Received: by 10.223.185.116 with SMTP id b49csp1097956wrg;
        Fri, 23 Feb 2018 11:54:31 -0800 (PST)
X-Google-Smtp-Source: AH8x224bH37Qw6m8wEWc56Ee7ud1XMO/FeOYrNu1CZ2iKP9wqB90WwC4oMEPMk/7UpteXY92aUtn
X-Received: by 10.99.191.78 with SMTP id i14mr2314787pgo.9.1519415671842;
        Fri, 23 Feb 2018 11:54:31 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1519415671; cv=none;
        d=google.com; s=arc-20160816;
        b=IJMLqLcn8QCEb0zscNcSa4Y6Kv5kt+5MtJ5wi8bcKiYYUvgO593aD8Pte1+pRF0Xc5
         +B//PWleukId6F4bNmu9yv3eNvKUwGXDuz+Hqg3nBntJJsazpJ8CGiGy6hjwJirqWznM
         WxNZME4c7EeZVF9AE77HnVr/eiAkSBSSyKJ+7eAF1e+W8c/zY2L0I7mtTizL1d2LMeMm
         JHGim85fHXwzmv6v09bGztQJZ5tFTndtE6HiaSc9LIsY1dVBOqf8BNB5SzJK32YPA5uJ
         tci5EfDJYp4O9nl4+444mY8Zi8UwbG60vKGwscUcueQJ9tZHmnmxBugsfaTe/ZP4lkLd
         9LhA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:user-agent:references
         :in-reply-to:message-id:date:subject:cc:to:from
         :arc-authentication-results;
        bh=n8JSjUhS12Xn8kev2O5dxuuORfoEWKVWJ06BvYr1sFU=;
        b=s/lKgcrfTObkIMOUzp7g4FcF/OJGVAlVPNzTe/5yInsDe8L3AfIoxOHrz6eWQeNgOL
         DGEpUNTNNyqxY7YJcEkIlF15HCi7GR8sxKq4E02KKghr/xy7M+FuqAfMxvDSS3ezVISx
         7tFRjCq/3DnV4bmovZJljSwHMEa4o1WsTEHr+7PmPRgNFqzknydg0GCTFRjYuctQdn2M
         SyxcZVB935/bYEH/WjJ0BbvCZ1bFkbf9eoCbDe2rS8rc1Img349OaG91DWR/Yr842jKg
         L8AQFD/7Y76wJai40K5KjKUu/k1Q9mRyiVZwoPXJRsEhWlnCqXeLDth685uJucVmz8zp
         dowA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id i11si1862217pgq.332.2018.02.23.11.54.17;
        Fri, 23 Feb 2018 11:54:31 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S933782AbeBWSpW (ORCPT <rfc822;daisukeokaopensource@gmail.com>
        + 99 others); Fri, 23 Feb 2018 13:45:22 -0500
Received: from mail.linuxfoundation.org ([140.211.169.12]:43268 "EHLO
        mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S933089AbeBWSpT (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 23 Feb 2018 13:45:19 -0500
Received: from localhost (LFbn-1-12258-90.w90-92.abo.wanadoo.fr [90.92.71.90])
        by mail.linuxfoundation.org (Postfix) with ESMTPSA id 4AB5F1244;
        Fri, 23 Feb 2018 18:45:18 +0000 (UTC)
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Eric Biggers <ebiggers@google.com>,
        David Howells <dhowells@redhat.com>,
        Sasha Levin <alexander.levin@microsoft.com>
Subject: [PATCH 4.9 070/145] 509: fix printing uninitialized stack memory when OID is empty
Date:   Fri, 23 Feb 2018 19:26:16 +0100
Message-Id: <20180223170733.680008600@linuxfoundation.org>
X-Mailer: git-send-email 2.16.2
In-Reply-To: <20180223170724.669759283@linuxfoundation.org>
References: <20180223170724.669759283@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Biggers <ebiggers3@gmail.com>


[ Upstream commit 8dfd2f22d3bf3ab7714f7495ad5d897b8845e8c1 ]

Callers of sprint_oid() do not check its return value before printing
the result.  In the case where the OID is zero-length, -EBADMSG was
being returned without anything being written to the buffer, resulting
in uninitialized stack memory being printed.  Fix this by writing
"(bad)" to the buffer in the cases where -EBADMSG is returned.

Fixes: 4f73175d0375 ("X.509: Add utility functions to render OIDs as strings")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 lib/oid_registry.c |    8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

--- a/lib/oid_registry.c
+++ b/lib/oid_registry.c
@@ -116,7 +116,7 @@ int sprint_oid(const void *data, size_t
 	int count;
 
 	if (v >= end)
-		return -EBADMSG;
+		goto bad;
 
 	n = *v++;
 	ret = count = snprintf(buffer, bufsize, "%u.%u", n / 40, n % 40);
@@ -134,7 +134,7 @@ int sprint_oid(const void *data, size_t
 			num = n & 0x7f;
 			do {
 				if (v >= end)
-					return -EBADMSG;
+					goto bad;
 				n = *v++;
 				num <<= 7;
 				num |= n & 0x7f;
@@ -148,6 +148,10 @@ int sprint_oid(const void *data, size_t
 	}
 
 	return ret;
+
+bad:
+	snprintf(buffer, bufsize, "(bad)");
+	return -EBADMSG;
 }
 EXPORT_SYMBOL_GPL(sprint_oid);