found in the queue-4.4 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.
>From 81a7be2cd69b412ab6aeacfe5ebf1bb6e5bce955 Mon Sep 17 00:00:00 2001
From: Eric Biggers <ebiggers@google.com>
Date: Fri, 8 Dec 2017 15:13:27 +0000
Subject: ASN.1: check for error from ASN1_OP_END__ACT actions
From: Eric Biggers <ebiggers@google.com>
commit 81a7be2cd69b412ab6aeacfe5ebf1bb6e5bce955 upstream.
asn1_ber_decoder() was ignoring errors from actions associated with the
opcodes ASN1_OP_END_SEQ_ACT, ASN1_OP_END_SET_ACT,
ASN1_OP_END_SEQ_OF_ACT, and ASN1_OP_END_SET_OF_ACT. In practice, this
meant the pkcs7_note_signed_info() action (since that was the only user
of those opcodes). Fix it by checking for the error, just like the
decoder does for actions associated with the other opcodes.
This bug allowed users to leak slab memory by repeatedly trying to add a
specially crafted "pkcs7_test" key (requires CONFIG_PKCS7_TEST_KEY).
In theory, this bug could also be used to bypass module signature
verification, by providing a PKCS#7 message that is misparsed such that
a signature's ->authattrs do not contain its ->msgdigest. But it
doesn't seem practical in normal cases, due to restrictions on the
format of the ->authattrs.
Fixes: 42d5ec27f873 ("X.509: Add an ASN.1 decoder")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
lib/asn1_decoder.c | 2 ++
1 file changed, 2 insertions(+)
--- a/lib/asn1_decoder.c
+++ b/lib/asn1_decoder.c
@@ -438,6 +438,8 @@ next_op:
else
act = machine[pc + 1];
ret = actions[act](context, hdr, 0, data + tdp, len);
+ if (ret < 0)
+ return ret;
}
pc += asn1_op_lengths[op];
goto next_op;
Patches currently in stable-queue which might be from ebiggers@google.com are
queue-4.4/x.509-reject-invalid-bit-string-for-subjectpublickey.patch
queue-4.4/asn.1-check-for-error-from-asn1_op_end__act-actions.patch
queue-4.4/asn.1-fix-out-of-bounds-read-when-parsing-indefinite-length-item.patch
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2017-12-11 22:18 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-12-11 22:17 Patch "ASN.1: check for error from ASN1_OP_END__ACT actions" has been added to the 4.4-stable tree gregkh
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).