Date: Thu, 9 Nov 2017 00:54:53 +1100 (AEDT)
From: James Morris
To: Linus Torvalds
cc: linux-kernel@vger.kernel.org, keyrings@vger.kernel.org
Subject: [GIT PULL] keys: fix NULL pointer dereference during ASN.1 parsing

Hi Linus,

Please pull this fix by Eric Biggers for the keys subsystem.

---

The following changes since commit fbc3edf7d7731d7a22c483c679700589bab936a3:

  drivers/ide-cd: Handle missing driver data during status check gracefully (2017-11-07 09:12:04 -0800)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git fixes-v4.14-rc8

for you to fetch changes up to 624f5ab8720b3371367327a822c267699c1823b8:

  KEYS: fix NULL pointer dereference during ASN.1 parsing [ver #2] (2017-11-09 00:38:21 +1100)

----------------------------------------------------------------
Eric Biggers (1):
      KEYS: fix NULL pointer dereference during ASN.1 parsing [ver #2]

 lib/asn1_decoder.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

---
commit 624f5ab8720b3371367327a822c267699c1823b8
Author: Eric Biggers
Date:   Tue Nov 7 22:29:02 2017 +0000

    KEYS: fix NULL pointer dereference during ASN.1 parsing [ver #2]

    syzkaller reported a NULL pointer dereference in asn1_ber_decoder().  It
    can be reproduced by the following command, assuming
    CONFIG_PKCS7_TEST_KEY=y:

        keyctl add pkcs7_test desc '' @s

    The bug is that if the data buffer is empty, an integer underflow occurs
    in the following check:

        if (unlikely(dp >= datalen - 1))
                goto data_overrun_error;

    This results in the NULL data pointer being dereferenced.

    Fix it by checking for 'datalen - dp < 2' instead.

    Also fix the similar check for 'dp >= datalen - n' later in the same
    function.
    That one possibly could result in a buffer overread.

    The NULL pointer dereference was reproducible using the "pkcs7_test" key
    type but not the "asymmetric" key type because the "asymmetric" key type
    checks for a 0-length payload before calling into the ASN.1 decoder but
    the "pkcs7_test" key type does not.

    The bug report was:

        BUG: unable to handle kernel NULL pointer dereference at (null)
        IP: asn1_ber_decoder+0x17f/0xe60 lib/asn1_decoder.c:233
        PGD 7b708067 P4D 7b708067 PUD 7b6ee067 PMD 0
        Oops: 0000 [#1] SMP
        Modules linked in:
        CPU: 0 PID: 522 Comm: syz-executor1 Not tainted 4.14.0-rc8 #7
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.3-20171021_125229-anatol 04/01/2014
        task: ffff9b6b3798c040 task.stack: ffff9b6b37970000
        RIP: 0010:asn1_ber_decoder+0x17f/0xe60 lib/asn1_decoder.c:233
        RSP: 0018:ffff9b6b37973c78 EFLAGS: 00010216
        RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000000000021c
        RDX: ffffffff814a04ed RSI: ffffb1524066e000 RDI: ffffffff910759e0
        RBP: ffff9b6b37973d60 R08: 0000000000000001 R09: ffff9b6b3caa4180
        R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000002
        R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
        FS:  00007f10ed1f2700(0000) GS:ffff9b6b3ea00000(0000) knlGS:0000000000000000
        CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
        CR2: 0000000000000000 CR3: 000000007b6f3000 CR4: 00000000000006f0
        Call Trace:
         pkcs7_parse_message+0xee/0x240 crypto/asymmetric_keys/pkcs7_parser.c:139
         verify_pkcs7_signature+0x33/0x180 certs/system_keyring.c:216
         pkcs7_preparse+0x41/0x70 crypto/asymmetric_keys/pkcs7_key_type.c:63
         key_create_or_update+0x180/0x530 security/keys/key.c:855
         SYSC_add_key security/keys/keyctl.c:122 [inline]
         SyS_add_key+0xbf/0x250 security/keys/keyctl.c:62
         entry_SYSCALL_64_fastpath+0x1f/0xbe
        RIP: 0033:0x4585c9
        RSP: 002b:00007f10ed1f1bd8 EFLAGS: 00000216 ORIG_RAX: 00000000000000f8
        RAX: ffffffffffffffda RBX: 00007f10ed1f2700 RCX: 00000000004585c9
        RDX: 0000000020000000 RSI: 0000000020008ffb RDI: 0000000020008000
        RBP: 0000000000000000 R08: ffffffffffffffff R09: 0000000000000000
        R10: 0000000000000000 R11: 0000000000000216 R12: 00007fff1b2260ae
        R13: 00007fff1b2260af R14: 00007f10ed1f2700 R15: 0000000000000000
        Code: dd ca ff 48 8b 45 88 48 83 e8 01 4c 39 f0 0f 86 a8 07 00 00 e8 53 dd ca ff 49 8d 46 01 48 89 85 58 ff ff ff 48 8b 85 60 ff ff ff <42> 0f b6 0c 30 89 c8 88 8d 75 ff ff ff 83 e0 1f 89 8d 28 ff ff
        RIP: asn1_ber_decoder+0x17f/0xe60 lib/asn1_decoder.c:233 RSP: ffff9b6b37973c78
        CR2: 0000000000000000

    Fixes: 42d5ec27f873 ("X.509: Add an ASN.1 decoder")
    Reported-by: syzbot
    Cc: # v3.7+
    Signed-off-by: Eric Biggers
    Signed-off-by: David Howells
    Signed-off-by: James Morris

diff --git a/lib/asn1_decoder.c b/lib/asn1_decoder.c index fef5d2e..1ef0cec 100644 --- a/lib/asn1_decoder.c +++ b/lib/asn1_decoder.c @@ -228,7 +228,7 @@ int asn1_ber_decoder(const struct asn1_decoder *decoder, hdr = 2; /* Extract a tag from the data */ - if (unlikely(dp >= datalen - 1)) + if (unlikely(datalen - dp < 2)) goto data_overrun_error; tag = data[dp++]; if (unlikely((tag & 0x1f) == ASN1_LONG_TAG)) @@ -274,7 +274,7 @@ int asn1_ber_decoder(const struct asn1_decoder *decoder, int n = len - 0x80; if (unlikely(n > 2)) goto length_too_long; - if (unlikely(dp >= datalen - n)) + if (unlikely(n > datalen - dp)) goto data_overrun_error; hdr += n; for (len = 0; n > 0; n--) {
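Review bot: the replacement `datalen - dp < 2` in the tag-extraction hunk (the `@@ -228,7 +228,7 @@` hunk) avoids the wrap on an empty buffer only while dp <= datalen holds at the top of the loop; the hunk itself advances dp with `tag = data[dp++]` right after the check, so the correctness argument now rests on that invariant being maintained elsewhere in asn1_ber_decoder(). A one-line comment at the check stating the invariant, or the belt-and-braces form `dp > datalen || datalen - dp < 2`, would keep the reasoning local to the hunk and make the next refactor of the function less likely to reintroduce the bug.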
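Review bot: the replacement `n > datalen - dp` in the long-form length hunk (the `@@ -274,7 +274,7 @@` hunk) changes the boundary as well as fixing the underflow: the old `dp >= datalen - n` rejected input that had exactly n bytes left after dp, whereas the new form accepts it, which is the right bound if the `for (len = 0; n > 0; n--)` loop that follows consumes exactly n bytes. The commit message only mentions the possible overread, so a sentence noting that the old bound was also off by one would help anyone backporting this to the v3.7+ stable trees named in the Cc. The comparison also mixes `int n` with the unsigned `datalen - dp`; it is safe only because `n > 2` was rejected two lines earlier and n cannot be negative on this path, which deserves a short comment.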
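The underflow the commit message describes, as an added example that is not part of the pull request or of the kernel tree: the two checks are modelled in their pre-fix and post-fix forms so the wrap can be observed in a plain user-space build, and the fixed forms are then used in a small BER tag/length header reader run over constructed byte strings (the empty payload from the syzkaller reproducer, a truncated header, a short-form header and a two-byte long-form length). The function names, the sample inputs and the assumption that dp and datalen are size_t are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not the kernel's code.  It models the two bounds checks
 * patched in lib/asn1_decoder.c in their pre-fix and post-fix forms so
 * the size_t underflow the commit message describes can be observed in a
 * userspace build, then uses the fixed checks in a small BER tag/length
 * header reader.  All function names are this example's own; the kernel's
 * dp and datalen are assumed to be size_t.
 */

/* Pre-fix tag check: "dp >= datalen - 1".  With datalen == 0 the
 * subtraction wraps to SIZE_MAX, so the check never fires and the caller
 * goes on to read data[0] through a NULL pointer. */
static int old_tag_check_overrun(size_t dp, size_t datalen)
{
	return dp >= datalen - 1;
}

/* Post-fix tag check: "datalen - dp < 2".  Requires the tag byte and the
 * first length byte to remain; does not wrap as long as dp <= datalen. */
static int new_tag_check_overrun(size_t dp, size_t datalen)
{
	return datalen - dp < 2;
}

/* Pre-fix long-form length check: "dp >= datalen - n".  Besides wrapping
 * when datalen < n, it rejects input with exactly n bytes remaining. */
static int old_len_check_overrun(size_t dp, size_t datalen, int n)
{
	return dp >= datalen - (size_t)n;
}

/* Post-fix: "n > datalen - dp".  The cast makes explicit the int-to-
 * unsigned conversion the kernel's comparison performs implicitly; it is
 * only harmless because n has already been bounded to 0..2 by the caller. */
static int new_len_check_overrun(size_t dp, size_t datalen, int n)
{
	return (size_t)n > datalen - dp;
}

/*
 * Minimal BER tag/length header reader built on the fixed checks.  Returns
 * the number of header bytes consumed and stores the content length in
 * *len_out, or returns -1 on truncated or unsupported input.  Handles the
 * short form and long-form lengths of one or two bytes (the kernel's
 * n > 2 limit); multi-byte tags and the indefinite form are rejected.
 */
static int read_ber_header(const unsigned char *data, size_t datalen,
			   size_t *len_out)
{
	size_t dp = 0;
	unsigned int tag, len;

	if (new_tag_check_overrun(dp, datalen))
		return -1;			/* safe for data == NULL, datalen == 0 */
	tag = data[dp++];
	if ((tag & 0x1f) == 0x1f)		/* ASN1_LONG_TAG: not modelled */
		return -1;
	len = data[dp++];
	if (len > 0x7f) {
		int n = len - 0x80;		/* 0..0x7f, so never negative */

		if (n == 0 || n > 2)		/* indefinite form, or too long */
			return -1;
		if (new_len_check_overrun(dp, datalen, n))
			return -1;
		for (len = 0; n > 0; n--) {
			len <<= 8;
			len |= data[dp++];
		}
	}
	*len_out = len;
	return (int)dp;
}

/* Content length of the header at the start of data, or -1 on error. */
static long ber_content_len(const unsigned char *data, size_t datalen)
{
	size_t len;

	return read_ber_header(data, datalen, &len) < 0 ? -1 : (long)len;
}

/* Constructed inputs: a truncated header, a short-form SEQUENCE header,
 * a two-byte long-form length (0x0100 = 256) and the same one cut short.
 * The empty-payload case from the reproducer is (NULL, 0). */
static const unsigned char in_truncated[] = { 0x30 };
static const unsigned char in_short[]     = { 0x30, 0x03, 0x02, 0x01, 0x05 };
static const unsigned char in_long_ok[]   = { 0x30, 0x82, 0x01, 0x00 };
static const unsigned char in_long_cut[]  = { 0x30, 0x82, 0x01 };

int main(void)
{
	printf("empty buffer: old check fires=%d, new check fires=%d\n",
	       old_tag_check_overrun(0, 0), new_tag_check_overrun(0, 0));
	printf("exactly n bytes left: old rejects=%d, new rejects=%d\n",
	       old_len_check_overrun(2, 4, 2), new_len_check_overrun(2, 4, 2));
	printf("content lengths: empty=%ld truncated=%ld short=%ld long=%ld cut=%ld\n",
	       ber_content_len(NULL, 0),
	       ber_content_len(in_truncated, sizeof in_truncated),
	       ber_content_len(in_short, sizeof in_short),
	       ber_content_len(in_long_ok, sizeof in_long_ok),
	       ber_content_len(in_long_cut, sizeof in_long_cut));
	return 0;
}
```

The first printf shows the bug directly: on an empty buffer the pre-fix check evaluates `0 >= SIZE_MAX` and does not fire, while the post-fix check does. The second shows that the length-check rewrite also corrects the old bound at the exactly-n-bytes boundary, which is why `in_long_ok` parses to 256 under the fixed checks.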