From patchwork Tue May 9 14:42:30 2017
X-Patchwork-Submitter: Amit Pundir
X-Patchwork-Id: 98919
From: Amit Pundir
To: Greg KH
Cc: stable@vger.kernel.org, David Howells
Subject: [PATCH for-3.18 06/24] KEYS: Fix ASN.1 indefinite length object parsing
Date: Tue, 9 May 2017 20:12:30 +0530
Message-Id: <1494340968-17152-7-git-send-email-amit.pundir@linaro.org>
In-Reply-To: <1494340968-17152-1-git-send-email-amit.pundir@linaro.org>
X-Mailing-List: stable@vger.kernel.org

From: David Howells

commit 23c8a812dc3c621009e4f0e5342aa4e2ede1ceaa upstream.

This fixes CVE-2016-0758.

In the ASN.1 decoder, when the length field of an ASN.1 value is extracted,
it isn't validated against the remaining amount of data before being added
to the cursor. With a sufficiently large size indicated, the check:

	datalen - dp < 2

may then fail due to integer overflow.

Fix this by checking the length indicated against the amount of remaining
data in both places a definite length is determined.

Whilst we're at it, make the following changes:

 (1) Check the maximum size of extended length does not exceed the capacity
     of the variable it's being stored in (len) rather than the type that
     variable is assumed to be (size_t).

 (2) Compare the EOC tag to the symbolic constant ASN1_EOC rather than the
     integer 0.

 (3) To reduce confusion, move the initialisation of len outside of:

	for (len = 0; n > 0; n--) {

     since it doesn't have anything to do with the loop counter n.

Signed-off-by: David Howells Reviewed-by: Mimi Zohar Acked-by: David Woodhouse Acked-by: Peter Jones Signed-off-by: Amit Pundir --- lib/asn1_decoder.c | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) -- 2.7.4 diff --git a/lib/asn1_decoder.c b/lib/asn1_decoder.c index d60ce8a53650..806c5b6b4b3a 100644 --- a/lib/asn1_decoder.c +++ b/lib/asn1_decoder.c @@ -69,7 +69,7 @@ next_tag: /* Extract a tag from the data */ tag = data[dp++]; - if (tag == 0) { + if (tag == ASN1_EOC) { /* It appears to be an EOC. */ if (data[dp++] != 0) goto invalid_eoc; @@ -91,10 +91,8 @@ next_tag: /* Extract the length */ len = data[dp++]; - if (len <= 0x7f) { - dp += len; - goto next_tag; - } + if (len <= 0x7f) + goto check_length; if (unlikely(len == ASN1_INDEFINITE_LENGTH)) { /* Indefinite length */ @@ -105,14 +103,18 @@ next_tag: } n = len - 0x80; - if (unlikely(n > sizeof(size_t) - 1)) + if (unlikely(n > sizeof(len) - 1)) goto length_too_long; if (unlikely(n > datalen - dp)) goto data_overrun_error; - for (len = 0; n > 0; n--) { + len = 0; + for (; n > 0; n--) { len <<= 8; len |= data[dp++]; } +check_length: + if (len > datalen - dp) + goto data_overrun_error; dp += len; goto next_tag;
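
Review bot: In the first hunk (@@ -69,7 +69,7 @@), the tag test now uses ASN1_EOC but the context line right after it still checks the second EOC byte with "if (data[dp++] != 0)". That byte is the length octet, so the literal is defensible, but the two adjacent comparisons now look inconsistent; a short comment on the second one saying it is the EOC length octet would make the intent clear.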
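
Review bot: In the second hunk (@@ -91,10 +91,8 @@), the short-form path "if (len <= 0x7f) goto check_length;" jumps to a label that only appears in a later hunk, and nothing at the goto says why a one-byte length needs a bounds check at all. A brief comment there (short form is still attacker-controlled, up to 0x7f bytes past the cursor) would help. The body of the indefinite-length branch kept as context below is not visible here; please confirm it never advances dp by an unchecked amount, since it does not pass through check_length.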
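
Review bot: In the third hunk (@@ -105,14 +103,18 @@), the new test "if (len > datalen - dp)" at check_length is only sound while dp <= datalen and all three operands are unsigned and of the same width, and the declarations of len, dp and datalen are outside the visible context. The changed bound "n > sizeof(len) - 1" now depends on len's real type as well, so it is worth stating that type in the commit message or a comment. I would also add a one-line comment at check_length explaining that the comparison is written against the remaining bytes rather than as "dp + len > datalen" so that it cannot wrap; otherwise a later cleanup could reintroduce the overflow.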
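
The cursor arithmetic described in the commit message, as an added stand-alone example (not the kernel's code and not part of the original mail). The function names, error codes and sample buffers are constructed for illustration; the walker is a simplified definite-length-only skip loop and size_t operands are assumed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ERR_OVERRUN    (-1) /* length points past the end of the buffer */
#define ERR_BAD_LENGTH (-2) /* length-of-length too big for len, or indefinite form */

/* Pre-fix arithmetic only (no memory is read): advance the cursor by an
 * unvalidated len, then apply the "datalen - dp < 2" test from the commit
 * message. Returns 1 when that test would let parsing continue. */
int old_check_lets_parse_continue(size_t datalen, size_t dp, size_t len)
{
    dp += len;                   /* cursor may now be beyond datalen */
    return !(datalen - dp < 2);  /* unsigned subtraction wraps to a huge value */
}

/* Post-fix walk over definite-length elements. Returns the number of
 * elements skipped, or a negative ERR_* code. Invariant: dp <= datalen. */
int walk_checked(const uint8_t *data, size_t datalen)
{
    size_t dp = 0, len, n;
    int count = 0;

    while (datalen - dp >= 2) {          /* room for tag + first length byte */
        dp++;                            /* skip the tag byte */
        len = data[dp++];
        if (len > 0x7f) {                /* long form: low 7 bits = byte count */
            n = len - 0x80;
            if (n == 0 || n > sizeof(len) - 1)
                return ERR_BAD_LENGTH;
            if (n > datalen - dp)
                return ERR_OVERRUN;
            for (len = 0; n > 0; n--)
                len = (len << 8) | data[dp++];
        }
        if (len > datalen - dp)          /* the check the patch adds */
            return ERR_OVERRUN;
        dp += len;
        count++;
    }
    return dp == datalen ? count : ERR_OVERRUN;
}

/* Constructed samples: two well-formed elements; one claiming 0xfffff0 bytes. */
static const uint8_t good[] = { 0x04, 0x02, 0xaa, 0xbb, 0x02, 0x01, 0x05 };
static const uint8_t oversized[] = { 0x04, 0x83, 0xff, 0xff, 0xf0, 0x00, 0x00, 0x00 };

int main(void)
{
    printf("good=%d oversized=%d old_check_continues=%d\n",
           walk_checked(good, sizeof(good)), walk_checked(oversized, sizeof(oversized)),
           old_check_lets_parse_continue(sizeof(oversized), 5, 0xfffff0));
    return 0;
}
```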