From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Eric Biggers <ebiggers@google.com>,
David Howells <dhowells@redhat.com>,
James Morris <james.l.morris@oracle.com>
Subject: [PATCH 4.4 05/40] KEYS: fix out-of-bounds read during ASN.1 parsing
Date: Mon, 6 Nov 2017 10:44:40 +0100 [thread overview]
Message-ID: <20171106094501.560928471@linuxfoundation.org> (raw)
In-Reply-To: <20171106094501.346859822@linuxfoundation.org>
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers <ebiggers@google.com>
commit 2eb9eabf1e868fda15808954fb29b0f105ed65f1 upstream.
syzkaller with KASAN reported an out-of-bounds read in
asn1_ber_decoder(). It can be reproduced by the following command,
assuming CONFIG_X509_CERTIFICATE_PARSER=y and CONFIG_KASAN=y:
keyctl add asymmetric desc $'\x30\x30' @s
The bug is that the length of an ASN.1 data value isn't validated in the
case where it is encoded using the short form, causing the decoder to
read past the end of the input buffer. Fix it by validating the length.
The bug report was:
BUG: KASAN: slab-out-of-bounds in asn1_ber_decoder+0x10cb/0x1730 lib/asn1_decoder.c:233
Read of size 1 at addr ffff88003cccfa02 by task syz-executor0/6818
CPU: 1 PID: 6818 Comm: syz-executor0 Not tainted 4.14.0-rc7-00008-g5f479447d983 #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:16 [inline]
dump_stack+0xb3/0x10b lib/dump_stack.c:52
print_address_description+0x79/0x2a0 mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report+0x236/0x340 mm/kasan/report.c:409
__asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:427
asn1_ber_decoder+0x10cb/0x1730 lib/asn1_decoder.c:233
x509_cert_parse+0x1db/0x650 crypto/asymmetric_keys/x509_cert_parser.c:89
x509_key_preparse+0x64/0x7a0 crypto/asymmetric_keys/x509_public_key.c:174
asymmetric_key_preparse+0xcb/0x1a0 crypto/asymmetric_keys/asymmetric_type.c:388
key_create_or_update+0x347/0xb20 security/keys/key.c:855
SYSC_add_key security/keys/keyctl.c:122 [inline]
SyS_add_key+0x1cd/0x340 security/keys/keyctl.c:62
entry_SYSCALL_64_fastpath+0x1f/0xbe
RIP: 0033:0x447c89
RSP: 002b:00007fca7a5d3bd8 EFLAGS: 00000246 ORIG_RAX: 00000000000000f8
RAX: ffffffffffffffda RBX: 00007fca7a5d46cc RCX: 0000000000447c89
RDX: 0000000020006f4a RSI: 0000000020006000 RDI: 0000000020001ff5
RBP: 0000000000000046 R08: fffffffffffffffd R09: 0000000000000000
R10: 0000000000000002 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007fca7a5d49c0 R15: 00007fca7a5d4700
Fixes: 42d5ec27f873 ("X.509: Add an ASN.1 decoder")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
lib/asn1_decoder.c | 3 +++
1 file changed, 3 insertions(+)
--- a/lib/asn1_decoder.c
+++ b/lib/asn1_decoder.c
@@ -283,6 +283,9 @@ next_op:
if (unlikely(len > datalen - dp))
goto data_overrun_error;
}
+ } else {
+ if (unlikely(len > datalen - dp))
+ goto data_overrun_error;
}
if (flags & FLAG_CONS) {
next prev parent reply other threads:[~2017-11-06 9:49 UTC|newest]
Thread overview: 56+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-11-06 9:44 [PATCH 4.4 00/40] 4.4.97-stable review Greg Kroah-Hartman
2017-11-06 9:44 ` [PATCH 4.4 01/40] ALSA: timer: Add missing mutex lock for compat ioctls Greg Kroah-Hartman
2017-11-06 9:44 ` [PATCH 4.4 02/40] ALSA: seq: Fix nested rwsem annotation for lockdep splat Greg Kroah-Hartman
2017-11-06 9:44 ` [PATCH 4.4 03/40] cifs: check MaxPathNameComponentLength != 0 before using it Greg Kroah-Hartman
2017-11-06 9:44 ` [PATCH 4.4 04/40] KEYS: return full count in keyring_read() if buffer is too small Greg Kroah-Hartman
2017-11-06 9:44 ` Greg Kroah-Hartman [this message]
2017-11-06 9:44 ` [PATCH 4.4 06/40] ASoC: adau17x1: Workaround for noise bug in ADC Greg Kroah-Hartman
2017-11-06 9:44 ` [PATCH 4.4 07/40] arm64: ensure __dump_instr() checks addr_limit Greg Kroah-Hartman
2017-11-13 19:05 ` Ben Hutchings
2017-11-14 13:52 ` Catalin Marinas
2017-11-14 16:18 ` Mark Rutland
2017-11-19 10:29 ` Greg Kroah-Hartman
2017-11-20 11:26 ` Mark Rutland
2017-11-21 16:55 ` Greg Kroah-Hartman
2017-11-15 13:28 ` Ben Hutchings
2017-11-15 13:36 ` Ben Hutchings
2017-11-06 9:44 ` [PATCH 4.4 08/40] ARM: dts: mvebu: pl310-cache disable double-linefill Greg Kroah-Hartman
2017-11-07 23:06 ` Sebastian Gottschall
2017-11-08 8:44 ` Greg Kroah-Hartman
2017-11-06 9:44 ` [PATCH 4.4 09/40] ARM: 8715/1: add a private asm/unaligned.h Greg Kroah-Hartman
2017-11-06 9:44 ` [PATCH 4.4 10/40] ocfs2: fstrim: Fix start offset of first cluster group during fstrim Greg Kroah-Hartman
2017-11-06 9:44 ` [PATCH 4.4 11/40] perf tools: Fix build failure on perl script context Greg Kroah-Hartman
2017-11-06 9:44 ` [PATCH 4.4 12/40] drm/msm: Fix potential buffer overflow issue Greg Kroah-Hartman
2017-11-06 9:44 ` [PATCH 4.4 13/40] drm/msm: fix an integer overflow test Greg Kroah-Hartman
2017-11-06 9:44 ` [PATCH 4.4 14/40] tracing/samples: Fix creation and deletion of simple_thread_fn creation Greg Kroah-Hartman
2017-11-06 9:44 ` [PATCH 4.4 15/40] Fix tracing sample code warning Greg Kroah-Hartman
2017-11-06 9:44 ` [PATCH 4.4 16/40] PM / wakeirq: report a wakeup_event on dedicated wekup irq Greg Kroah-Hartman
2017-11-06 9:44 ` [PATCH 4.4 17/40] mmc: s3cmci: include linux/interrupt.h for tasklet_struct Greg Kroah-Hartman
2017-11-06 9:44 ` [PATCH 4.4 18/40] ARM: pxa: Dont rely on public mmc header to include leds.h Greg Kroah-Hartman
2017-11-06 9:44 ` [PATCH 4.4 19/40] mfd: ab8500-sysctrl: Handle probe deferral Greg Kroah-Hartman
2017-11-06 9:44 ` [PATCH 4.4 20/40] mfd: axp20x: Fix axp288 PEK_DBR and PEK_DBF irqs being swapped Greg Kroah-Hartman
2017-11-06 9:44 ` [PATCH 4.4 21/40] staging: rtl8712u: Fix endian settings for structs describing network packets Greg Kroah-Hartman
2017-11-06 9:44 ` [PATCH 4.4 22/40] ext4: fix stripe-unaligned allocations Greg Kroah-Hartman
2017-11-06 9:44 ` [PATCH 4.4 23/40] ext4: do not use stripe_width if it is not set Greg Kroah-Hartman
2017-11-06 9:44 ` [PATCH 4.4 24/40] i2c: riic: correctly finish transfers Greg Kroah-Hartman
2017-11-06 9:45 ` [PATCH 4.4 26/40] perf tools: Only increase index if perf_evsel__new_idx() succeeds Greg Kroah-Hartman
2017-11-06 9:45 ` [PATCH 4.4 27/40] cx231xx: Fix I2C on Internal Master 3 Bus Greg Kroah-Hartman
2017-11-06 9:45 ` [PATCH 4.4 28/40] drm/msm/dsi: Set msm_dsi->encoders before initializing bridge Greg Kroah-Hartman
2017-11-07 4:32 ` Archit Taneja
2017-11-07 10:35 ` Greg Kroah-Hartman
2017-11-06 9:45 ` [PATCH 4.4 29/40] xen/manage: correct return value check on xenbus_scanf() Greg Kroah-Hartman
2017-11-06 9:45 ` [PATCH 4.4 30/40] scsi: aacraid: Process Error for response I/O Greg Kroah-Hartman
2017-11-06 9:45 ` [PATCH 4.4 31/40] platform/x86: intel_mid_thermal: Fix module autoload Greg Kroah-Hartman
2017-11-06 9:45 ` [PATCH 4.4 32/40] staging: lustre: llite: dont invoke direct_IO for the EOF case Greg Kroah-Hartman
2017-11-06 9:45 ` [PATCH 4.4 33/40] staging: lustre: hsm: stack overrun in hai_dump_data_field Greg Kroah-Hartman
2017-11-06 9:45 ` [PATCH 4.4 34/40] staging: lustre: ptlrpc: skip lock if export failed Greg Kroah-Hartman
2017-11-06 9:45 ` [PATCH 4.4 35/40] exynos4-is: fimc-is: Unmap region obtained by of_iomap() Greg Kroah-Hartman
2017-11-06 9:45 ` [PATCH 4.4 36/40] mei: return error on notification request to a disconnected client Greg Kroah-Hartman
2017-11-06 9:45 ` [PATCH 4.4 37/40] s390/dasd: check for device error pointer within state change interrupts Greg Kroah-Hartman
2017-11-06 9:45 ` [PATCH 4.4 38/40] bt8xx: fix memory leak Greg Kroah-Hartman
2017-11-06 9:45 ` [PATCH 4.4 39/40] xen: dont print error message in case of missing Xenstore entry Greg Kroah-Hartman
2017-11-06 9:45 ` [PATCH 4.4 40/40] staging: r8712u: Fix Sparse warning in rtl871x_xmit.c Greg Kroah-Hartman
2017-11-06 21:17 ` [PATCH 4.4 00/40] 4.4.97-stable review Guenter Roeck
2017-11-06 23:26 ` Shuah Khan
2017-11-07 22:55 ` Tom Gall
2017-11-08 9:22 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171106094501.560928471@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=dhowells@redhat.com \
--cc=ebiggers@google.com \
--cc=james.l.morris@oracle.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).