From: Ben Hutchings
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
CC: akpm@linux-foundation.org, "Eric Biggers", "David Howells", "James Morris"
Date: Wed, 28 Feb 2018 15:20:18 +0000
Subject: [PATCH 3.16 072/254] ASN.1: check for error from ASN1_OP_END__ACT actions

3.16.55-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Eric Biggers

commit 81a7be2cd69b412ab6aeacfe5ebf1bb6e5bce955 upstream.

asn1_ber_decoder() was ignoring errors from actions associated with the opcodes ASN1_OP_END_SEQ_ACT, ASN1_OP_END_SET_ACT, ASN1_OP_END_SEQ_OF_ACT, and ASN1_OP_END_SET_OF_ACT. In practice, this meant the pkcs7_note_signed_info() action (since that was the only user of those opcodes). Fix it by checking for the error, just like the decoder does for actions associated with the other opcodes.

This bug allowed users to leak slab memory by repeatedly trying to add a specially crafted "pkcs7_test" key (requires CONFIG_PKCS7_TEST_KEY).

In theory, this bug could also be used to bypass module signature verification, by providing a PKCS#7 message that is misparsed such that a signature's ->authattrs do not contain its ->msgdigest. But it doesn't seem practical in normal cases, due to restrictions on the format of the ->authattrs.

Fixes: 42d5ec27f873 ("X.509: Add an ASN.1 decoder")
Signed-off-by: Eric Biggers
Signed-off-by: David Howells
Reviewed-by: James Morris
Signed-off-by: Ben Hutchings
---
 lib/asn1_decoder.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/lib/asn1_decoder.c +++ b/lib/asn1_decoder.c 
@@ -427,6 +427,8 @@ next_op: else act = machine[pc + 1]; ret = actions[act](context, hdr, 0, data + tdp, len); + if (ret < 0) + return ret; } pc += asn1_op_lengths[op]; goto next_op;
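
Review bot: The added `if (ret < 0) return ret;` after the `actions[act](context, hdr, 0, data + tdp, len)` call returns straight out of the decoder, so for this 3.16 backport it is worth confirming that the other action call sites in asn1_ber_decoder() exit the same way (a direct return rather than a shared error label), since the commit message relies on the fix behaving "just like the decoder does for actions associated with the other opcodes". The check treats only negative values as failure; a one-line comment at this call site stating that actions return 0 or a negative errno would make that contract explicit. A regression test that feeds a PKCS#7 blob for which pkcs7_note_signed_info() fails and asserts that the decode returns that error would keep the slab-leak case described in the message from coming back.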
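
The failure mode the commit message describes, shown on a toy table-driven decoder as an added example (not kernel code and not part of the original patch): when the return value of the end-of-sequence action is dropped, decoding reports success for input that the action rejected. The opcodes, the `toy_*` and `note_*` names, the tag values and the digest check are all hypothetical stand-ins.

```c
#include <errno.h>
#include <stddef.h>
/* Hypothetical toy opcodes and actions; not the kernel's ASN.1 machine. */
enum { OP_MATCH_ACT, OP_END_SEQ_ACT, OP_COMPLETE };
struct toy_ctx { int has_digest; int accepted; };
typedef int (*toy_action)(struct toy_ctx *ctx, unsigned char tag);

/* Per-element action: record whether a digest attribute (tag 0x04) was seen. */
static int note_attr(struct toy_ctx *ctx, unsigned char tag)
{
    ctx->has_digest |= (tag == 0x04);
    return 0;
}

/* End-of-sequence action: reject a record that has no digest attribute. */
static int note_record(struct toy_ctx *ctx, unsigned char tag)
{
    (void)tag;
    if (!ctx->has_digest)
        return -EBADMSG;
    ctx->accepted++;
    return 0;
}

static const toy_action actions[] = { note_attr, note_record };
static const unsigned char machine[] = { OP_MATCH_ACT, 0, OP_END_SEQ_ACT, 1, OP_COMPLETE };

/* check_end_act = 0 reproduces the unchecked call, 1 the checked one. */
int toy_decode(const unsigned char *data, size_t len,
               struct toy_ctx *ctx, int check_end_act)
{
    size_t pc = 0, dp = 0;
    int ret;
    while (machine[pc] != OP_COMPLETE) {
        if (machine[pc] == OP_MATCH_ACT) {
            if (dp >= len)
                return -EBADMSG;            /* truncated input */
            if (data[dp] == 0x00) { dp++; pc += 2; continue; } /* end marker */
            ret = actions[machine[pc + 1]](ctx, data[dp++]);
            if (ret < 0)
                return ret;
        } else {                            /* OP_END_SEQ_ACT */
            ret = actions[machine[pc + 1]](ctx, 0);
            if (check_end_act && ret < 0)
                return ret;                 /* the check the patch adds */
            pc += 2;
        }
    }
    return 0;
}
```

With `check_end_act` set to 0, a constructed input such as `{ 0x06, 0x00 }` (no digest tag) decodes with return value 0 even though `note_record()` failed; with 1 the caller sees `-EBADMSG`.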