From: Ben Hutchings
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
CC: akpm@linux-foundation.org, "Linus Torvalds", "David Howells", "Rusty Russell", "Lee, Chun-Yi", "Pawel Wieczorkiewicz", "Takashi Iwai"
Date: Wed, 28 Feb 2018 15:20:18 +0000
Subject: [PATCH 3.16 073/254] lib/oid_registry.c: X.509: fix the buffer overflow in the utility function for OID string

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------
From: Takashi Iwai

commit afdb05e9d61905220f09268535235288e6ba3a16 upstream.

The sprint_oid() utility function doesn't properly check the buffer size, so it causes the warning in vsnprintf() to be triggered. For example on the v4.1 kernel:

------------[ cut here ]------------
WARNING: CPU: 0 PID: 2357 at lib/vsprintf.c:1867 vsnprintf+0x5a7/0x5c0()
...

We can trigger this issue by injecting a maliciously crafted x509 cert in DER format, just using a hex editor to change the length of the OID to over the length of the SEQUENCE container. For example:

    0:d=0  hl=4 l= 980 cons: SEQUENCE
    4:d=1  hl=4 l= 700 cons: SEQUENCE
    8:d=2  hl=2 l=   3 cons: cont [ 0 ]
   10:d=3  hl=2 l=   1 prim: INTEGER           :02
   13:d=2  hl=2 l=   9 prim: INTEGER           :9B47FAF791E7D1E3
   24:d=2  hl=2 l=  13 cons: SEQUENCE
   26:d=3  hl=2 l=   9 prim: OBJECT            :sha256WithRSAEncryption
   37:d=3  hl=2 l=   0 prim: NULL
   39:d=2  hl=2 l= 121 cons: SEQUENCE
   41:d=3  hl=2 l=  22 cons: SET
   43:d=4  hl=2 l=  20 cons: SEQUENCE          <=== the SEQ length is 20
   45:d=5  hl=2 l=   3 prim: OBJECT            :organizationName  <=== the original length is 3, change the length of OID to over the length of SEQUENCE

Pawel Wieczorkiewicz reported this problem and Takashi Iwai provided a patch to fix it by checking the bufsize in sprint_oid().

Link: http://lkml.kernel.org/r/20170903021646.2080-1-jlee@suse.com
Signed-off-by: Takashi Iwai
Signed-off-by: "Lee, Chun-Yi"
Reported-by: Pawel Wieczorkiewicz
Cc: David Howells
Cc: Rusty Russell
Cc: Pawel Wieczorkiewicz
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
Signed-off-by: Ben Hutchings
--- lib/oid_registry.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) --- a/lib/oid_registry.c +++ b/lib/oid_registry.c @@ -142,9 +142,9 @@ int sprint_oid(const void *data, size_t } ret += count = snprintf(buffer, bufsize, ".%lu", num); buffer += count; - bufsize -= count; - if (bufsize == 0) + if (bufsize <= count) return -ENOBUFS; + bufsize -= count; } return ret;
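Review bot: the removed pair `bufsize -= count; if (bufsize == 0)` in this hunk only detects exact exhaustion, not truncation: snprintf() returns the length the component would have needed, so once count exceeds bufsize the unsigned size_t subtraction wraps to a huge value, the zero test passes, and the next snprintf() is handed a bogus size and writes past the caller's buffer. Testing `if (bufsize <= count)` before subtracting is the right order, and `<=` rather than `<` is correct, since count == bufsize also means the terminating NUL did not fit. Two small follow-ups: `ret` is still incremented with the would-be length before the -ENOBUFS return, which is harmless because the caller only sees the error code but deserves a one-line comment; and the `.%lu` format shows this is the per-component write inside the loop, so the initial write of the first arcs outside this hunk should be checked for the same check-before-subtract ordering.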
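Added example in C, not the kernel's code: a minimal DER OID printer that uses the same snprintf() size bookkeeping as the patched sprint_oid(), beside a small helper that shows how the pre-patch subtract-then-test wraps size_t. The OID bytes are a constructed sample for sha256WithRSAEncryption, the OID named in the dump above; the function names are assumptions of this example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: DER content bytes of 1.2.840.113549.1.1.11
 * (sha256WithRSAEncryption, the OID named in the asn1parse dump above). */
const unsigned char sha256_rsa_oid[9] = { 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B };

/* Pre-patch bookkeeping, kept only to show the defect: subtracting first wraps
 * size_t when snprintf() reports more chars than fit, so "== 0" never fires. */
size_t old_remaining(size_t bufsize, int count)
{
    bufsize -= count;                 /* e.g. 4 - 10 wraps to SIZE_MAX - 5 */
    return bufsize;
}

/* Print DER OID content bytes in dotted form with the patched ordering:
 * check that the component fit before reducing bufsize.
 * Returns total length written, -ENOBUFS if the buffer is too small,
 * -EBADMSG if the encoding is truncated. */
int oid_to_string(const unsigned char *data, size_t datasize, char *buffer, size_t bufsize)
{
    const unsigned char *v = data, *end = data + datasize;
    unsigned long num, a, b;
    int count, ret;

    if (datasize < 1) return -EBADMSG;
    num = *v++;   /* first byte packs two arcs: 0.x (<40), 1.x (<80), else 2.x */
    if (num < 40)      { a = 0; b = num; }
    else if (num < 80) { a = 1; b = num - 40; }
    else               { a = 2; b = num - 80; }
    ret = count = snprintf(buffer, bufsize, "%lu.%lu", a, b);
    if (bufsize <= (size_t)count)     /* == means the NUL did not fit */
        return -ENOBUFS;
    buffer += count;
    bufsize -= count;
    while (v < end) {
        num = 0;  /* further arcs are base-128, high bit marks continuation */
        do {
            if (v >= end) return -EBADMSG;   /* multi-byte arc cut off */
            num = (num << 7) | (*v & 0x7f);
        } while (*v++ & 0x80);
        ret += count = snprintf(buffer, bufsize, ".%lu", num);
        if (bufsize <= (size_t)count)
            return -ENOBUFS;
        bufsize -= count;
        buffer += count;
    }
    return ret;
}
```

With the over-long OID from the commit message, the caller hands this function more arcs than its buffer can hold; the fixed ordering returns -ENOBUFS at the first component that does not fit instead of continuing with a wrapped size.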