[linux] 01/01: KEYS: Fix ASN.1 indefinite length object parsing (CVE-2016-0758)

debian-kernel at lists.debian.org
Sat May 14 03:22:36 UTC 2016


This is an automated email from the git hooks/post-receive script.

carnil pushed a commit to branch sid
in repository linux.

commit de9a44e36f1d9f791f49491c348445527b00c4ff
Author: Salvatore Bonaccorso <carnil at debian.org>
Date:   Sat May 14 05:16:11 2016 +0200

    KEYS: Fix ASN.1 indefinite length object parsing (CVE-2016-0758)
---
 debian/changelog                                   |  3 +
 ...ix-ASN.1-indefinite-length-object-parsing.patch | 91 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 95 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 1689d45..de47552 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -92,6 +92,9 @@ linux (4.5.4-1) UNRELEASED; urgency=medium
   * netfilter: Enable NF_DUP_NETDEV / NFT_DUP_NETDEV / NFT_FWD_NETDEV
     as module, as recommended by Arturo Borrero Gonzalez. (Closes: #824162)
 
+  [ Salvatore Bonaccorso ]
+  * KEYS: Fix ASN.1 indefinite length object parsing (CVE-2016-0758)
+
  -- Aurelien Jarno <aurel32 at debian.org>  Tue, 10 May 2016 23:58:07 +0200
 
 linux (4.5.3-2) unstable; urgency=medium
diff --git a/debian/patches/bugfix/all/KEYS-Fix-ASN.1-indefinite-length-object-parsing.patch b/debian/patches/bugfix/all/KEYS-Fix-ASN.1-indefinite-length-object-parsing.patch
new file mode 100644
index 0000000..37b83dd
--- /dev/null
+++ b/debian/patches/bugfix/all/KEYS-Fix-ASN.1-indefinite-length-object-parsing.patch
@@ -0,0 +1,91 @@
+From: David Howells <dhowells at redhat.com>
+Date: Tue, 23 Feb 2016 11:03:12 +0000
+Subject: KEYS: Fix ASN.1 indefinite length object parsing
+Origin: https://git.kernel.org/linus/23c8a812dc3c621009e4f0e5342aa4e2ede1ceaa
+
+This fixes CVE-2016-0758.
+
+In the ASN.1 decoder, when the length field of an ASN.1 value is extracted,
+it isn't validated against the remaining amount of data before being added
+to the cursor.  With a sufficiently large size indicated, the check:
+
+	datalen - dp < 2
+
+may then fail due to integer overflow.
+
+Fix this by checking the length indicated against the amount of remaining
+data in both places a definite length is determined.
+
+Whilst we're at it, make the following changes:
+
+ (1) Check the maximum size of extended length does not exceed the capacity
+     of the variable it's being stored in (len) rather than the type that
+     variable is assumed to be (size_t).
+
+ (2) Compare the EOC tag to the symbolic constant ASN1_EOC rather than the
+     integer 0.
+
+ (3) To reduce confusion, move the initialisation of len outside of:
+
+	for (len = 0; n > 0; n--) {
+
+     since it doesn't have anything to do with the loop counter n.
+
+Signed-off-by: David Howells <dhowells at redhat.com>
+Reviewed-by: Mimi Zohar <zohar at linux.vnet.ibm.com>
+Acked-by: David Woodhouse <David.Woodhouse at intel.com>
+Acked-by: Peter Jones <pjones at redhat.com>
+---
+ lib/asn1_decoder.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/lib/asn1_decoder.c b/lib/asn1_decoder.c
+index 2b3f46c..5545229 100644
+--- a/lib/asn1_decoder.c
++++ b/lib/asn1_decoder.c
+@@ -74,7 +74,7 @@ next_tag:
+ 
+ 	/* Extract a tag from the data */
+ 	tag = data[dp++];
+-	if (tag == 0) {
++	if (tag == ASN1_EOC) {
+ 		/* It appears to be an EOC. */
+ 		if (data[dp++] != 0)
+ 			goto invalid_eoc;
+@@ -96,10 +96,8 @@ next_tag:
+ 
+ 	/* Extract the length */
+ 	len = data[dp++];
+-	if (len <= 0x7f) {
+-		dp += len;
+-		goto next_tag;
+-	}
++	if (len <= 0x7f)
++		goto check_length;
+ 
+ 	if (unlikely(len == ASN1_INDEFINITE_LENGTH)) {
+ 		/* Indefinite length */
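Review bot: the `goto check_length` on the short-form path jumps forward across the indefinite-length branch and the long-form decode into a label defined in the next hunk, with `len` still holding the raw length octet (0..0x7f) and `dp` already advanced past it, so the shared `len > datalen - dp` test compares against the correct remaining byte count; that is correct but easy to break, because any future code between here and `check_length:` that touches `dp` or `len` silently changes what the short form is checked against. A comment on the `if (len <= 0x7f)` line along the lines of `/* short form: len is the value length, bounds-checked below */` would make the cross-hunk control flow explicit. The `unlikely(len == ASN1_INDEFINITE_LENGTH)` branch keeps its own exit and is not routed through the new check, which is fine since it adds nothing to `dp` here.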
+@@ -110,14 +108,18 @@ next_tag:
+ 	}
+ 
+ 	n = len - 0x80;
+-	if (unlikely(n > sizeof(size_t) - 1))
++	if (unlikely(n > sizeof(len) - 1))
+ 		goto length_too_long;
+ 	if (unlikely(n > datalen - dp))
+ 		goto data_overrun_error;
+-	for (len = 0; n > 0; n--) {
++	len = 0;
++	for (; n > 0; n--) {
+ 		len <<= 8;
+ 		len |= data[dp++];
+ 	}
++check_length:
++	if (len > datalen - dp)
++		goto data_overrun_error;
+ 	dp += len;
+ 	goto next_tag;
+ 
+-- 
+2.8.1
+
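Review bot: the fix hinges on an invariant that is never written down: with `n > datalen - dp` before the octet loop and `len > datalen - dp` at `check_length:`, `dp` can no longer exceed `datalen` when `dp += len` executes, so neither of these unsigned subtractions nor the `datalen - dp < 2` guard from the commit message can wrap; please add a comment at `check_length:` saying that `dp <= datalen` holds on entry and `dp + len <= datalen` on exit, since that is the property the whole patch exists to restore. Two smaller points on this hunk: (1) `n = len - 0x80` cannot be zero, because `len == 0x80` was diverted to the indefinite-length branch, so the `for (; n > 0; n--)` loop always consumes at least one octet; a short comment would spare the next reader the derivation. (2) The `n > sizeof(len) - 1` bound and the loop accept long-form lengths with leading zero octets and long-form encodings of values that fit in the short form (e.g. `0x83 0x00 0x00 0x05`), so this decoder is BER-tolerant rather than strict DER; that is harmless for memory safety now that every definite-length path goes through `check_length`, but callers should not assume a canonical encoding, and the title's "indefinite length" should not be read as this branch being the one that changed.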
diff --git a/debian/patches/series b/debian/patches/series
index 8f0bc96..65d8a3b 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -135,6 +135,7 @@ bugfix/x86/x86-mm-32-enable-full-randomization-on-i386-and-x86_.patch
 bugfix/all/bpf-fix-double-fdput-in-replace_map_fd_with_map_ptr.patch
 bugfix/all/bpf-fix-refcnt-overflow.patch
 bugfix/all/bpf-fix-check_map_func_compatibility-logic.patch
+bugfix/all/KEYS-Fix-ASN.1-indefinite-length-object-parsing.patch
 
 # ABI maintenance
 debian/ib-fix-abi-change-in-4.5.3.patch

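To make the wrap that the commit message describes reproducible, here is a small C model of the length-skipping logic in the hunks above. It is added for this note and is not code from lib/asn1_decoder.c, the kernel or Debian. It keeps the names from the diff (`dp`, `datalen`, `len`, `n`, `check_length`) and the `datalen - dp < 2` guard the commit message quotes; the `hardened` switch, the `scan_tlvs` and `final_cursor` helpers, the `SCAN_*` status codes and the sample byte strings are all constructed here, and the `dp > datalen` stop that reports `SCAN_ESCAPED_BUFFER` stands in for the out-of-bounds read the real decoder would perform at that point. Indefinite lengths and multi-byte tags are out of scope.

```c
/* Toy model of the ASN.1 length handling patched above. Constructed for this
 * note; it is not lib/asn1_decoder.c. Multi-byte tags are not modelled. */
#include <stddef.h>
#include <stdio.h>

#define ASN1_EOC               0x00
#define ASN1_INDEFINITE_LENGTH 0x80

enum scan_status {
	SCAN_OK = 0,          /* walked exactly datalen bytes of TLVs */
	SCAN_DATA_OVERRUN,    /* a length, or its octets, ran past the buffer */
	SCAN_LENGTH_TOO_LONG, /* more length octets than size_t can hold */
	SCAN_INVALID_EOC,     /* EOC tag whose length octet is not zero */
	SCAN_INDEFINITE,      /* indefinite length: not modelled here */
	SCAN_ESCAPED_BUFFER   /* pre-patch mode only: dp overshot datalen, the
	                         guard wrapped, data[dp] would be read OOB */
};

/* Skip top-level TLVs in data[0..datalen) by their declared lengths.
 * hardened == 0 reproduces the pre-patch logic (length added to the cursor
 * unchecked); hardened != 0 routes both length forms through check_length.
 * *final_dp receives the cursor position when the walk stops. */
enum scan_status scan_tlvs(const unsigned char *data, size_t datalen,
			   int hardened, size_t *final_dp)
{
	size_t dp = 0, len, n;
	enum scan_status st;

	for (;;) {
		if (dp == datalen) { st = SCAN_OK; break; }
		/* The guard the commit message quotes.  Being an unsigned
		 * subtraction it only means "fewer than 2 bytes left" while
		 * dp <= datalen; once dp overshoots it wraps and passes. */
		if (datalen - dp < 2) { st = SCAN_DATA_OVERRUN; break; }
		if (dp > datalen) { st = SCAN_ESCAPED_BUFFER; break; } /* stop instead of reading OOB */

		if (data[dp++] == ASN1_EOC) {
			if (data[dp++] != 0) { st = SCAN_INVALID_EOC; break; }
			continue;
		}
		len = data[dp++];
		if (len <= 0x7f) {
			if (hardened)
				goto check_length;
			dp += len;	/* pre-patch: short form added unchecked */
			continue;
		}
		if (len == ASN1_INDEFINITE_LENGTH) { st = SCAN_INDEFINITE; break; }

		n = len - 0x80;	/* >= 1: 0x80 itself was diverted above */
		if (n > sizeof(len) - 1) { st = SCAN_LENGTH_TOO_LONG; break; }
		if (n > datalen - dp) { st = SCAN_DATA_OVERRUN; break; }	/* dp <= datalen: no wrap */
		len = 0;
		for (; n > 0; n--) {
			len <<= 8;
			len |= data[dp++];
		}
		if (!hardened) {
			dp += len;	/* pre-patch: long form added unchecked */
			continue;
		}
check_length:
		/* The fix: dp <= datalen still holds so this cannot wrap, and
		 * afterwards dp + len <= datalen, keeping the top guard honest. */
		if (len > datalen - dp) { st = SCAN_DATA_OVERRUN; break; }
		dp += len;
	}
	if (final_dp)
		*final_dp = dp;
	return st;
}

size_t final_cursor(const unsigned char *data, size_t datalen, int hardened)
{
	size_t dp;
	scan_tlvs(data, datalen, hardened, &dp);
	return dp;
}

/* Constructed inputs; not taken from any real certificate or key. */
static const unsigned char SAMPLE_GOOD[] = {
	0x30, 0x03, 0x02, 0x01, 0x05, 0x05, 0x00 };	/* SEQUENCE { INTEGER 5 } NULL */
static const unsigned char SAMPLE_SHORT_OVERRUN[] = {
	0x04, 0x7f, 0x41, 0x42 };			/* OCTET STRING claims 127 bytes, has 2 */
static const unsigned char SAMPLE_LONG_OVERRUN[] = {
	0x30, 0x83, 0xff, 0xff, 0xff, 0x00 };		/* SEQUENCE claims 16777215 bytes, has 1 */
static const unsigned char SAMPLE_TOO_LONG[] = {
	0x30, 0x88, 0, 0, 0, 0, 0, 0, 0, 1 };		/* 8 length octets: rejected either way */

int main(void)
{
	static const char *const name[] = { "OK", "DATA_OVERRUN", "LENGTH_TOO_LONG",
					    "INVALID_EOC", "INDEFINITE", "ESCAPED_BUFFER" };
#define SHOW(buf) do {								\
	size_t dp0, dp1;							\
	enum scan_status s0 = scan_tlvs(buf, sizeof(buf), 0, &dp0);		\
	enum scan_status s1 = scan_tlvs(buf, sizeof(buf), 1, &dp1);		\
	printf("%-20s datalen=%zu  pre-patch: %-15s dp=%zu  patched: %-13s dp=%zu\n", \
	       #buf, sizeof(buf), name[s0], dp0, name[s1], dp1);		\
} while (0)
	SHOW(SAMPLE_GOOD);
	SHOW(SAMPLE_SHORT_OVERRUN);
	SHOW(SAMPLE_LONG_OVERRUN);
	SHOW(SAMPLE_TOO_LONG);
	return 0;
}
```

Build with `cc -std=c99 -Wall` and run. On the two overrun samples the pre-patch column reports the cursor at 129 and at 16777220 for buffers of 4 and 6 bytes, which is the state in which `datalen - dp < 2` has wrapped and stopped protecting the next read; the patched column refuses at the length octet with DATA_OVERRUN and leaves `dp` inside the buffer. The 8-octet length is rejected by `sizeof(len) - 1` in both modes, before and after the patch.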
-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git