Received: by 10.223.185.116 with SMTP id b49csp6375897wrg; Wed, 28 Feb 2018 08:23:42 -0800 (PST) X-Google-Smtp-Source: AH8x225dieYSXeQlizR6cgrkXMqZvnKrH/jtpLAT0+71mvWa7Mj4QiizSvyUXzXnCyo9Gsa6omN7 X-Received: by 2002:a17:902:3a1:: with SMTP id d30-v6mr18241223pld.409.1519835021877; Wed, 28 Feb 2018 08:23:41 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1519835021; cv=none; d=google.com; s=arc-20160816; b=KU5vdVGEBMqB+bnaBR/qkZAVQ3QQO74TOOeP2HjlGBllOHpnpfU7Z/kIPcJegwL1DN Ed3muX+ZeOVH2uYban4pHzMwJLC8L3j7T7PsN3jDZEf6NByf9cfiNHIkLDDUhi0By2Ha KpopKYkTS6MJwFfcl3+P6LdGiZ0WXykZFEESDZnV61uXs/pkcvGWD5Zct2ebm0+2xsOq QOOeZC8BB2DhIvpF1av9yNdTqo3G6kgBPZkqpaxUhunMhGfxVi4jCElC3hEp32h+GWj3 5PfFYwBVb6aACSrfxs+vk8cpW8qPA9bWGKdZwl2u/fa+VFDL3peYtJHWcwL8xCuVJtXX gmlQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:subject:message-id:date:cc:to :from:mime-version:content-transfer-encoding:content-disposition :arc-authentication-results; bh=sfrpRTgefygs2+rLTsCUGdq57ZVimiV+WbGU4W3szJ0=; b=SwgzSaj5M3Jnzt19uvy55kNEyNRqOLir7n1JS1pUGinlGrSK4hzi4dVJ9RdQI1Wv9J CRMseMDz/n8B0A8u9U4mCMwEbxc2E0ungHMgwoxiy+ggBIDcR0ZcqIWFPnCFFpHBZAUW AefVc8IRRSNuZOizKD0DGxL//oky4/ZpUW+6OmvvEiryUC9JC+PiIej2PDRDd7R4K8mL TVF5vC0TEt0VqJWG8xZifaPFXnmkheqVodo1AuE2UwD1Gz/EcGx83fUkpGO1DTN2z6Mn VvamwxUDrKyIgJNOQ+k8odons/YRFHXBtMw/vBXyPeN4occG7CWUrRsWctuKIzEQG2cM WE0A== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id a13si1195606pgt.344.2018.02.28.08.23.26; Wed, 28 Feb 2018 08:23:41 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S935228AbeB1QUw (ORCPT + 99 others); Wed, 28 Feb 2018 11:20:52 -0500 Received: from shadbolt.e.decadent.org.uk ([88.96.1.126]:35391 "EHLO shadbolt.e.decadent.org.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S935207AbeB1QUt (ORCPT ); Wed, 28 Feb 2018 11:20:49 -0500 Received: from [2a02:8011:400e:2:6f00:88c8:c921:d332] (helo=deadeye) by shadbolt.decadent.org.uk with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.84_2) (envelope-from ) id 1er3Yg-0006Xe-G8; Wed, 28 Feb 2018 15:22:18 +0000 Received: from ben by deadeye with local (Exim 4.90_1) (envelope-from ) id 1er3Yf-0008Sv-55; Wed, 28 Feb 2018 15:22:17 +0000 Content-Type: text/plain; charset="UTF-8" Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 From: Ben Hutchings To: linux-kernel@vger.kernel.org, stable@vger.kernel.org CC: akpm@linux-foundation.org, "Eric Biggers" , "Alexander Potapenko" , "David Howells" Date: Wed, 28 Feb 2018 15:20:18 +0000 Message-ID: X-Mailer: LinuxStableQueue (scripts by bwh) Subject: [PATCH 3.16 071/254] ASN.1: fix out-of-bounds read when parsing indefinite length item In-Reply-To: X-SA-Exim-Connect-IP: 2a02:8011:400e:2:6f00:88c8:c921:d332 X-SA-Exim-Mail-From: ben@decadent.org.uk X-SA-Exim-Scanned: No (on shadbolt.decadent.org.uk); SAEximRunCond expanded to false Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 3.16.55-rc1 review patch. If anyone has any objections, please let me know. ------------------ From: Eric Biggers commit e0058f3a874ebb48b25be7ff79bc3b4e59929f90 upstream. In asn1_ber_decoder(), indefinitely-sized ASN.1 items were being passed to the action functions before their lengths had been computed, using the bogus length of 0x80 (ASN1_INDEFINITE_LENGTH). This resulted in reading data past the end of the input buffer, when given a specially crafted message. Fix it by rearranging the code so that the indefinite length is resolved before the action is called. This bug was originally found by fuzzing the X.509 parser in userspace using libFuzzer from the LLVM project. KASAN report (cleaned up slightly): BUG: KASAN: slab-out-of-bounds in memcpy ./include/linux/string.h:341 [inline] BUG: KASAN: slab-out-of-bounds in x509_fabricate_name.constprop.1+0x1a4/0x940 crypto/asymmetric_keys/x509_cert_parser.c:366 Read of size 128 at addr ffff880035dd9eaf by task keyctl/195 CPU: 1 PID: 195 Comm: keyctl Not tainted 4.14.0-09238-g1d3b78bbc6e9 #26 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-20171110_100015-anatol 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0xd1/0x175 lib/dump_stack.c:53 print_address_description+0x78/0x260 mm/kasan/report.c:252 kasan_report_error mm/kasan/report.c:351 [inline] kasan_report+0x23f/0x350 mm/kasan/report.c:409 memcpy+0x1f/0x50 mm/kasan/kasan.c:302 memcpy ./include/linux/string.h:341 [inline] x509_fabricate_name.constprop.1+0x1a4/0x940 crypto/asymmetric_keys/x509_cert_parser.c:366 asn1_ber_decoder+0xb4a/0x1fd0 lib/asn1_decoder.c:447 x509_cert_parse+0x1c7/0x620 crypto/asymmetric_keys/x509_cert_parser.c:89 x509_key_preparse+0x61/0x750 crypto/asymmetric_keys/x509_public_key.c:174 asymmetric_key_preparse+0xa4/0x150 crypto/asymmetric_keys/asymmetric_type.c:388 key_create_or_update+0x4d4/0x10a0 security/keys/key.c:850 SYSC_add_key security/keys/keyctl.c:122 [inline] SyS_add_key+0xe8/0x290 security/keys/keyctl.c:62 entry_SYSCALL_64_fastpath+0x1f/0x96 Allocated by task 195: __do_kmalloc_node mm/slab.c:3675 [inline] __kmalloc_node+0x47/0x60 mm/slab.c:3682 kvmalloc ./include/linux/mm.h:540 [inline] SYSC_add_key security/keys/keyctl.c:104 [inline] SyS_add_key+0x19e/0x290 security/keys/keyctl.c:62 entry_SYSCALL_64_fastpath+0x1f/0x96 Fixes: 42d5ec27f873 ("X.509: Add an ASN.1 decoder") Reported-by: Alexander Potapenko Signed-off-by: Eric Biggers Signed-off-by: David Howells [bwh: Backported to 3.16: drop ASN1_OP_{COND_,}MATCH_ANY_{ACT_,}OR_SKIP cases] Signed-off-by: Ben Hutchings --- lib/asn1_decoder.c | 47 ++++++++++++++++++++++++++--------------------- 1 file changed, 26 insertions(+), 21 deletions(-) --- a/lib/asn1_decoder.c +++ b/lib/asn1_decoder.c @@ -305,38 +305,43 @@ next_op: /* Decide how to handle the operation */ switch (op) { - case ASN1_OP_MATCH_ANY_ACT: - case ASN1_OP_COND_MATCH_ANY_ACT: - ret = actions[machine[pc + 1]](context, hdr, tag, data + dp, len); - if (ret < 0) - return ret; - goto skip_data; - - case ASN1_OP_MATCH_ACT: - case ASN1_OP_MATCH_ACT_OR_SKIP: - case ASN1_OP_COND_MATCH_ACT_OR_SKIP: - ret = actions[machine[pc + 2]](context, hdr, tag, data + dp, len); - if (ret < 0) - return ret; - goto skip_data; - case ASN1_OP_MATCH: case ASN1_OP_MATCH_OR_SKIP: + case ASN1_OP_MATCH_ACT: + case ASN1_OP_MATCH_ACT_OR_SKIP: case ASN1_OP_MATCH_ANY: + case ASN1_OP_MATCH_ANY_ACT: case ASN1_OP_COND_MATCH_OR_SKIP: + case ASN1_OP_COND_MATCH_ACT_OR_SKIP: case ASN1_OP_COND_MATCH_ANY: - skip_data: + case ASN1_OP_COND_MATCH_ANY_ACT: + if (!(flags & FLAG_CONS)) { if (flags & FLAG_INDEFINITE_LENGTH) { + size_t tmp = dp; + ret = asn1_find_indefinite_length( - data, datalen, &dp, &len, &errmsg); + data, datalen, &tmp, &len, &errmsg); if (ret < 0) goto error; - } else { - dp += len; } pr_debug("- LEAF: %zu\n", len); } + + if (op & ASN1_OP_MATCH__ACT) { + unsigned char act; + + if (op & ASN1_OP_MATCH__ANY) + act = machine[pc + 1]; + else + act = machine[pc + 2]; + ret = actions[act](context, hdr, tag, data + dp, len); + if (ret < 0) + return ret; + } + + if (!(flags & FLAG_CONS)) + dp += len; pc += asn1_op_lengths[op]; goto next_op;