From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Eric Biggers <ebiggers@google.com>,
David Howells <dhowells@redhat.com>,
James Morris <james.l.morris@oracle.com>
Subject: [PATCH 4.13 06/36] KEYS: fix out-of-bounds read during ASN.1 parsing
Date: Mon, 6 Nov 2017 10:12:19 +0100 [thread overview]
Message-ID: <20171106085047.274517448@linuxfoundation.org> (raw)
In-Reply-To: <20171106085047.005824077@linuxfoundation.org>
4.13-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers <ebiggers@google.com>
commit 2eb9eabf1e868fda15808954fb29b0f105ed65f1 upstream.
syzkaller with KASAN reported an out-of-bounds read in
asn1_ber_decoder(). It can be reproduced by the following command,
assuming CONFIG_X509_CERTIFICATE_PARSER=y and CONFIG_KASAN=y:
keyctl add asymmetric desc $'\x30\x30' @s
The bug is that the length of an ASN.1 data value isn't validated in the
case where it is encoded using the short form, causing the decoder to
read past the end of the input buffer. Fix it by validating the length.
The bug report was:
BUG: KASAN: slab-out-of-bounds in asn1_ber_decoder+0x10cb/0x1730 lib/asn1_decoder.c:233
Read of size 1 at addr ffff88003cccfa02 by task syz-executor0/6818
CPU: 1 PID: 6818 Comm: syz-executor0 Not tainted 4.14.0-rc7-00008-g5f479447d983 #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:16 [inline]
dump_stack+0xb3/0x10b lib/dump_stack.c:52
print_address_description+0x79/0x2a0 mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report+0x236/0x340 mm/kasan/report.c:409
__asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:427
asn1_ber_decoder+0x10cb/0x1730 lib/asn1_decoder.c:233
x509_cert_parse+0x1db/0x650 crypto/asymmetric_keys/x509_cert_parser.c:89
x509_key_preparse+0x64/0x7a0 crypto/asymmetric_keys/x509_public_key.c:174
asymmetric_key_preparse+0xcb/0x1a0 crypto/asymmetric_keys/asymmetric_type.c:388
key_create_or_update+0x347/0xb20 security/keys/key.c:855
SYSC_add_key security/keys/keyctl.c:122 [inline]
SyS_add_key+0x1cd/0x340 security/keys/keyctl.c:62
entry_SYSCALL_64_fastpath+0x1f/0xbe
RIP: 0033:0x447c89
RSP: 002b:00007fca7a5d3bd8 EFLAGS: 00000246 ORIG_RAX: 00000000000000f8
RAX: ffffffffffffffda RBX: 00007fca7a5d46cc RCX: 0000000000447c89
RDX: 0000000020006f4a RSI: 0000000020006000 RDI: 0000000020001ff5
RBP: 0000000000000046 R08: fffffffffffffffd R09: 0000000000000000
R10: 0000000000000002 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007fca7a5d49c0 R15: 00007fca7a5d4700
Fixes: 42d5ec27f873 ("X.509: Add an ASN.1 decoder")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
lib/asn1_decoder.c | 3 +++
1 file changed, 3 insertions(+)
--- a/lib/asn1_decoder.c
+++ b/lib/asn1_decoder.c
@@ -284,6 +284,9 @@ next_op:
if (unlikely(len > datalen - dp))
goto data_overrun_error;
}
+ } else {
+ if (unlikely(len > datalen - dp))
+ goto data_overrun_error;
}
if (flags & FLAG_CONS) {
next prev parent reply other threads:[~2017-11-06 9:12 UTC|newest]
Thread overview: 40+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-11-06 9:12 [PATCH 4.13 00/36] 4.13.12-stable review Greg Kroah-Hartman
2017-11-06 9:12 ` [PATCH 4.13 01/36] ALSA: timer: Add missing mutex lock for compat ioctls Greg Kroah-Hartman
2017-11-06 9:12 ` [PATCH 4.13 02/36] ALSA: seq: Fix nested rwsem annotation for lockdep splat Greg Kroah-Hartman
2017-11-06 9:12 ` [PATCH 4.13 03/36] cifs: check MaxPathNameComponentLength != 0 before using it Greg Kroah-Hartman
2017-11-06 9:12 ` [PATCH 4.13 04/36] KEYS: return full count in keyring_read() if buffer is too small Greg Kroah-Hartman
2017-11-06 9:12 ` [PATCH 4.13 05/36] KEYS: trusted: fix writing past end of buffer in trusted_read() Greg Kroah-Hartman
2017-11-06 9:12 ` Greg Kroah-Hartman [this message]
2017-11-06 9:12 ` [PATCH 4.13 07/36] ASoC: adau17x1: Workaround for noise bug in ADC Greg Kroah-Hartman
2017-11-06 9:12 ` [PATCH 4.13 08/36] virtio_blk: Fix an SG_IO regression Greg Kroah-Hartman
2017-11-06 9:12 ` [PATCH 4.13 09/36] PM / QoS: Fix device resume latency PM QoS Greg Kroah-Hartman
2017-11-07 0:51 ` Rafael J. Wysocki
2017-11-07 10:32 ` Greg Kroah-Hartman
2017-11-06 9:12 ` [PATCH 4.13 10/36] PM / QoS: Fix default runtime_pm device resume latency Greg Kroah-Hartman
2017-11-07 0:51 ` Rafael J. Wysocki
2017-11-06 9:12 ` [PATCH 4.13 11/36] arm64: ensure __dump_instr() checks addr_limit Greg Kroah-Hartman
2017-11-06 9:12 ` [PATCH 4.13 12/36] KVM: arm64: its: Fix missing dynamic allocation check in scan_its_table Greg Kroah-Hartman
2017-11-06 9:12 ` [PATCH 4.13 13/36] arm/arm64: KVM: set right LR register value for 32 bit guest when inject abort Greg Kroah-Hartman
2017-11-06 9:12 ` [PATCH 4.13 14/36] arm/arm64: kvm: Disable branch profiling in HYP code Greg Kroah-Hartman
2017-11-06 9:12 ` [PATCH 4.13 15/36] ARM: dts: mvebu: pl310-cache disable double-linefill Greg Kroah-Hartman
2017-11-06 9:12 ` [PATCH 4.13 16/36] ARM: 8715/1: add a private asm/unaligned.h Greg Kroah-Hartman
2017-11-06 9:12 ` [PATCH 4.13 17/36] drm/amdgpu: return -ENOENT from uvd 6.0 early init for harvesting Greg Kroah-Hartman
2017-11-06 9:12 ` [PATCH 4.13 18/36] drm/amdgpu: allow harvesting check for Polaris VCE Greg Kroah-Hartman
2017-11-06 9:12 ` [PATCH 4.13 19/36] userfaultfd: hugetlbfs: prevent UFFDIO_COPY to fill beyond the end of i_size Greg Kroah-Hartman
2017-11-06 9:12 ` [PATCH 4.13 20/36] ocfs2: fstrim: Fix start offset of first cluster group during fstrim Greg Kroah-Hartman
2017-11-06 9:12 ` [PATCH 4.13 21/36] fs/hugetlbfs/inode.c: fix hwpoison reserve accounting Greg Kroah-Hartman
2017-11-06 9:12 ` [PATCH 4.13 22/36] mm, swap: fix race between swap count continuation operations Greg Kroah-Hartman
2017-11-06 9:12 ` [PATCH 4.13 25/36] Revert "powerpc64/elfv1: Only dereference function descriptor for non-text symbols" Greg Kroah-Hartman
2017-11-06 9:12 ` [PATCH 4.13 26/36] MIPS: bpf: Fix a typo in build_one_insn() Greg Kroah-Hartman
2017-11-06 9:12 ` [PATCH 4.13 28/36] MIPS: microMIPS: Fix incorrect mask in insn_table_MM Greg Kroah-Hartman
2017-11-06 9:12 ` [PATCH 4.13 29/36] MIPS: SMP: Fix deadlock & online race Greg Kroah-Hartman
2017-11-06 9:12 ` [PATCH 4.13 30/36] Revert "x86: do not use cpufreq_quick_get() for /proc/cpuinfo "cpu MHz"" Greg Kroah-Hartman
2017-11-06 9:12 ` [PATCH 4.13 31/36] x86: CPU: Fix up "cpu MHz" in /proc/cpuinfo Greg Kroah-Hartman
2017-11-06 9:12 ` [PATCH 4.13 32/36] powerpc/kprobes: Dereference function pointers only if the address does not belong to kernel text Greg Kroah-Hartman
2017-11-06 9:12 ` [PATCH 4.13 33/36] futex: Fix more put_pi_state() vs. exit_pi_state_list() races Greg Kroah-Hartman
2017-11-06 9:12 ` [PATCH 4.13 34/36] perf/cgroup: Fix perf cgroup hierarchy support Greg Kroah-Hartman
2017-11-06 9:12 ` [PATCH 4.13 35/36] x86/mcelog: Get rid of RCU remnants Greg Kroah-Hartman
2017-11-06 9:12 ` [PATCH 4.13 36/36] irqchip/irq-mvebu-gicp: Add missing spin_lock init Greg Kroah-Hartman
2017-11-06 21:18 ` [PATCH 4.13 00/36] 4.13.12-stable review Guenter Roeck
2017-11-06 23:27 ` Shuah Khan
2017-11-07 10:33 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171106085047.274517448@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=dhowells@redhat.com \
--cc=ebiggers@google.com \
--cc=james.l.morris@oracle.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).