From de9a44e36f1d9f791f49491c348445527b00c4ff Mon Sep 17 00:00:00 2001
From: Salvatore Bonaccorso
Date: Sat, 14 May 2016 05:16:11 +0200
Subject: [PATCH] KEYS: Fix ASN.1 indefinite length object parsing (CVE-2016-0758)
---
 debian/changelog | 3 +
 ...N.1-indefinite-length-object-parsing.patch | 91 +++++++++++++++++++
 debian/patches/series | 1 +
 3 files changed, 95 insertions(+)
 create mode 100644 debian/patches/bugfix/all/KEYS-Fix-ASN.1-indefinite-length-object-parsing.patch
diff --git a/debian/changelog b/debian/changelog
index 1689d45b0..de47552ea 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -92,6 +92,9 @@ linux (4.5.4-1) UNRELEASED; urgency=medium
 * netfilter: Enable NF_DUP_NETDEV / NFT_DUP_NETDEV / NFT_FWD_NETDEV as
 module, as recommended by Arturo Borrero Gonzalez. (Closes: #824162)
+ [ Salvatore Bonaccorso ]
+ * KEYS: Fix ASN.1 indefinite length object parsing (CVE-2016-0758)
+
 -- Aurelien Jarno Tue, 10 May 2016 23:58:07 +0200
 linux (4.5.3-2) unstable; urgency=medium
diff --git a/debian/patches/bugfix/all/KEYS-Fix-ASN.1-indefinite-length-object-parsing.patch b/debian/patches/bugfix/all/KEYS-Fix-ASN.1-indefinite-length-object-parsing.patch
new file mode 100644
index 000000000..37b83dd23
--- /dev/null
+++ b/debian/patches/bugfix/all/KEYS-Fix-ASN.1-indefinite-length-object-parsing.patch
@@ -0,0 +1,91 @@
+From: David Howells
+Date: Tue, 23 Feb 2016 11:03:12 +0000
+Subject: KEYS: Fix ASN.1 indefinite length object parsing
+Origin: https://git.kernel.org/linus/23c8a812dc3c621009e4f0e5342aa4e2ede1ceaa
+
+This fixes CVE-2016-0758.
+
+In the ASN.1 decoder, when the length field of an ASN.1 value is extracted,
+it isn't validated against the remaining amount of data before being added
+to the cursor. With a sufficiently large size indicated, the check:
+
+ datalen - dp < 2
+
+may then fail due to integer overflow.
+
+Fix this by checking the length indicated against the amount of remaining
+data in both places a definite length is determined.
+
+Whilst we're at it, make the following changes:
+
+ (1) Check the maximum size of extended length does not exceed the capacity
+ of the variable it's being stored in (len) rather than the type that
+ variable is assumed to be (size_t).
+
+ (2) Compare the EOC tag to the symbolic constant ASN1_EOC rather than the
+ integer 0.
+
+ (3) To reduce confusion, move the initialisation of len outside of:
+
+ for (len = 0; n > 0; n--) {
+
+ since it doesn't have anything to do with the loop counter n.
+
+Signed-off-by: David Howells
+Reviewed-by: Mimi Zohar
+Acked-by: David Woodhouse
+Acked-by: Peter Jones
+---
+ lib/asn1_decoder.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/lib/asn1_decoder.c b/lib/asn1_decoder.c
+index 2b3f46c..5545229 100644
+--- a/lib/asn1_decoder.c
++++ b/lib/asn1_decoder.c
+@@ -74,7 +74,7 @@ next_tag:
+
+ /* Extract a tag from the data */
+ tag = data[dp++];
+- if (tag == 0) {
++ if (tag == ASN1_EOC) {
+ /* It appears to be an EOC. */
+ if (data[dp++] != 0)
+ goto invalid_eoc;
+@@ -96,10 +96,8 @@ next_tag:
+
+ /* Extract the length */
+ len = data[dp++];
+- if (len <= 0x7f) {
+- dp += len;
+- goto next_tag;
+- }
++ if (len <= 0x7f)
++ goto check_length;
+
+ if (unlikely(len == ASN1_INDEFINITE_LENGTH)) {
+ /* Indefinite length */
+@@ -110,14 +108,18 @@ next_tag:
+ }
+
+ n = len - 0x80;
+- if (unlikely(n > sizeof(size_t) - 1))
++ if (unlikely(n > sizeof(len) - 1))
+ goto length_too_long;
+ if (unlikely(n > datalen - dp))
+ goto data_overrun_error;
+- for (len = 0; n > 0; n--) {
++ len = 0;
++ for (; n > 0; n--) {
+ len <<= 8;
+ len |= data[dp++];
+ }
++check_length:
++ if (len > datalen - dp)
++ goto data_overrun_error;
+ dp += len;
+ goto next_tag;
+
+-- 
+2.8.1
+
diff --git a/debian/patches/series b/debian/patches/series
index 8f0bc96fa..65d8a3bad 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -135,6 +135,7 @@ bugfix/x86/x86-mm-32-enable-full-randomization-on-i386-and-x86_.patch
 bugfix/all/bpf-fix-double-fdput-in-replace_map_fd_with_map_ptr.patch
 bugfix/all/bpf-fix-refcnt-overflow.patch
 bugfix/all/bpf-fix-check_map_func_compatibility-logic.patch
+bugfix/all/KEYS-Fix-ASN.1-indefinite-length-object-parsing.patch
 # ABI maintenance
 debian/ib-fix-abi-change-in-4.5.3.patch
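Review bot: The DEP-3 header of the new patch file carries only `Origin:`; since this backport is a CVE fix, adding the DEP-3 security field `Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2016-0758` directly after the `Origin:` line would let a reader follow the advisory and affected-version status from the patch itself. The embedded decoder change appears complete for what is visible: both the short-form path (`goto check_length`) and the long-form path now reach `if (len > datalen - dp) goto data_overrun_error;` before `dp += len`, and on the long-form path the earlier `n > datalen - dp` test keeps `dp` at or below `datalen` so the subtraction cannot wrap. On the short-form path that same guarantee presumably comes from the `datalen - dp < 2` check quoted in the description, which precedes the hunks and is not shown here. The function owning the `next_tag:` label starts and ends outside the embedded hunks, so the `length_too_long`, `data_overrun_error` and `invalid_eoc` targets are not visible for review.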