This fixes CVE-2015-5327. It affects kernels from 4.3-rc1 onwards.
Fix the X.509 time validation to use month number-1 when looking up the
number of days in that month. Also put the month number validation before
doing the lookup so as not to risk overrunning the array.
This can be tested by doing the following:
cat <<EOF | openssl x509 -outform DER | keyctl padd asymmetric "" @s
-----BEGIN CERTIFICATE-----
MIIDbjCCAlagAwIBAgIJAN/lUld+VR4hMA0GCSqGSIb3DQEBCwUAMCkxETAPBgNV
BAoMCGxvY2FsLWNhMRQwEgYDVQQDDAtzaWduaW5nIGtleTAeFw0xNTA5MDEyMTMw
MThaFw0xNjA4MzEyMTMwMThaMCkxETAPBgNVBAoMCGxvY2FsLWNhMRQwEgYDVQQD
DAtzaWduaW5nIGtleTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANrn
crcMfMeG67nagX4+m02Xk9rkmsMKI5XTUxbikROe7GSUVJ27sPVPZp4mgzoWlvhh
jfK8CC/qhEhwep8Pgg4EJZyWOjhZb7R97ckGvLIoUC6IO3FC2ZnR7WtmWDgo2Jcj
VlXwJdHhKU1VZwulh81O61N8IBKqz2r/kDhIWiicUCUkI/Do/RMRfKAoDBcSh86m
gOeIAGfq62vbiZhVsX5dOE8Oo2TK5weAvwUIOR7OuGBl5AqwFlPnXQolewiHzKry
THg9e44HfzG4Mi6wUvcJxVaQT1h5SrKD779Z5+8+wf1JLaooetcEUArvWyuxCU59
qxA4lsTjBwl4cmEki+cCAwEAAaOBmDCBlTAMBgNVHRMEBTADAQH/MAsGA1UdDwQE
AwIHgDAdBgNVHQ4EFgQUyND/eKUis7ep/hXMJ8iZMdUhI+IwWQYDVR0jBFIwUIAU
yND/eKUis7ep/hXMJ8iZMdUhI+KhLaQrMCkxETAPBgNVBAoMCGxvY2FsLWNhMRQw
EgYDVQQDDAtzaWduaW5nIGtleYIJAN/lUld+VR4hMA0GCSqGSIb3DQEBCwUAA4IB
AQAMqm1N1yD5pimUELLhT5eO2lRdGUfTozljRxc7e2QT3RLk2TtGhg65JFFN6eml
XS58AEPVcAsSLDlR6WpOpOLB2giM0+fV/eYFHHmh22yqTJl4YgkdUwyzPdCHNOZL
hmSKeY9xliHb6PNrNWWtZwhYYvRaO2DX4GXOMR0Oa2O4vaYu6/qGlZOZv3U6qZLY
wwHEJSrqeBDyMuwN+eANHpoSpiBzD77S4e+7hUDJnql4j6xzJ65+nWJ89fCrQypR
4sN5R3aGeIh3QAQUIKpHilwek0CtEaYERgc5m+jGyKSc1rezJW62hWRTaitOc+d5
G5hh+9YpnYcxQHEKnZ7rFNKJ
-----END CERTIFICATE-----
EOF
If the patch works, the above should emit a key ID from the new key being
accepted; without the patch, it will give a bad message error.
Reported-by: Mimi Zohar <[email protected]>
Signed-off-by: David Howells <[email protected]>
Tested-by: Mimi Zohar <[email protected]>
Acked-by: David Woodhouse <[email protected]>
---
crypto/asymmetric_keys/x509_cert_parser.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/crypto/asymmetric_keys/x509_cert_parser.c
index 3000ea3b6687..021d39c0ba75 100644
--- a/crypto/asymmetric_keys/x509_cert_parser.c
+++ b/crypto/asymmetric_keys/x509_cert_parser.c
@@ -531,7 +531,11 @@ int x509_decode_time(time64_t *_t, size_t hdrlen,
if (*p != 'Z')
goto unsupported_time;
- mon_len = month_lengths[mon];
+ if (year < 1970 ||
+ mon < 1 || mon > 12)
+ goto invalid_time;
+
+ mon_len = month_lengths[mon - 1];
if (mon == 2) {
if (year % 4 == 0) {
mon_len = 29;
@@ -543,14 +547,12 @@ int x509_decode_time(time64_t *_t, size_t hdrlen,
}
}
- if (year < 1970 ||
- mon < 1 || mon > 12 ||
- day < 1 || day > mon_len ||
+ if (day < 1 || day > mon_len ||
hour > 23 ||
min > 59 ||
sec > 59)
goto invalid_time;
-
+
*_t = mktime64(year, mon, day, hour, min, sec);
return 0;
Am 12.11.2015 um 12:38 schrieb David Howells:
> This fixes CVE-2015-5327. It affects kernels from 4.3-rc1 onwards.
>
> Fix the X.509 time validation to use month number-1 when looking up the
> number of days in that month. Also put the month number validation before
> doing the lookup so as not to risk overrunning the array.
I've just run into this with 4.3.1 (mon_len ended up with 0 because of
the wrong index). Which means currently build stable kernels with
signature verification might not load modules (depending on which value
the invalid index mon_len (12) ends up with.
Regards,
Alexander Holler
Am 10.12.2015 um 10:23 schrieb Alexander Holler:
> Am 12.11.2015 um 12:38 schrieb David Howells:
>> This fixes CVE-2015-5327. It affects kernels from 4.3-rc1 onwards.
>>
>> Fix the X.509 time validation to use month number-1 when looking up the
>> number of days in that month. Also put the month number validation
>> before
>> doing the lookup so as not to risk overrunning the array.
>
> I've just run into this with 4.3.1 (mon_len ended up with 0 because of
> the wrong index). Which means currently build stable kernels with
> signature verification might not load modules (depending on which value
> the invalid index mon_len (12) ends up with.
Just in case of, I would suggest to quickly push out 4.3.2 (only 4.3
seems to be affected) which contains at least the patch mentioned in the
subject (58585c1fc301a36625db41ac7078c4dd0a218d84 in mainline).
Regards,
Alexander Holler
On Thu, Dec 10, 2015 at 04:15:22PM +0100, Alexander Holler wrote:
> Am 10.12.2015 um 10:23 schrieb Alexander Holler:
> >Am 12.11.2015 um 12:38 schrieb David Howells:
> >>This fixes CVE-2015-5327. It affects kernels from 4.3-rc1 onwards.
> >>
> >>Fix the X.509 time validation to use month number-1 when looking up the
> >>number of days in that month. Also put the month number validation
> >>before
> >>doing the lookup so as not to risk overrunning the array.
> >
> >I've just run into this with 4.3.1 (mon_len ended up with 0 because of
> >the wrong index). Which means currently build stable kernels with
> >signature verification might not load modules (depending on which value
> >the invalid index mon_len (12) ends up with.
>
> Just in case of, I would suggest to quickly push out 4.3.2 (only 4.3 seems
> to be affected) which contains at least the patch mentioned in the subject
> (58585c1fc301a36625db41ac7078c4dd0a218d84 in mainline).
58585c1fc301a36625db41ac7078c4dd0a218d84 doesn't reference anything in
Linus's tree, where did you get that git commit id?
David, any reason you didn't put a cc: stable in the commit for it to be
picked up in the stable releases?
thanks,
greg k-h
Am 10.12.2015 um 16:26 schrieb Greg Kroah-Hartman:
> On Thu, Dec 10, 2015 at 04:15:22PM +0100, Alexander Holler wrote:
>> Just in case of, I would suggest to quickly push out 4.3.2 (only 4.3 seems
>> to be affected) which contains at least the patch mentioned in the subject
>> (58585c1fc301a36625db41ac7078c4dd0a218d84 in mainline).
>
> 58585c1fc301a36625db41ac7078c4dd0a218d84 doesn't reference anything in
> Linus's tree, where did you get that git commit id?
Uh, hmm, maybe I've picked the wrong commit number when I've used git
gui blame to find the original commit. Might have been one from my own
trees which are based on mainline. Sorry, having had a second look, the
one I've cherry-picked from mainline was
cc25b994acfbc901429da682d0f73c190e960206
Regards,
Alexander Holler
Am 10.12.2015 um 16:34 schrieb Alexander Holler:
> Am 10.12.2015 um 16:26 schrieb Greg Kroah-Hartman:
>> On Thu, Dec 10, 2015 at 04:15:22PM +0100, Alexander Holler wrote:
>
>>> Just in case of, I would suggest to quickly push out 4.3.2 (only 4.3
>>> seems
>>> to be affected) which contains at least the patch mentioned in the
>>> subject
>>> (58585c1fc301a36625db41ac7078c4dd0a218d84 in mainline).
>>
>> 58585c1fc301a36625db41ac7078c4dd0a218d84 doesn't reference anything in
>> Linus's tree, where did you get that git commit id?
>
> Uh, hmm, maybe I've picked the wrong commit number when I've used git
> gui blame to find the original commit. Might have been one from my own
> trees which are based on mainline. Sorry, having had a second look, the
> one I've cherry-picked from mainline was
> cc25b994acfbc901429da682d0f73c190e960206
To give my motivation for that mail (and that "quickly"): it's highly
annoying to end up with a box which does not have network and, as in my
case, even without working input devices because modules weren't loaded.
And other people don't might be able to find the problem (and existing
patch) as quick as I did and might end up even more annoyed than I was
for a short period of time. ;)
> Regards,
>
> Alexander Holler
On Thu, Dec 10, 2015 at 07:00:46PM +0100, Alexander Holler wrote:
> Am 10.12.2015 um 16:34 schrieb Alexander Holler:
> >Am 10.12.2015 um 16:26 schrieb Greg Kroah-Hartman:
> >>On Thu, Dec 10, 2015 at 04:15:22PM +0100, Alexander Holler wrote:
> >
> >>>Just in case of, I would suggest to quickly push out 4.3.2 (only 4.3
> >>>seems
> >>>to be affected) which contains at least the patch mentioned in the
> >>>subject
> >>>(58585c1fc301a36625db41ac7078c4dd0a218d84 in mainline).
> >>
> >>58585c1fc301a36625db41ac7078c4dd0a218d84 doesn't reference anything in
> >>Linus's tree, where did you get that git commit id?
> >
> >Uh, hmm, maybe I've picked the wrong commit number when I've used git
> >gui blame to find the original commit. Might have been one from my own
> >trees which are based on mainline. Sorry, having had a second look, the
> >one I've cherry-picked from mainline was
> >cc25b994acfbc901429da682d0f73c190e960206
>
> To give my motivation for that mail (and that "quickly"): it's highly
> annoying to end up with a box which does not have network and, as in my
> case, even without working input devices because modules weren't loaded. And
> other people don't might be able to find the problem (and existing patch) as
> quick as I did and might end up even more annoyed than I was for a short
> period of time. ;)
We already have one other report of this problem hitting them. I've now
released 4.3.2-rc1, with a "quick" review period of 24 hours before I
release 4.3.2 with just this fix. If you could verify I didn't mess
anything up I would appreciate it.
thanks,
greg k-h
Am 10.12.2015 um 19:09 schrieb Greg Kroah-Hartman:
> We already have one other report of this problem hitting them. I've now
> released 4.3.2-rc1, with a "quick" review period of 24 hours before I
> release 4.3.2 with just this fix. If you could verify I didn't mess
> anything up I would appreciate it.
After applying those two patches from 4.3.2-rc1 you've posted instead of
the one I've cherry-picked, git diff ended up with no difference to the
source of the kernel I'm currently running. Reading those two patches
also looks good.
Thanks a lot.
Alexander Holler
Greg Kroah-Hartman <[email protected]> wrote:
> David, any reason you didn't put a cc: stable in the commit for it to be
> picked up in the stable releases?
I did cc it to stable.
David
On Fri, Dec 11, 2015 at 6:13 AM, David Howells <[email protected]> wrote:
> Greg Kroah-Hartman <[email protected]> wrote:
>
>> David, any reason you didn't put a cc: stable in the commit for it to be
>> picked up in the stable releases?
>
> I did cc it to stable.
You had the stable list in the CC field when you sent the patch, but
the CC: [email protected] tag is missing in the commit body.
Greg's scripts key off the later. Just cc'ing the list when you send
the email does nothing.
FWIW, I asked James if it should have been CC'd to stable when he sent
the pull request to Linus and I never got a reply.
josh